Information Security News mailing list archives

Re: Davis reinforces security rules


From: InfoSec News <isn () c4i org>
Date: Sat, 9 Mar 2002 03:52:25 -0600 (CST)

Forwarded from: Robert G. Ferrell <rferrell () texas net>

Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update
and extend the Government Information Security Reform Act, as
members of Congress expressed concern over current legislation.

After a year and a half of scrambling to implement GISRA, here are my
observations concerning it:

1. It creates absolute mountains of mostly useless paperwork, which
require many person-hours to complete and remove the focus from actual
security implementation.

2. It does very little in the way of enforcing real physical security
measures.

3. It reduces security to a simplistic formula for auditing purposes.

4. It gives agencies a false sense of having secured their systems,
without requiring them to employ adequately trained personnel.  It
treats network security as a static, rather than dynamic, process.

5.  It misses the point entirely.  Congress always thinks that the
answer to any problem is to create more reports and a concrete list of
people who can be blamed if something goes wrong.  The problem with
reports is that Congress is largely composed of people who have no
chance of being able to understand what the reports mean.  They have
to be simplified to the point of meaninglessness because the only
requirement for being in Congress is winning an election. Bury the
problem under paperwork and identify patsies at whom to point fingers
when the poorly thought-out 'solution' proves to be a dismal failure.

Rinse.  Repeat.

RGF



ISN is currently hosted by Attrition.org
