Forwarded from: security curmudgeon <jerichoat_private> (comments below)

> http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp
>
> By Diane Frank
>
> A House panel last week gave two-thirds of all federal agencies a
> failing grade for efforts to secure information systems, a worse
> showing than last year, attributed to greater awareness of security
> vulnerabilities.
>
> New set of security grades from Horn
> (Last year's scores in parentheses)
>
> Agriculture (F) F
> USAID (C-) F
> Commerce (C-) F
> Defense (D+) F
> Education (C) F
> Energy (Inc) F
> HHS (F) F
> Interior (F) F
> Justice (F) F
> Labor (F) F
> Nuclear Regulatory Commission (Inc) F
> OPM (F) F
> SBA (F) F
> Transportation (Inc) F
> Treasury (D) F
> VA (D) F
> NSF (B-) B+
> Social Security (B) C+
> NASA (D-) C-
> EPA (D-) D+
> State (C) D+
> FEMA (Inc) D
> GSA (D-) D
> HUD (C-) D
>
> Governmentwide grade (D-) F

So in short, basically every agency stayed the same or went down. Why does this seem a bit off to me..

I am no fan of government agencies when it comes to *most* of their security practices. I realize that a lot of the demands have been dumped on them with little time or resources to meet stringent demands as well. I have done direct consulting for two agencies listed above, and work with several people that handle a healthy amount of some aspects of security of a third, so my comments are based on that.

First, one of the two agencies I have worked with does not deserve anything close to the grade it received. Part of the problem is the single grade for huge agencies that are broken down into many sub-agencies. One of them listed above got an "F", yet consists of 33 federal agencies that get referred to by a single name. While the agency I mention is not perfect, they have done an outstanding job in regards to security in the last year. Most importantly, they did the outstanding job before hiring the company I am currently with. Their administrators had security policy, firewalls, audit procedures, kept up to date on security issues, etc. For the facilities they control (which serve almost all 33 agencies), there has been no external intrusion into their network for five years. They recently hired several companies to set up and audit (before it went live) new systems for remote access. They went through a full accreditation process to verify security controls were in place. While it may not be *everything* they could possibly do, it sure is a hell of a lot more than many net-connected companies/agencies go through, and all done within budget constraints. Their staff is knowledgeable, practical, and gets the job done. To see them get labeled as 'F' is a joke.

Second, several of these agencies still have too many layers of bureaucracy that impede network security. The bigwigs of these agencies who hand down these oversimplified report-card-style grades are often the cause of problems. They want X security, with Y budget, in Z time.. and they want to be able to remotely pop their mail from home, firewall be damned. The problem is, X is too high, Y is too low, and Z is often barely enough time to write an RFP, let alone complete the job.

I'm not saying these grades are necessarily right or wrong. I am saying they are not giving credit where due, and overlooking the fact that some agencies have been taking the security initiative for a long time now. Some of these agencies are aware of the importance of security, they understand the need for it, and they are still not given the time and resources required to do the job.

And to pick on a single agency above (that I do not consult for =), I don't have a clue how they could give NASA a C while failing some of the other agencies. Three NASA machines have been hacked and defaced in the last six days. That is three security incidents that the public is aware about, all happening within a week of NASA getting a 'C'.. bleh.
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 09:23:29 PST