ROSI Challenges

Security returns are improved through the optimized integration of People, Processes, and Technology:

People

• Executive participation encourages high grades
• Moving security initiatives through an organization not solely a technology issue
• Real costs should not be siphoned from other programs
• Governance model = elaborate fire fighting

Process

• Quality reviews of security certification and accreditation (C&A) processes
• Integration of C&A with IT governance and other internal control processes
• Reduce rework and manual processes
• Bring standardization to controls
• Consistent processes in authorizing systems for operations

Technology

• Clarify IT asset inventory / categorization
• Use enterprise automated security management products
• Deploy concise, standardized metrics, policies and procedures
• Agencies must meet certification and accreditation (C&A) criteria as defined by FISMA and NIST guidance.