Re: [ISN] Davis reinforces security rules

From: InfoSec News (isnat_private)
Date: Sat Mar 09 2002 - 01:52:25 PST

    Forwarded from: Robert G. Ferrell <rferrellat_private>
    > Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update
    > and extend the Government Information Security Reform Act, as
    > members of Congress expressed concern over current legislation.

    After a year and a half of scrambling to implement GISRA, here are my
    observations concerning it:
    1. It creates absolute mountains of mostly useless paperwork, which
    require many person-hours to complete and remove the focus from actual
    security implementation.
    2. It does very little in the way of enforcing real physical security.
    3. It reduces security to a simplistic formula for auditing purposes.
    4. It gives agencies a false sense of having secured their systems,
    without requiring them to employ adequately trained personnel.  It
    treats network security as a static, rather than dynamic, process.
    5.  It misses the point entirely.  Congress always thinks that the
    answer to any problem is to create more reports and a concrete list of
    people who can be blamed if something goes wrong.  The problem with
    reports is that Congress is largely composed of people who have no
    chance of being able to understand what the reports mean.  They have
    to be simplified to the point of meaninglessness because the only
    requirement for being in Congress is winning an election. Bury the
    problem under paperwork and identify patsies at whom to point fingers
    when the poorly thought out 'solution' proves to be a dismal failure.
    Rinse.  Repeat.

    This archive was generated by hypermail 2b30 : Sat Mar 09 2002 - 04:51:17 PST