[ISN] Agencies outline security changes

From: InfoSec News (isnat_private)
Date: Thu Mar 07 2002 - 23:52:26 PST

    http://www.fcw.com/fcw/articles/2002/0304/web-action-03-07-02.asp
    
    By Diane Frank 
    March 7, 2002
    
    Federal agencies are reviewing old security programs and kicking off
    new ones in response to the deficiencies discovered during the
    self-assessments required by Congress, officials testified March 6.
    
    Energy and Defense department officials outlined several major changes
    in their information security policies and practices as they testified
    before a hearing of the House Government Reform Committee's Government
    Efficiency, Financial Management and Intergovernmental Relations
    Subcommittee.
    
    The changes include new system certification, employee training and
    policy compliance programs.
    
    At Energy, that means increasing security education and awareness
    programs to ensure that "every member of the department's
    infrastructure is aware that cybersecurity is an integral part of his
    or her job," said Karen Evans, the new chief information officer at
    Energy.
    
    The department also is developing new programs, such as a
    departmentwide certification and accreditation process for all of its
    unclassified systems to complement the process already in place on the
    classified side, she said.
    
    All of these programs are being developed by a working group made up
    of officials from every portion of the department to ensure buy-in at
    all levels, she said.
    
    The DOD assessment found that while the department has good security
    policies, practices and procedures, it does little verification of
    compliance despite initiatives such as the DOD Information Technology
    Security Certification and Accreditation Program (DITSCAP), said
    Robert Gorrie, deputy director of the Defensewide Information
    Assurance Program.
    
    The problem will not be solved by stricter audits and enforcement of
    the DITSCAP, he said. Instead "non-compliance is more a symptom of the
    complexity of that process and the clarity of its implementing
    policy," Gorrie said.
    
    So now the DITSCAP is undergoing a "dramatic modification in policy as
    well as implementation," he said. The department is also looking at
    possible automated tools to ease the documentation burden on security
    and system administrators, he said.
    
    -
    ISN is currently hosted by Attrition.org