Information Security News mailing list archives

Re: Agencies flunk security review


From: InfoSec News <isn () c4i org>
Date: Wed, 14 Nov 2001 09:06:10 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

(comments below)


http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp

By Diane Frank 

A House panel last week gave two-thirds of all federal agencies a
failing grade for efforts to secure information systems, a worse
showing than last year, which was attributed to greater awareness of
security vulnerabilities.

New set of security grades from Horn
(Last year's scores in parentheses)

Agriculture (F) F                             USAID (C-) F
Commerce (C-) F                               Defense (D+) F
Education (C) F                               Energy (Inc) F
HHS (F) F                                     Interior (F) F
Justice (F) F                                 Labor (F) F
Nuclear Regulatory Commission (Inc) F         OPM (F) F
SBA (F) F                                     Transportation (Inc) F
Treasury (D) F                                VA (D) F
NSF (B-) B+                                   Social Security (B) C+
NASA (D-) C-                                  EPA (D-) D+
State (C) D+                                  FEMA (Inc) D
GSA (D-) D                                    HUD (C-) D
Governmentwide grade (D-) F 

So in short, basically every agency stayed the same or went down. Why
does this seem a bit off to me..

I am no fan of government agencies when it comes to *most* of their
security practices. I realize that a lot of the demands have been
dumped on them with little time or resources to meet stringent demands
as well.

I have done direct consulting for two agencies listed above, and work
with several people that handle a healthy amount of some aspects of
security of a third, so my comments are based on that.

First, one of the two agencies I have worked with does not deserve
anything close to the grade it received. Part of the problem is the
single grade for huge agencies that are broken down into many sub
agencies. One of them listed above got an "F", yet consists of 33
federal agencies that get referred to by a single name. While the
agency I mention is not perfect, they have done an outstanding job in
regards to security in the last year. Most importantly, they did the
outstanding job before hiring the company I am currently with. Their
administrators had security policy, firewalls, audit procedures, kept
up to date on security issues, etc. For the facilities they control
(which serve almost all 33 agencies), there has been no external
intrusion into their network for five years. They recently hired
several companies to set up and audit (before it went live) new
systems for remote access. They went through a full accreditation
process to verify security controls were in place. While it may not be
*everything* they could possibly do, it sure is a hell of a lot more
than many net connected companies/agencies go through, and all done
within budget constraints. Their staff is knowledgeable, practical,
and gets the job done. To see them get labeled as 'F' is a joke.

Second, several of these agencies still have too many layers of
bureaucracy that impede network security. The bigwigs of these
agencies who hand down these oversimplified report card style grades
are often the cause of problems. They want X security, with Y budget,
in Z time.. and they want to be able to remotely pop their mail from
home, firewall be damned. The problem is, X is too high, Y is too low,
and Z is often barely enough time to write an RFP let alone complete
the job.

I'm not saying these grades are necessarily right or wrong. I am
saying they are not giving credit where due, and overlooking the fact
that some agencies have been taking the security initiative for a long
time now. Some of these agencies are aware of the importance of
security, they understand the need for it, and they are still not
given the time and resources required to do the job.

And to pick on a single agency above (that I do not consult for =), I
don't have a clue how they could give NASA a C while failing some of
the other agencies. Three NASA machines have been hacked and defaced
in the last six days. That is three security incidents that the public
is aware about, all happening within a week of NASA getting a 'C'..

bleh.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

