Information Security News mailing list archives
Security: It's a management thing
From: InfoSec News <isn () C4I ORG>
Date: Tue, 12 Dec 2000 18:06:25 -0600
http://www.fcw.com/fcw/articles/2000/1211/web-secure-12-12-00.asp

BY Diane Frank
12/12/2000

Federal agencies are making the same mistake when it comes to security: viewing it as something that can be fixed with technology and not recognizing it as a management issue, officials said Monday.

"We have a tendency to turn [security] into a technical problem, rather than a management problem with technical aspects," said Marty Wagner, associate administrator of the General Services Administration's Office of Governmentwide Policy, speaking Monday at the Defending Cyberspace conference in Washington, D.C.

The CIO Council's Security, Privacy and Critical Infrastructure Committee is working on several initiatives to help agencies get a handle on the management aspect of the federal security problem, said John Gilligan, deputy chief information officer at the Air Force and co-chairman of the committee.

Some pieces already are available, including a Web-based repository of security best practices and the Information Technology Security Assessment Framework that the council released last week.

But the biggest problems and the best solutions come from line managers and program leaders, Gilligan said. Getting the word out to these people and getting them to understand the importance of their role in the security of federal systems and programs is one of the challenges the council is trying to solve right now, he said.

For the most part, the council's efforts involve providing newsletters, sample policies and conferences, but the council is also partnering with the U.S. Chief Financial Officers Council and others, Gilligan said.

In the immediate future, the committee's efforts are focused on two areas: risk management and funding.

Many agencies do not know how to assess their level of risk or how to manage that risk throughout a program's life cycle. Although the General Accounting Office has issued an executive guide presenting risk management best practices from industry and government, the security subcommittee is trying to develop additional guidelines and processes to help, Gilligan said.

Agencies struggle to fund problems relating to federal requirements under Presidential Decision Directive 63, which calls for agencies to protect systems that run the nation's critical infrastructure. President Clinton signed PDD-63 in May 1998, but agencies have trouble getting funding for programs that often cross agency lines.

Gilligan said the critical infrastructure protection subcommittee is developing guidelines for agencies on how to prepare budget submissions and how to work on those submissions with the Office of Management and Budget and the appropriations committees in Congress.

[Links in article:
http://www.cio.gov/spci/spci/spci.html
http://www.financenet.gov/financenet/fed/cfo/cfo.htm ]

ISN is hosted by SecurityFocus.com