Washington
April 7, 1998
A high priority of the CIO Council is to ensure the implementation of security practices within the Federal government that gain public confidence and protect government services, privacy, and sensitive and national security information. This Executive Guide, "Information Security Management, Learning From Leading Organizations," clearly illustrates how leading organizations are successfully addressing the challenges of fulfilling that goal. These organizations establish a central management focal point, promote awareness, link policies to business risks, and develop practical risk assessment procedures that link security to business needs. This latter point--the need to link security to business requirements--is particularly important, and is illustrated in a statement of a security manager quoted in the guide: "Because every control has some cost associated with it, every control needs a business reason to be put in place."
The CIO Council is pleased to endorse the principles and best practices embodied in this guide. Its findings underscore the policies articulated in Appendix III to OMB Circular A-130, "Security of Federal Automated Information Resources." We expect that it will be a valuable resource for all agency CIOs and program managers who execute those policies, and will complement the other activities of the Council to improve Federal information systems security.
We look forward to working with the General Accounting Office in the future as we implement these best practices to further enhance agency security practices and programs.