Forwarded from: Robert G. Ferrell <rferrellat_private>

> Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update
> and extend the Government Information Security Reform Act, as
> members of Congress expressed concern over current legislation.

After a year and a half of scrambling to implement GISRA, here are my observations concerning it:

1. It creates absolute mountains of mostly useless paperwork, which require many person-hours to complete and remove the focus from actual security implementation.

2. It does very little in the way of enforcing real physical security measures.

3. It reduces security to a simplistic formula for auditing purposes.

4. It gives agencies a false sense of having secured their systems, without requiring them to employ adequately trained personnel. It treats network security as a static, rather than dynamic, process.

5. It misses the point entirely.

Congress always thinks that the answer to any problem is to create more reports and a concrete list of people who can be blamed if something goes wrong. The problem with reports is that Congress is largely composed of people who have no chance of being able to understand what the reports mean. They have to be simplified to the point of meaninglessness because the only requirement for being in Congress is winning an election.

Bury the problem under paperwork and identify patsies at whom to point fingers when the poorly thought out 'solution' proves to be a dismal failure. Rinse. Repeat.

RGF

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat Mar 09 2002 - 04:51:17 PST