[ISN] Wartime CIOs Alter Security Strategies

From: InfoSec News (isnat_private)
Date: Wed Apr 10 2002 - 01:49:23 PDT

    http://www.computerworld.com/storyba/0,4125,NAV47_STO69936,00.html
    
    By DAN VERTON 
    April 08, 2002
    
    Sept. 11 has taught federal IT leaders lessons on the value of
    security, continuity planning
    
    Information technology managers at U.S. federal government agencies
    are applying the lessons learned from the Sept. 11 attacks to improve
    planning for continuity of operations during possible major IT
    disasters in the future.
    
    Speaking here last week at the annual meeting of the Tiverton,
    R.I.-based National High Performance Computing and Communications
    Council, a group of five federal CIOs and senior IT executives said IT
    security and its role in continuity of operations has taken on
    heightened importance since Sept. 11.
    
    There's an increased emphasis at federal agencies to make operational
    continuity plans "living documents," said Sandra Bates, commissioner
    of the Federal Technology Service.
    
    The U.S. Department of Labor, which manages employment and
    unemployment benefits for millions of Americans, lost two offices and
    its inspector general in the attacks on the World Trade Center and was
    forced to put its disaster recovery plan into action without ever
    having rehearsed it, said Laura Callahan, the agency's CIO.
    
    One of the most important lessons to come out of that experience, she
    said, is the need to plot a well-conceived communications strategy in
    advance.
    
    "We couldn't talk to each other," said Callahan, because of cell phone
    overload problems and a four-hour "dark" period during which the
    agency shut down its networks to assess the damage.
    
    Since the terrorist attacks, the agency has also moved to deputize its
    workers and create what Callahan calls a "neighborhood watch" program,
    through which they can report anything that doesn't seem right to
    them.
    
    The Department of the Interior is also working on developing reporting
    procedures for managing any future disasters and is focusing on
    integrating security and business continuity operations into its
    capital planning process, Callahan said.
    
    "We don't do capital planning with an understanding of the risk," said
    Daryl White, CIO at the Interior Department. "We do it after the fact.  
    We have to get away from that mentality."
    
    To break away from that approach, network architecture specialists at
    the agency are now being brought into the thick of the security
    planning process, said White.
    
    In the Works
    
    Lee Holcomb, CIO at NASA, said agencies and private companies "need to
    architect networks to isolate mission-critical systems."
    
    One such plan that is currently being studied at NASA is the use of
    security "honeypots," or decoy systems, to divert attackers away from
    sensitive operational systems, said Holcomb.
    
    Sallie McDonald, assistant commissioner for the Office of Information
    Assurance and Critical Infrastructure Protection at the General
    Services Administration, said there are also several security programs
    in the works that are designed to improve everything from patch
    management to secure collaboration and vulnerability analysis.
    
    "We're trying to develop a culture of security in federal civilian
    agencies," McDonald said.
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 10 2002 - 04:41:37 PDT