Information Security News mailing list archives

VA spruces up security act


From: InfoSec News <isn () c4i org>
Date: Wed, 11 Sep 2002 04:05:25 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0909/mgt-va-09-09-02.asp

By Judi Hasson 
Sept. 9, 2002

Only 18 months ago, the Department of Veterans Affairs received a
failing grade for its cybersecurity efforts.

Reports from the inspector general's office criticized the agency for
failing to protect its computer environment. Congress was up in arms
over disclosures that it was a cakewalk to hack the VA's systems. And
VA officials did not even know how many renegade gateways had been set
up to get into the VA computer system.

In a remarkably short period of time, the VA has cleaned up its act.

"When I got here, this place — cybersecurity — was pretty chaotic,"  
said Bruce Brody, the VA's cybersecurity chief since March 2001.  
"There was nothing but bad news."

But Brody had some strong supporters who resolved to fix the problem.  
Backed by VA Secretary Anthony Principi, who has promised to create
one VA, and chief information officer John Gauss, Brody has made
changes that are becoming the model for other agencies facing
cybersecurity threats.

"With the support of the secretary and the leadership of the CIO and
his team, we have come a long way," Brody said. "But much remains to
be done, and we are working very hard to do it."

It is no easy task. There are more than 200 unauthorized and
unprotected gateways into the VA's central cyber infrastructure, built
by employees in the field with no authority to do so. It was
"uncontrolled," Brody said. And VA officials had no idea how big VA
cyberspace was.

"They sprouted like a thousand flowers blooming," Brody said. "There
was no consistent security policy. Wherever someone wanted a gateway,
there was a gateway."

The VA launched the Enterprise Cyber Security Infrastructure Project
to find the gateways and secure them. In the next two years, the VA
will create standardized hardened gateways that will be centrally
managed and monitored by VA security operations centers.

In October, the VA will begin closing down the unauthorized gateways.  
In the meantime, the cybersecurity office is requiring tighter
firewalls and periodic testing to make sure hackers cannot get in.

"By September 2004, there will only be a single-digit number of exit
gateways...and no other external connections," Brody said.

Gateways aren't the only problem within the VA, although it has been
one of the biggest headaches. The agency has worked to develop a
cutting-edge enterprise architecture plan and standardize programs
throughout its network, which reaches more than 160 hospitals. Last
month, the VA awarded a contract to manage its nationwide security
services around the clock. It is putting a national virtual private
network in place in October. The VPN will enable the agency to
encapsulate, encrypt and then send data to a specific destination.

"Veterans records are more secure than they have been in the past,"  
Brody said. "They are not as secure as they will be in the future."

Matt Roland of Gartner Inc., a market research firm, said that good
information technology security is a property of an environment, not
the property of a product or technology.

"A lot of organizations focused on deploying firewalls and antivirus
software," he said. "Now there is an increased emphasis on
establishing management processes around these technologies."

It appears the VA has turned a corner. In August, Principi
consolidated IT management and budget functions under the CIO, a move
that Congress has sought for seven years. The order also consolidates
cybersecurity functions, which includes centralizing the $50 million
cybersecurity budget in Brody's office.

Art Wu, staff director of the House Veterans' Affairs Committee's
Oversight and Investigations Subcommittee, said the VA's actions
should "expedite and facilitate VA's compliance under" the Government
Information Security Reform Act.

The VA is "definitely on the right track," according to Shannon
Kellogg, vice president for information security programs at the IT
Association of America.

The agency is looking at security in a "holistic fashion, a
multi-tiered process," and that makes all the difference, Kellogg
said.


***


Tightening up

The Department of Veterans Affairs has done the following to protect
its systems:

* Launched the Enterprise Cyber Security Infrastructure Project to
  find unauthorized gateways to the agency's systems and shut them
  down.

* Required tighter firewalls and periodic security testing to ensure
  hackers cannot get in.

* Awarded a contract in August for around-the-clock nationwide managed
  security services.

* Built a national virtual private network.

* Centralized the $50 million cybersecurity budget in the VA
  cybersecurity chief's office.
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

