Re: Government Compliance

["Kevin Lee" <kevin () kevincomputers com sg>]

Many a times we sacrifice policies for conveniences.

Apparently this happened in the US govt which is supposed to be a place 
where strictest compliance to security policies are to be adhered to.

It depends what kind of employee you are.

If you strongly believe this is not right and you want to get it right, then 
climb the chain of commands till you get to someone who share the same 
thoughts as you.

If you know it's not right and you'll rather leave then piss people off, 
then no further action is required.

If you know it's not right but it doesn't bother you (apparently this is not 
the case), then carry on with life. But then again if you stay as a Security 
Professional at a place where security policies are breached, you can't stay 
long either.

Just my 2 cents worth.

Kevin Lee
Singapore

----- Original Message ----- 
From: "Dave" <dave.anon () gmail com>
To: <pen-test () securityfocus com>
Sent: Wednesday, June 15, 2005 10:50 PM
Subject: Government Compliance


> Hello everyone. I know some will view this as a rant and other as
> informative, but I am making this post as a sanity check.
>
> For the purposes here, I currently work as an IT Security professional
> for the US government. I work at the Department of Government, within
> a component named AgencyX. Yes, these names are fictional.
>
> To give an outline or basic background, all government computer
> systems are governed by strict requirements for designing,
> implementing, maintaining, and securing them. Many of these are
> mandatory and are not up for negotiation. Some examples include NIST
> SP's, FISMA, DCID 6/3, etc.....
>
> OK....so I received and email from a "IT Security professional"
> (qualifications and knowledge very questionable) at the Department in
> response to a question I had. I had asked for the definition the
> Department was adopting for penetration testing. The response I
> received was (scrubbed for anonymity):
>
> "... The guidance for penetration testing was reviewed at [department
> committee] meeting... penetration testing shall consist of [product
> name deleted] vulnerability scans and running [product name deleted]
> for cracking passwords... if this has been done AgencyX shall get
> credit for penetration testing...."
>
>
> Ok, I have big problems with this. There are seperate and distinct
> requirements for maintaining password complexity, performing vuln
> scans, AND performing penetration testing. Any industry guideline or
> resource would never allow this "definition". Am I wrong? Am I over
> reacting?
>
> When I brought this up to my chain of command I was told "don't rock
> the boat". They fully admitted that they knew the definition to be
> incorrect in that it was not meeting the intent of the requirement,
> but that I should not say anything to rock the boat and just accept
> this.
>
> Obviously, for ethical reasons, I am leaving the agency and the 
> department.
>
> Feedback? Thoughts?
>
> -- Dave