Information Security News mailing list archives
Top IT cops say lack of authority, resources undermine security
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 12 Aug 2008 14:24:50 -0500 (CDT)
http://www.govexec.com/story_page.cfm?articleid=40700

By Jill R. Aitoro
Govexec.com
August 11, 2008

To understand what it's like to be a federal chief information security officer, consider Larry Ruffin. As CISO at the Interior Department, his job could be described as having little to do with being a chief and not much more about security.

Although he regards Interior's current information security as "far from inadequate," Ruffin and Chief Information Officer Michael Howell don't have a way to check that the department's network security is configured correctly or to monitor suspicious activity on a daily basis. Ruffin also has no authority and few resources to check on the security of employees' equipment, such as laptops, workstations and servers, or to monitor specific applications. He has to rely on verbal and written promises from Interior's bureau managers that they are complying with security policies. To a limited extent, Ruffin says, he conducts on-site checks of systems, which in the end offer little insight into the state of IT security departmentwide.

"How do you take control, when you don't [have authority over] the funds or maintain clear authority to make decisions? That stymies processes," Ruffin says. "We don't get clear approvals and don't feel empowered to make decisions that might have budgetary impacts. Those decisions can get made, but rarely."

Ruffin isn't alone. His experience is common to CISOs across government. Security budgets are paper thin, and CISOs rarely have the authority to enforce security policies down deep into individual department offices. Their job is one of frustration; they're aware of what's required to protect agency networks, but unable to get the job done. It's no wonder that more security analysts are warning of serious security breaches, if they have not occurred already.

[...]