RE: [ISN] Agencies flunk security review

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 23:13:25 PST

    Forwarded from: Brettan Miller <bpmiller@argus-systems.com>
    
    .......While the agency I mention is not perfect, they have done an
    outstanding job in regards to security in the last year. Most
    importantly, they did the outstanding job before hiring the company I
    am currently with. Their administrators had security policy,
    firewalls, audit procedures, kept up to date on security issues, etc.
    For the facilities they control (which serve almost all 33 agencies),
    there has been no external intrusion into their network for five
    years........
    
    You are correct in stating they have done more than most; however, I
    would suspect that one of the main reasons for their low grade is that
    they have not addressed the issue of Access Control. Any agency that
    processes sensitive, classified, or confidential information must
    incorporate a policy of mandatory access controls. Too many agencies
    continue to rely on discretionary access controls. I notice in your
    comment you mention they have not had any "external" intrusions in
    the past 5 years. Is one to assume from that statement that they have
    had internal intrusions? At the end of the day, what does it matter if
    an intrusion is "external" or "internal"? It's still an intrusion. Any
    agency that processes sensitive, classified, or confidential
    information and still relies on discretionary access controls deserves
    an F, period. I tend to agree with your view on too many layers of
    bureaucracy impeding network security; however, it is a fact of life,
    and publicizing the poor grades these agencies receive is a necessary
    piece in the bureaucracy puzzle.
    
    
    Brettan P. Miller
    bpmiller@argus-systems.com
    
    
    
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
    Of InfoSec News
    Sent: Wednesday, November 14, 2001 9:06 AM
    To: isnat_private
    Subject: Re: [ISN] Agencies flunk security review
    
    
    Forwarded from: security curmudgeon <jerichoat_private>
    
    (comments below)
    
    
    > http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp
    >
    > By Diane Frank
    >
    > A House panel last week gave two-thirds of all federal agencies a
    > failing grade for efforts to secure information systems a worse
    > showing than last year attributed to greater awareness of security
    > vulnerabilities.
    >
    > New set of security grades from Horn
    > (Last year's scores in parentheses)
    >
    > Agriculture (F) F                             USAID (C-) F
    > Commerce (C-) F                               Defense (D+) F
    > Education (C) F                               Energy (Inc) F
    > HHS (F) F                                     Interior (F) F
    > Justice (F) F                                 Labor (F) F
    > Nuclear Regulatory Commission (Inc) F         OPM (F) F
    > SBA (F) F                                     Transportation (Inc) F
    > Treasury (D) F                                VA (D) F
    > NSF (B-) B+                                   Social Security (B) C+
    > NASA (D-) C-                                  EPA (D-) D+
    > State (C) D+                                  FEMA (Inc) D
    > GSA (D-) D                                    HUD (C-) D
    > Governmentwide grade (D-) F
    
    So in short, basically every agency stayed the same or went down. Why
    does this seem a bit off to me..
    
    I am no fan of government agencies when it comes to *most* of their
    security practices. I realize that a lot of the demands have been
    dumped on them with little time or resources to meet stringent demands
    as well.
    
    I have done direct consulting for two agencies listed above, and work
    with several people that handle a healthy amount of some aspects of
    security of a third, so my comments are based on that.
    
    
    [...]
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 01:08:59 PST