[ISN] Firms undergo NSA infosec rating

From: InfoSec News (isnat_private)
Date: Wed Mar 20 2002 - 23:57:31 PST

    By Dan Caterinicchia 
    March 20, 2002
    The National Security Agency last week announced the first companies
    to undergo an appraisal of their information security practices in a
    program aimed at helping government and commercial organizations
    improve their systems security.
    Under the Infosec Assessment Training and Rating Program,
    organizations that need to assess their vulnerability can call on
    companies that are qualified to perform such assessments within
    NSA-defined guidelines and standards, according to NSA.
    This marks the first time civilian agencies have been able to access
    security assessment companies that have undergone this type of
    government evaluation and it enables customers to judge whether a
    provider is capable of meeting its requirements.
    Many agencies are using the General Services Administration's
    Safeguard contract, which offers more than 25 vendors who perform such
    cybersecurity assessments, but GSA does not provide any standard
    evaluation of the vendors' capabilities.
    NSA established the program because it does not have the resources to
    perform all the Infosec assessments requested. The training part of
    the program teaches NSA's standardized Infosec Assessment Methodology,
    which is a systematic way of examining cyber vulnerabilities. Then,
    providers undergo an Infosec Assessment Capability Maturity Model
    appraisal and receive a rating.
    Seven companies agreed to have their Infosec vulnerability assessment
    capability appraised: Backbone Security.com Inc., Booz Allen Hamilton,
    Computer Sciences Corp., EDS, Lucent Technologies, SRA International
    Inc. and TrustWave Corp. (formerly NetSafe).
    All the companies use either the NSA-developed Infosec Assessment
    Methodology or a similar assessment methodology, and their ratings can
    be found at www.iatrp.com.
    Paul Holmes, director of assessment operations at EDS, said the
    company had participated in the program since it was piloted in 1998.  
    In September 2001, NSA completed its review of EDS' security
    assessment processes and the company already has performed those
    services for government and commercial clients, he said.
    Holmes said the cost and time needed to perform an assessment varied
    by client, and he would not go into further detail. He did say that
    inclusion in the NSA program has been a "valuable credential to have,"  
    and he considers the effort "an ongoing, continuously improving
    The program's long-term goal is to assist in the protection of
    sensitive data by increasing the information assurance levels of
    national and defense information systems, according to NSA. The
    program also enables compliance with the Presidential Decision
    Directive 63 requirements for vulnerability assessments.
    PDD-63 requires agencies to protect the information systems that
    support the nation's critical infrastructure, including transportation
    and banking. It also directed industry to form information sharing and
    analysis centers to collaborate on security incidents and to work with

    ISN is currently hosted by Attrition.org