http://www.newsbytes.com/news/02/174514.html By Brian Krebs, Newsbytes WASHINGTON, D.C., U.S.A., 14 Feb 2002, 1:06 PM CST Most federal agencies do not manage their information technology resources well enough to detect or defeat computer viruses and hacker attacks, the White House said in a report released Wednesday. Far too many agencies have virtually no meaningful system to test or monitor system activity and therefore are unable to detect intrusions, suspected intrusions, or virus infections, the OMB said. In its analysis of security audits conducted at 50 federal agencies the OMB identified six government-wide security problems, including a lack of policies and programs in place to detect, report or share information on security vulnerabilities or attacks. The report also notes that most employees lack basic awareness or education about computer security. In addition, few agencies routinely ensure that contractors meet minimum security requirements and background checks, the OMB said. The OMB report found no correlation between the amount each agency spent on IT security and its overall performance in that arena. At this point, there is no evidence that poor security is a result of a lack of money, the OMB said. Last year, the federal government spent $2.7 billion on computer security, out of a total $48 billion in IT investments. This year, the OMB expects federal agencies will spend roughly double that amount - $4.2 billion out of a total IT budget of $52 billion. Under the Government Information Security Reform Act of 2000, agencies are required to assess and test the security of their non-classified information systems. Agencies are graded on the results of penetration testing and overall security, and the reports are tied to each agency's budget request. Last year's round of penetration tests showed nearly all federal agencies earned a grade of D or lower for computer security, prompting the OMB to pledge it would soon begin to kill funding for projects that consistently fail to meet minimum security requirements. The lone exception cited in the OMB report was the Department of Defense, which maintained a consistent record of training employees and screening IT security contractors, the agency said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 05:01:45 PST