Information Security News mailing list archives

NASA scientists: buy-in from users essential for security


From: InfoSec News <isn () c4i org>
Date: Wed, 22 Aug 2001 04:57:20 -0500 (CDT)

http://www.idgnet.co.nz/webhome.nsf/UNID/964F8B4F4DEDFDFCCC256AAF000F0C42!opendocument

Andrea Malcolm, Auckland
Wednesday, 22 August, 2001 

Most users consider IT security a nuisance, and that's an attitude
that can render any security measure useless, says the man in charge
of keeping NASA data systems safe.

Scott Santiago, information chief at NASA's IT security operation,
says the key to the agency's security was to change the mindset of the
people running the organisation.

NASA was surprisingly short on IT security until a couple of years
ago. Speaking at a recent security conference in Auckland, Santiago
says a large part of NASA's role has always been to disseminate
information to the public, but an audit in 2000 revealed that the
organisation was complacent in terms of IT security. NASA got a
hammering from the US Congress, though this ensured management buy-in
for developing a business case for IT security, says Santiago.

NASA embarked on a process of risk assessment and defining IT security
metrics. The idea of outsourcing was mooted, as NASA had already
outsourced most of its IT operations, but Santiago fought the idea and
retained security in-house.

Now each system has its own IT security plan, and audits are carried
out across NASA's 11 main centres each year. A vulnerability scan of
every system is done once a month. NASA has listed the top 100
vulnerabilities of each system with the aim of reducing them.

NASA also fosters the practice of sharing information on security
breaches.

"Everyone was afraid to talk about being hacked so there was no
sharing of incident information. We needed to convince them that they
needed to share and now we have a body to facilitate sharing."

But the key factor for success is to have buy-in from the users, says
Santiago. "You have to make security an integral part of how they do
their job."

To this end, NASA has set up an IT security training programme which
100% of employees must do. "We had to overcome a negative attitude
towards IT security. Scientists and researchers saw it as something
which hampered their ability to get the job done. Their attitude was
'that's not my job, it's yours'."

Santiago says the only way it works is if you have everyone
participating. "We have to have constant communication with
researchers emphasising the benefits."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.