[ISN] Agencies outline security changes

From: InfoSec News (isnat_private)
Date: Thu Mar 07 2002 - 23:52:26 PST

  • Next message: InfoSec News: "RE: [ISN] Digital Destruction Was Worst Imaginable"

    By Diane Frank 
    March 7, 2002
    Federal agencies are reviewing old security programs and kicking off
    new ones in response to the deficiencies discovered during the
    self-assessments required by Congress, officials testified March 6.
    Energy and Defense department officials outlined several major changes
    in their information security policies and practices as they testified
    before a hearing of the House Government Reform Committee's Government
    Efficiency, Financial Management and Intergovernmental Relations
    The changes include new system certification, employee training and
    policy compliance programs.
    At Energy, that means increasing security education and awareness
    programs to ensure that "every member of the department's
    infrastructure is aware that cybersecurity is an integral part of his
    or her job," said Karen Evans, the new chief information officer at
    The department also is developing new programs, such as a
    departmentwide certification and accreditation process for all of its
    unclassified systems to complement the process already in place on the
    classified side, she said.
    All of these programs are being developed by a working group made up
    of officials from every portion of the department to ensure buy-in at
    all levels, she said.
    The DOD assessment found that while the department has good security
    policies, practices and procedures, it does little verification of
    compliance despite initiatives such as the DOD Information Technology
    Security Certification and Accreditation Program (DITSCAP), said
    Robert Gorrie, deputy director of the Defensewide Information
    Assurance Program.
    The problem will not be solved by stricter audits and enforcement of
    the DITSCAP, he said. Instead "non-compliance is more a symptom of the
    complexity of that process and the clarity of its implementing
    policy," Gorrie said.
    So now the DITSCAP is undergoing a "dramatic modification in policy as
    well as implementation," he said. The department is also looking at
    possible automated tools to ease the documentation burden on security
    and system administrators, he said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 02:34:50 PST