[ISN] NASA scientists: buy-in from users essential for security

From: InfoSec News (isnat_private)
Date: Wed Aug 22 2001 - 02:57:20 PDT


    Andrea Malcolm, Auckland
    Wednesday, 22 August, 2001 
    Most users consider IT security a nuisance, and that's an attitude
    that can render any security measure useless, says the man in charge
    of keeping NASA data systems safe.
    Scott Santiago, information chief at NASA's IT security operation,
    says the key to the agency's security has been changing the mindset
    of the people running the organisation.
    NASA was surprisingly short on IT security until a couple of years
    ago. Speaking at a recent security conference in Auckland, Santiago
    says a large part of NASA's role has always been to disseminate
    information to the public, but an audit in 2000 revealed that the
    organisation was complacent about IT security. NASA took a hammering
    from the US Congress as a result, though this ensured management
    buy-in for developing a business case for IT security, says Santiago.
    NASA embarked on a process of risk assessment and defining IT security
    metrics. The idea of outsourcing was mooted as NASA had already
    outsourced most of its IT operations but Santiago fought the idea and
    retained it in-house.
    Now each system has its own IT security plan, and audits are carried
    out across NASA's 11 main centres each year. A vulnerability scan of
    every system is done once a month. NASA has listed the top 100
    vulnerabilities of each system with the aim of reducing them.
    NASA also fosters the practice of sharing information on security.
    "Everyone was afraid to talk about being hacked so there was no
    sharing of incident information. We needed to convince them that they
    needed to share and now we have a body to facilitate sharing."
    But the key factor for success is to have buy-in from the users, says
    Santiago. "You have to make security an integral part of how they do
    their job."
    To this end NASA has set up an IT security training programme which
    every employee must complete. "We had to overcome a negative attitude
    towards IT security. Scientists and researchers saw it as something
    which hampered their ability to get the job done. Their attitude was
    'that's not my job, it's yours'."
    Santiago says the only way it works is if you have everyone
    participating. "We have to have constant communication with
    researchers emphasising the benefits."
    ISN is currently hosted by Attrition.org
