Forwarded from: Brettan Miller <bpmiller@argus-systems.com>

.......While the agency I mention is not perfect, they have done an outstanding job in regards to security in the last year. Most importantly, they did the outstanding job before hiring the company I am currently with. Their administrators had security policy, firewalls, audit procedures, kept up to date on security issues, etc. For the facilities they control (which serve almost all 33 agencies), there has been no external intrusion into their network for five years........

You are correct in stating they have done more than most; however, I would suspect that one of the main reasons for their low grade is that they have not addressed the issue of Access Control. Any agency that processes sensitive, classified, or confidential information must incorporate a policy of mandatory access controls. Too many agencies continue to rely on discretionary access controls.

I notice in your comment you mention they have not had any "external" intrusions in the past 5 years. Is one to assume from that statement that they have had internal intrusions? At the end of the day, what does it matter if an intrusion is "external" or "internal"? It's still an intrusion. Any agency that processes sensitive, classified, or confidential information and still relies on discretionary access controls deserves an F, period.

I tend to agree with your view on too many layers of bureaucracy impeding network security; however, it is a fact of life, and publicizing the poor grades these agencies receive is a necessary piece in the bureaucracy puzzle.

Brettan P. Miller
bpmiller@argus-systems.com

-----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
Sent: Wednesday, November 14, 2001 9:06 AM
To: isnat_private
Subject: Re: [ISN] Agencies flunk security review

Forwarded from: security curmudgeon <jerichoat_private>

(comments below)

> http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp
>
> By Diane Frank
>
> A House panel last week gave two-thirds of all federal agencies a
> failing grade for efforts to secure information systems, a worse
> showing than last year, attributed to greater awareness of security
> vulnerabilities.
>
> New set of security grades from Horn
> (Last year's scores in parentheses)
>
> Agriculture (F) F                        USAID (C-) F
> Commerce (C-) F                          Defense (D+) F
> Education (C) F                          Energy (Inc) F
> HHS (F) F                                Interior (F) F
> Justice (F) F                            Labor (F) F
> Nuclear Regulatory Commission (Inc) F    OPM (F) F
> SBA (F) F                                Transportation (Inc) F
> Treasury (D) F                           VA (D) F
> NSF (B-) B+                              Social Security (B) C+
> NASA (D-) C-                             EPA (D-) D+
> State (C) D+                             FEMA (Inc) D
> GSA (D-) D                               HUD (C-) D
> Governmentwide grade (D-) F

So in short, basically every agency stayed the same or went down. Why does this seem a bit off to me?

I am no fan of government agencies when it comes to *most* of their security practices. I realize that a lot of the demands have been dumped on them with little time or resources to meet stringent demands as well. I have done direct consulting for two agencies listed above, and work with several people that handle a healthy amount of some aspects of security of a third, so my comments are based on that.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
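The message above argues that an agency handling classified data should not rely on discretionary access control (DAC) alone but must enforce mandatory access control (MAC). The following is an added example, not code from the thread or from any product of the poster's employer: a small Python model of both schemes over constructed users, files and sensitivity labels. It shows the failure mode the poster is pointing at: under DAC the owner of a SECRET file can grant read access to an uncleared user (an "internal" leak that no firewall sees), whereas MAC, modelled here as Bell-LaPadula "no read up / no write down" label checks layered on top of the discretionary ACL, refuses the access regardless of what the owner granted. The label names and level ordering are assumptions for illustration.

```python
"""
Added example (not from the ISN thread): contrasting discretionary
access control (DAC) with mandatory access control (MAC) using a
Bell-LaPadula style label lattice. All users, files and labels below
are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed sensitivity ordering (lowest to highest).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class User:
    name: str
    clearance: str  # one of LEVELS


@dataclass
class File:
    name: str
    owner: str
    level: str                              # mandatory label, set by policy, not by the owner
    readers: set = field(default_factory=set)  # DAC: principals the owner has granted read


def dac_grant_read(granter: User, f: File, grantee: User) -> None:
    """DAC: the owner alone decides who may read; policy is not consulted."""
    if granter.name != f.owner:
        raise PermissionError(f"{granter.name} does not own {f.name}")
    f.readers.add(grantee.name)


def dac_can_read(user: User, f: File) -> bool:
    return user.name == f.owner or user.name in f.readers


def mac_can_read(user: User, f: File) -> bool:
    """Simple security property: no read up (clearance must dominate the label)."""
    return LEVELS[user.clearance] >= LEVELS[f.level]


def mac_can_write(user: User, f: File) -> bool:
    """*-property: no write down (subject may only write to labels at or above its own)."""
    return LEVELS[user.clearance] <= LEVELS[f.level]


def can_read(user: User, f: File, mode: str) -> bool:
    """mode 'DAC': ACL only. mode 'MAC': label check AND ACL must both pass."""
    if mode == "DAC":
        return dac_can_read(user, f)
    return mac_can_read(user, f) and dac_can_read(user, f)


def can_write(user: User, f: File, mode: str) -> bool:
    """Write access: DAC permits the owner to write anything they own or were granted;
    MAC additionally forbids writing classified content into a lower-labelled file."""
    discretionary = dac_can_read(user, f)  # reuse the ACL as a write list for brevity
    if mode == "DAC":
        return discretionary
    return mac_can_write(user, f) and discretionary


def demo() -> dict:
    alice = User("alice", "SECRET")          # cleared insider, owns the report
    bob = User("bob", "UNCLASSIFIED")        # uncleared user on the same network
    report = File("ops-report.txt", "alice", "SECRET")
    bulletin = File("public-bulletin.txt", "alice", "UNCLASSIFIED")

    # The owner "helpfully" shares the classified report with bob.
    dac_grant_read(alice, report, bob)

    return {
        # DAC honours the owner's decision: the classified data leaks internally.
        "dac_bob_reads_secret": can_read(bob, report, "DAC"),
        # MAC overrides the owner: bob's clearance does not dominate SECRET.
        "mac_bob_reads_secret": can_read(bob, report, "MAC"),
        # A properly cleared owner still gets in under MAC.
        "mac_alice_reads_secret": can_read(alice, report, "MAC"),
        # DAC lets alice copy SECRET material into her own public file ...
        "dac_alice_writes_public": can_write(alice, bulletin, "DAC"),
        # ... MAC forbids the write-down even though she owns the file.
        "mac_alice_writes_public": can_write(alice, bulletin, "MAC"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:26s} -> {'ALLOWED' if allowed else 'DENIED'}")
```

The point of the MAC branch is that the label check is evaluated before, and independently of, anything the file owner configured; this is what real MAC implementations such as SELinux or multilevel-secure operating systems provide in the kernel, and why the distinction between "external" and "internal" intrusion stops mattering once a confinement policy is enforced.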
This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 01:08:59 PST