U.S. Department of State Office of the CIO Wins 2011 National Cybersecurity Innovation Award

Achieving drastic risk reductions and rapid threat mitigation through continuous security monitoring and mitigation

WASHINGTON, Oct. 31, 2011 /PRNewswire-USNewswire/ -- The SANS Institute announced today that the U.S. Department of State Office of the Chief Information Officer has won the 2011 U.S. National Cybersecurity Innovation Award for significantly improving the effectiveness of the nation's cyber security for creating, deploying and sharing the Department of State's unique risk scoring program, which continuously monitors more than 100,000 systems for vulnerabilities and provides daily prioritized security action plans for every Department of State system administrator in the U.S. and in more than 200 countries.

(Photo: http://photos.prnewswire.com/prnh/20111031/DC97174)

The U.S. State Department is responsible for protecting computer networks for 400 U.S. embassies and offices across 24 time zones. To help protect these networks the State Department pioneered a risk scoring program to make it easier for managers to identify trouble spots, prioritize them, and resolve issues more quickly. The program relies on continuous risk monitoring and threat-based response and has proven to be so effective that the program has become a model for more than 100 state agencies and many commercial organizations. The security program scans every computer, every three to four days, to detect security vulnerabilities and weak configurations, ensures the most important problems are fixed first and publishes monthly grades that celebrates the success of the units doing the best job of protecting their computers. "We know anywhere in the world what our risk is," says John Streufert, Deputy CIO and Chief Information Security Officer of the department.

In the program's first year, the number of security gaps detected fell about 90% and most embassies and offices were receiving A and B grades. The uniqueness of the program is its market-based approach creating incentives for fixing security gaps. The program quantifies a range of security risks and "monetizes" them into a "common currency" that assigns the most points to the highest priority security gaps. The point system helps to identify which gaps to repair first, allowing security managers to quickly fix the gaps responsible for the greatest impact on their office or embassy's overall grade. Each embassy or office is evaluated on its ability to mitigate those risks, and its performance is made public for the rest of the department to see.  When a critical vulnerability arises, the scoring system provides a laser-like focus on correcting that problem first, resulting in the vast majority of State Department computers being protected long before the computers of other departments.

Since launching the hugely successful program three years ago, the State Department has received inquiries from global companies such as Microsoft Corp., General Electric Co., JPMorgan Chase & Co., RSA, The Security Division of EMC and Heartland Payment Systems. Streufert has shared the State's documents and tools with other agencies, and he regularly works with CIOs and CISOs across government to troubleshoot their monitoring processes. And most importantly the State Department doesn't keep the methods secret; at least 40 organizations have requested and been supplied software, free of charge.

The U.S. Department of State Office of the Chief Information Officer wins the 2011 National Cybersecurity Innovation Award for eliminating security weaknesses that allow targeted cyber-attacks to succeed and for their ability to reduce risk, and quickly and effectively respond to new threats.

About the National Cybersecurity Innovation Awards
The National Cybersecurity Innovation Awards recognize developments undertaken by companies and government agencies who have developed and deployed innovative processes or technologies which are innovative in that it has not been deployed effectively before, can show a significant impact on reducing cyber risk, can be scaled quickly to serve large numbers of people, and should be adopted quickly by many other organizations. Nominations included most senior government officials involved with Cybersecurity as well as those from major Cybersecurity Information Sharing and Analysis Centers (ISACs).  Corporations and individuals, including SANS instructors also nominated innovations and each nomination was tested by the SANS Institute research department. More than 50 nominations were received and 14 were selected.

About SANS Institute (www.sans.org)
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and by far the largest source for information security training and security certification in the world.  In addition to world-class training, SANS offers certification via the ANSI accredited GIAC security certification program. SANS offers a myriad of free resources to the Infosec community including consensus projects, research reports, newsletters, and it operates the Internet's early warning system - the Internet Storm Center.  At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

SOURCE SANS Institute