Imagine telling an entire U.S. agency to reorganize across two of its largest divisions to be more effective and secure. TDI did! For the DEA.
TDI provided the DEA with support at multiple levels of the organization, including the CTO and Information Security Office. Our primary function was in a consulting role, helping the DEA in a proactive effort to mitigate many of the potential risks in cybersecurity business processes and procedures to which they could be vulnerable. TDI conducted a Security Assessment to ascertain the most likely areas for improvement within the DEA, targeting DEA’s Information Security Section (ISI) and Office of Information Systems (SI). The goal of the assessment was to recommend a solution for the DEA to fulfill its cybersecurity responsibilities mandated by Congress, the President, DOJ, OMB and NIST.
In addition, it was our responsibility to analyze the current operations/security environment of ISI and SI, and to assess risks in their cybersecurity practices. This resulted in TDI developing a recommended set of security processes/procedures/policies, providing associated budgetary recommendations and estimations, and suggesting organizational restructuring to demonstrate how ISI and SI should optimally conduct operations.
TDI performed a thorough review and dissection of the 17 DOJ security standards, and all DEA policies, procedures, and processes that relate to security. To supplement the documentation, TDI conducted multiple rounds of interviews with dozens of DEA staff at virtually all levels. The assessment was unbiased, with no existing budgetary data provided prior to making budget recommendations, and no DEA influence on the findings or recommendations.
For the assessment final report, findings, recommendations, and any additional costs associated with each recommendation were incorporated into a budget spanning nearly ten years. In general, the most pressing findings related to the structural organization of the DEA and the relationship between ISI and SI. Closely linked to this are sharply defined roles and responsibilities, both within ISI and SI individually and between the two.
As a follow-up to our organizational cybersecurity assessment, TDI delivered strategic executive-level advice to the DEA’s Chief Technology Officer and provided recommendations for DEA enterprise IT and cybersecurity expenditures. We conducted product evaluation, ROI analyses, proof-of-concept, and executed pilot programs on new and emerging technologies. Our role allowed us to provide daily advice for decisions affecting a 15,000-user community. We consulted on matters relating to IT security federal regulatory compliance such as FISMA, HSPD-12, and DOJ directives. On behalf of the DEA, we provided input to DOJ Information Assurance policy when secure standards for new technologies emerged. TDI executed projects under federal guidelines and standards such as NIST and FIPS and provided a best practices cybersecurity perspective to the organization in its pursuit of a sound Federal Enterprise Technical Architecture model. Our accomplishments included:
- Provided an end-to-end recommendation and proof-of-concept evaluation for securing enterprise email communications
- Acted as a liaison for the Office of Information Systems to the Office of Security Programs for issues pertaining to IA such as vulnerability assessment analysis
- Evaluated FIPS 140-2 protection mechanisms for wireless networks
- Drafted response to DOJ wireless policy on behalf of the DEA
- Interfaced and elicited requirements consensus among a varying number of stakeholders within the DEA
- Worked with the organization to help develop a Patch and Vulnerability Group (PVG) capability for the entire DEA enterprise
- Provided strategic plan, end-to-end recommendation and proof-of-concept for server virtualization technology using VMware as part of the DEA’s Disaster Recovery initiative
- Developed and implemented in-house processes for evaluation of emerging technologies
- Researched and evaluated biometric storage drives and smart-card technologies
- Evaluated protection mechanisms for wireless networks
- Provided guidance and recommendations on decision support tools to the DEA source selection process
- Consulted and negotiated with large and small hardware/software vendors