Information Security News mailing list archives

RE: Letter to the editor - Token effort on IT security


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Apr 2002 02:21:25 -0500 (CDT)

Forwarded from: "Huggins, Michael" <mhhuggins () firstcommand com>

Comments after paragraphs.

-----Original Message-----
From: InfoSec News [mailto:isn () c4i org] 
Sent: Tuesday, April 16, 2002 2:34 AM
To: isn () attrition org
Subject: [ISN] Letter to the editor - Token effort on IT security 

http://www.fcw.com/fcw/articles/2002/0415/web-letter-04-15-02.asp

April 15, 2002

Why is information technology security a problem? Nothing gets
management's attention unless it is bleeding or causing adverse
publicity. Therefore, IT security will get no attention unless it is
causing mission problems or getting bad publicity. Management will not
give resources to anything that doesn't "squeak" louder than other
issues.

Yes, the squeaky wheel gets the oil; I agree with the concept. I find
that if this is in reference to the US Gov. the issue isn't that no
attention is paid, but that a lack of a cohesive, coordinated effort
exists.  In a previous life attempts were made to solidify the
security initiatives that were beneficial.  Great resources exist that
do not cost money.  Policy, procedure, and training are the founding
blocks that should exist prior to technological solutions.  See
HTTP://csrc.nist.gov Http://www.cio.gov Http://www.ciao.gov
http://iase.disa.mil and other gov sites that have a vast array of
information that does not cost and solutions that are based on the
laws and policies as currently written.

No agency is doing a decent job of training personnel in IT security
issues. High cost; therefore, only token effort.

I for one know of several agencies that are doing exceptional jobs of
providing training, and the problem is not that the training exists
but that the complainers are too lazy to identify the sources of training.
It is always easy to say nothing is out there in my organization,
therefore it doesn't exist.  If you look at the FISSEA, ATE section on
http://csrc.nist.gov and review Practices for Securing Critical
Information Assets, Annex Charlie, from the CIAO you will identify
training opportunities.  This does not even include the Advanced
Network Security Managers COI or Information Systems Security Manager
COI from Chief of Naval Education and Training.  Nor does it identify
the free CBTs and videos available to government agencies at
www.ioss.gov or http://iase.disa.mil.

Note: The Computer Security Act has been in effect for 15 years, but
to this day, most agencies have (at best) implemented only small
pieces of the requirements of this act. Life cycle management - truly
integrating IT security into the whole process - isn't happening.

Again, this would be the perception of one that has not reviewed the
GAO reports, nor been involved in the processes required to accredit
or certify a system.  I disagree with this entirely; the fact is that those
professionals heavily involved often leave the government for better
opportunities, thus leaving only those who are waiting to retire to
perform the jobs.

Congress does a great job of mandating certain actions or activities,
then providing zero resources to the agencies to actually implement
the activities. If the Hill truly wants something done, they must be
prepared to fund them. They can always find resources for some pork
project that only benefits a few representatives or senators.

Again, where does the money for the free CBTs, the NIST documents,
CIAO documents and GAO reports come from?

Very few agencies have a comprehensive IT security policies and
procedures document. Fewer still have actually communicated that
document to the offices that must implement it. Fewer still provide
the authority to the IT security manager to enforce the
implementation.

Again, this may be true in those violations reported by GAO; however, it
is my experience that those policies and procedures do exist, and perhaps
their location is not identified to those not performing the roles.

I do agree that the IT Security Manager does not have the authority
necessary to perform their duties.  Too often politics outweighs
implementation and reporting.

So, why do we have problems with IT security??? Sigh!

Problems exist if one wants them to; if one does not like what is
in place, tactful memorandums and inputs can change the process. I have
seen it happen.

Too many managers think that IT security is firewalls or
intrusion-detection systems. It isn't. There are several others that
are important, but you get the idea.

Yes, this is true. Again: train, train, train, and know your resources.

Very Respectfully

Michael H. Huggins USN (ret)

Name withheld by request

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
