Information Security News mailing list archives

Security: It's a management thing


From: InfoSec News <isn () C4I ORG>
Date: Tue, 12 Dec 2000 18:06:25 -0600

http://www.fcw.com/fcw/articles/2000/1211/web-secure-12-12-00.asp

BY Diane Frank
12/12/2000

Federal agencies are making the same mistake when it comes to security:
viewing it as something that can be fixed with technology and not
recognizing it as a management issue, officials said Monday.

"We have a tendency to turn [security] into a technical problem,
rather than a management problem with technical aspects," said Marty
Wagner, associate administrator of the General Services
Administration's Office of Governmentwide Policy, speaking Monday at
the Defending Cyberspace conference in Washington, D.C.

The CIO Council's Security, Privacy and Critical Infrastructure
Committee is working on several initiatives to help agencies get a
handle on the management aspect of the federal security problem, said
John Gilligan, deputy chief information officer at the Air Force and
co-chairman of the committee. Some pieces already are available,
including a Web-based repository of security best practices and the
Information Technology Security Assessment Framework that the council
released last week.

But the biggest problems and the best solutions come from line
managers and program leaders, Gilligan said. Getting the word out to
these people and getting them to understand the importance of their
role in the security of federal systems and programs is one of the
challenges the council is trying to solve right now, he said.

For the most part, the council's efforts involve providing newsletters,
sample policies and conferences, but the council is also partnering
with the U.S. Chief Financial Officers Council and others, Gilligan
said.

In the immediate future, the committee's efforts are focused on two
areas: risk management and funding.

Many agencies do not know how to assess their level of risk or how to
manage that risk throughout a program's life cycle. Although the
General Accounting Office has issued an executive guide presenting
risk management best practices from industry and government, the
security subcommittee is trying to develop additional guidelines and
processes to help, Gilligan said.

Agencies struggle to fund problems relating to federal requirements
under Presidential Decision Directive 63, which calls for agencies to
protect systems that run the nation's critical infrastructure.
President Clinton signed PDD-63 in May 1998, but agencies have trouble
getting funding for programs that often cross agency lines.

Gilligan said the critical infrastructure protection subcommittee is
developing guidelines for agencies on how to prepare budget
submissions and how to work on those submissions with the Office of
Management and Budget and the appropriations committees in Congress.

[Links in article: http://www.cio.gov/spci/spci/spci.html
http://www.financenet.gov/financenet/fed/cfo/cfo.htm ]

ISN is hosted by SecurityFocus.com