Information Security News mailing list archives

RE: U.S. Government Flunks Computer Security Tests


From: InfoSec News <isn () c4i org>
Date: Mon, 25 Nov 2002 01:59:06 -0600 (CST)

Forwarded from: Brad Ball <bradball () bellsouth net>

One of the key weak points in getting security to have equal footing
in the war room or the boardroom is the inability to convince upper
management of the importance of configuration management. It is not
the single activity that can seal up insecurities but offers a unique
opportunity in every organization.

This opportunity is having the different pieces of the organization at
the same table at the same time to discuss IT initiatives and plans.
Security, network operations, finance, etc. are all given a chance to
pass their perspectives and concerns to senior management.

The trick of course is persuading management to support such an
approach. I would contend that the security professional able to
successfully convince their bosses to do this will be setting up a
process that (1) makes security a shared concern (2) allows all
departments to better understand all organizational objectives and
possibly be motivated to contribute their own unique ideas that
benefit the entire process.

Having been in security for some time myself I can empathize with
Huggins' outlook. What I have found personally is that I have evolved
over a period of time to a broader outlook .. what I will call the Fox
News approach... I report .. you decide! My commitment to secure
practices is not lessened but I have convinced more non-IT types by
simply reporting the pluses & minuses as well as the military
regulations that drive my reports. In one unit I was nicknamed Satan
because of my inflexibility on security. Was I wrong in my assessments
at the time? No but my approach didn't fit the organization.

The attempt to pass a cyber security initiative through the Arizona
legislature last year is the first of many that eventually will
convince corporate America that sharing the efforts of their security
departments strengthens them rather than weakens them. That initiative
was extremely innovative in its assertion that only businesses that
wanted to participate had to and offered no financial incentives. It
won't become another government program bloated by territorial fights
-- it is designed to be a collaborative effort between businesses and
government for the sole purpose of promoting security.

Sorry for long post .. my 2cents


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org]
On Behalf Of InfoSec News
Sent: Thursday, November 21, 2002 9:23 AM
To: isn () attrition org
Subject: Re: [ISN] U.S. Government Flunks Computer Security Tests


Forwarded from: huggins () airmail net

Note: The fine print in the document says that these inspections were
more in-depth than previous inspections and that in comparison the
government has improved its security.  Those in business and
government as well as the private sector had an opportunity until
Monday to improve on the Cyber Security national plan.  The problem
was we don't want regulation, we don't want to utilize secure Unix or
hardened Microsoft even though those procedures exist.  Our society
wants instant gratification, and with that goes instant access to
everything without security influencing how things are done.  As a
retired military security professional my experience is that senior
management in government is just like senior management (although a
little more secure than those) in America's corporation.  Those that
would hoot and holler that we told you so need to look at the
corporations and how they work and think where they would be: 2, maybe 3,
would receive a D; the rest would fail miserably.


Forwarded from: Elyn Wollensky <elyn () consect com>

http://www.washingtonpost.com/wp-dyn/articles/A9496-2002Nov19.html

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, November 19, 2002

The U.S. government has earned failing marks for computer security for
the second year in a row, according to a report released today by a
congressional oversight committee.

Nearly two-thirds of the federal government's 24 major agencies
flunked the General Accounting Office's (GAO) latest "computer
security report card," according to a House Government Reform
subcommittee. The Departments of Justice, Defense, Energy and Treasury
earned flunking grades, with the Department of Transportation earning
the lowest score.

The Social Security Administration won the highest mark, with a
"B minus."

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

