Information Security News mailing list archives

Agencies Beef Up IT Security


From: InfoSec News <isn () c4i org>
Date: Tue, 6 Jan 2004 04:39:23 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.eweek.com/article2/0,4149,1426312,00.asp

By Dennis Fisher 
January 5, 2004   
 
As criticism of the federal government's security practices and 
policies mounts, some agencies are making sweeping changes in the way 
they manage IT assets.

The Department of Justice, one of a handful of agencies that received 
a failing grade on last month's report card on IT security delivered 
by a congressional subcommittee, is at the forefront of the movement.

The DOJ has made a number of changes in recent months, including the 
establishment of a departmentwide IT security staff that answers 
directly to the CIO, according to DOJ officials in Washington. That 
group, in turn, has set about organizing a security council within the 
department, they said.

The council comprises the top security officials from each of 
Justice's dozens of component organizations, including the United 
States Attorney's Office; the Bureau of Alcohol, Tobacco, Firearms and 
Explosives; and the U.S. Marshals Service. Known as the IT Security 
Council, this group is now responsible for implementing and overseeing 
all the security programs in the department. This type of 
centralization, while normal in large enterprises, is still very new 
to federal agencies.

The council was organized out of necessity at Justice, an organization 
comprising more than 50 parts. So far, the results have been 
encouraging, department officials said, even though they didn't 
show up on the 2003 congressional report card.

"The department program is producing the security management needed, 
and I am looking forward to next year's report card when we can 
reflect the improved implementation and validation of security 
requirements," said Dennis Heretick, deputy director of the IT 
security staff at the DOJ, in Washington.

"These programs have set the stage for a departmentwide capability to 
manage implementation of risk control requirements but are not at the 
point where they produced the bottom-line results needed to improve 
last year's report card," Heretick said.

The security grades are handed out each year by the House Committee on 
Government Reform's Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census, and they are based mainly 
on how well each agency measures up to a set of established criteria. 
The criteria, among other things, require that each agency inventory 
all its IT assets and be able to assess the security of each. In 
large, distributed departments such as Justice, this can be a daunting 
task.

As a result, security personnel inside the government have begun 
developing their own methods and tools to get the job done.

The Environmental Protection Agency staff, for example, has created an 
automated security evaluation and remediation application capable of 
testing the security posture of each machine and monitoring the 
remediation process for any problems found. The security staff at 
Justice is now using this tool as well.

Beyond the DOJ and EPA, other departments are moving ahead with 
changes.

The Department of Transportation recently implemented a comprehensive 
vulnerability assessment and remediation package that performs 
continuous scans, instead of the traditional monthly or quarterly 
assessments.

A deputy secretary of the department is kept apprised of every 
critical vulnerability in the department's network. Both the EPA and 
the DOT made full letter-grade improvements in the 2003 report card.

"This is a good example of something that's working. This brings 
vulnerability visibility to the highest levels," said Alan Paller, 
research director at The SANS Institute, in Bethesda, Md. "They're 
transforming the concept of vulnerability assessment."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*
