Evaluation
30.08.2011
cyber security, Evaluation, information security, iso/iec 27001, security
The British Standards Institute (BSI) issued ISO/IEC 27001:2005 Lead Auditor (TPECS) certificate to Chuck Georgo today. ISO/IEC 27001
ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
NOWHERETOHIDE will be publishing a series of blog posts over the next few weeks to help educate organizations about the standard, its criteria, and strategies for achieving compliance.
It is important to understand that ISO/IEC certification is not a one-off exercise. To maintain the certificate the organization will need to both review and monitor the information security management system on an on-going basis.
03.08.2009
data sharing, Evaluation, Information sharing, LEIS, NIEM, Performance Measures
I just finished reading of your appointment on the FederalNews Radio website. As you begin your review of the state of information sharing and the ISE, I would like to offer up some thoughts as someone who has been an information sharing evangelist for nearly a decade. here are seven points to consider:
- Resist the urge to see information sharing as an outcome. Information sharing is a means to an end, not the end itself. Each federal agency, every state and regional fusion center, and all law enforcement intelligence units should have a clear set of information requirements, questions if you will, that information sharing and the intelligence process should work to answer–hold agencies accountable for having clear and valid requirements. This has been a common practice in the intelligence community for decades and should be a practice for all information sharing elements.
- Build clear accountability into the information sharing process. Every federal agency, fusion center and law enforcement agency should have one person, preferably an impassioned, well-respected leader, that can ensure that their agencies requirements are well documented and communicated horizontally across federal boundaries and vertically to local, state, and municipal agencies, and (where applicable) private sector organizations.
- Establish clear linkage of information sharing to agency operational performance measures. Just as staffing, information technology, facilities, and utilities are seen as strategic resources in a performance-based budget, information sharing must be seen as a resource to be strategically used to help an agency achieve its mission. When measuring the success of information sharing, focus on the extent to which it helped achieve agency goals–just as counting cases in law enforcement is a misleading way to judge public safety success, counting RFIs, records shared, SARs submitted is not a good way to gauge information sharing success–successful information sharing can only be measured through the extent to which it helps agencies (at all levels) achieve their operational goals.
- Discourage agencies from using stovepiped portals for information sharing. All shareable data should be available as a “service” for consumer agencies to ingest into their systems and not through a dedicated portal that users will need a discrete login to access. You can read my previous “Portal-mania” blog post for more detail here, but all federal agencies should be required to make their data accessible through National information Exchange Model (NIEM) based web services. This will enable consumer agencies to integrate multiple data streams into their workflow and will reduce the number of websites and portals analysts are required to access to perform their work.
- Give the same amount of attention to what is shared and how it is shared. Over the last few years, a significant amount of effort has gone into how information is shared at the expense of understanding the depth and breadth of information actually being shared. Many regional and national information sharing efforts still only contain basic levels of information, or worse are just pointer systems that require additional human effort to gain access to the actual record. Encourage agencies to communicate to each other what specific information is being shared, and what is not being shared, and help everyone understand the consequences of their decisions.
- Encourage maximum use of NIEM and the Information Exchange Package Descriptions (IEPD) contained it its clearinghouse. NIEM has emerged as the dictionary of shareable data elements. When you string together sets of these data elements to satisfy a specific business need, an IEPD is born. The NIEM IEPD clearinghouse contains more than 150 IEPDs, many of which apply to national security, law enforcement and public safety missions. While many federal agencies have pledged their support of NIEM, more effort is needed to ensure that they first seek to use IEPDs already contained in the clearinghouse and do not develop one-off IEPDs designed to meet very narrow applications.
- Finally, foster a culture of transparency to help communicate an appreciation of personal civil rights and civil liberties. All information sharing and intelligence operations should engage in proactive efforts to help alleviate any fears that individual privacy and liberties are violated by any of the actions taken by those agencies. In my September 3, 2009 blog posting I list ten questions a fusion center director should ask of their own intelligence operations. I’d like to offer up these questions as a beginning framework for any information sharing or intelligence operation. They also serve as a good framework for evaluating the extent to which information sharing and intelligence operations are in fact seriously working to do the right thing.
In closing, I hope you can see how these seven points help to frame how you might structure a results oriented evaluation of information sharing across our federal agencies and with our state and regional fusion center, and private sector partners. Taken together you will be able to report the extent to which agencies have:
- Documented their information sharing requirements – what needs to be shared;
- Someone who can be directly held accountable for effective and proper information sharing;
- Linked their need for information to specific operational goals and strategies;
- Implemented mechanisms that makes it easy for other agencies to access their information;
- Ensured that they are sharing the right information (most meaningful) information;
- Taken advantage of NIEM as a way to save money and expedite information sharing; and
- Taken measures to proactively diffuse public (and media) perceptions of information misuse.
I wish you well in your new role as Senior Director for Information Sharing Policy.
Regards,
Chuck Georgo
chuck@nowheretohide.org
02.01.2009
CJIS, data sharing, Evaluation, Information sharing, law enforcement, Law enforcement information sharing, LEIS, Performance Measures, Processes, public safety, SOA, Strategy, Technology, Uncategorized
Tom Peters liked to say “what gets measured gets done.” The Office of Management and Budget (OMB) took this advice to heart when they started the federal Performance Assessment Rating Tool (PART) (http://www.whitehouse.gov/omb/part/) to assess and improve federal program performance so that the Federal government can achieve better results. PART includes a set of criteria in the form of questions that helps an evaluator to identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.
I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation. Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned.
I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:
1. Active Executive Engagement in LEIS Governance and Decision-Making;
2. Robust Privacy and Security Policy and Active Compliance Oversight;
3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;
4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);
5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and
6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.
My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”
I would like to what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck
Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org
26.06.2007
Evaluation, Performance Measures
On May 31, 2007, Clay Johnson released a memorandum to the President’s Management Council to annouce the establishment of an effort to get agencies to document “Where they would be proud to be” in two years (2009). This memorandum represents OMB’s next step in its effort to get Federal agencies to “Green” in each of the five categories of the President’s Management Agenda – Strategic Management of Human Capital, Competitive Sourcing, Improved Financial Performance, Expanded eGovernment, and Performance Improvement (aka Budget and Performance Integration).
OMB is to be commended for continuing to devise creative ways to get the attention of Federal program executives focused on what is really happening in their agencies and the extent to which a) resources are effectively applied to the problems at hand, b) processes and infrastructure investments directly support delivery of meaningful services (outputs), and c) those servies do in-fact lead to meaningful results (outcomes).
In my opinion, this latest OMB strategy takes government performance accountability to the next level by making it “more personal” – Clay specifically asked each agency to indicate “where they would be proud to be on July 1, 2008 and July 1, 2009″ with respect to each of the five PMA initiatives. If successful, this initiative will engage agency executives to make a personal statement of what they would be proud to achieve in the stated timeframes. And, I am all for strategies and initiatives that put performance planning more in the hands of agency operators than in detached planning staffs.
The entire 78 page memorandum can be seen at: http://www.cio.gov/documents/PTB5_Memo_Attachments.pdf
Comments welcome…r/Chuck