Information Security News mailing list archives

Wartime CIOs Alter Security Strategies


From: InfoSec News <isn () c4i org>
Date: Wed, 10 Apr 2002 03:49:23 -0500 (CDT)

http://www.computerworld.com/storyba/0,4125,NAV47_STO69936,00.html

By DAN VERTON 
April 08, 2002

Sept. 11 has taught federal IT leaders lessons on the value of
security, continuity planning

Information technology managers at U.S. federal government agencies
are applying the lessons learned from the Sept. 11 attacks to improve
planning for continuity of operations during possible major IT
disasters in the future.

Speaking here last week at the annual meeting of the Tiverton,
R.I.-based National High Performance Computing and Communications
Council, a group of five federal CIOs and senior IT executives said IT
security and its role in continuity of operations have taken on
heightened importance since Sept. 11.

There's an increased emphasis at federal agencies to make operational
continuity plans "living documents," said Sandra Bates, commissioner
of the Federal Technology Service.

The U.S. Department of Labor, which manages employment and
unemployment benefits for millions of Americans, lost two offices and
its inspector general in the attacks on the World Trade Center and was
forced to put its disaster recovery plan into action without ever
having rehearsed it, said Laura Callahan, the agency's CIO.

One of the most important lessons to come out of that experience, she
said, is the need to plot a well-conceived communications strategy in
advance.

"We couldn't talk to each other," said Callahan, because of cell phone
overload problems and a four-hour "dark" period during which the
agency shut down its networks to assess the damage.

Since the terrorist attacks, the agency has also moved to deputize its
workers and create what Callahan calls a "neighborhood watch" program,
through which they can report anything that doesn't seem right to
them.

The Department of the Interior is also working on developing reporting
procedures for managing any future disasters and is focusing on
integrating security and business continuity operations into its
capital planning process, Callahan said.

"We don't do capital planning with an understanding of the risk," said
Daryl White, CIO at the Interior Department. "We do it after the fact.  
We have to get away from that mentality."

To break away from that approach, network architecture specialists at
the agency are now being brought into the thick of the security
planning process, said White.

In the Works

Lee Holcomb, CIO at NASA, said agencies and private companies "need to
architect networks to isolate mission-critical systems."

One such plan that is currently being studied at NASA is the use of
security "honeypots," or decoy systems, to divert attackers away from
sensitive operational systems, said Holcomb.

Sallie McDonald, assistant commissioner for the Office of Information
Assurance and Critical Infrastructure Protection at the General
Services Administration, said there are also several security programs
in the works that are designed to improve everything from patch
management to secure collaboration and vulnerability analysis.

"We're trying to develop a culture of security in federal civilian
agencies," McDonald said.


