http://www.fcw.com/fcw/articles/2002/0415/web-letter-04-15-02.asp

April 15, 2002

Why is information technology security a problem?

Nothing gets management's attention unless it is bleeding or causing adverse publicity. Therefore, IT security will get no attention unless it is causing mission problems or getting bad publicity. Management will not give resources to anything that doesn't "squeak" louder than other issues.

No agency is doing a decent job of training personnel in IT security issues. High cost; therefore, only token effort. Note: The Computer Security Act has been in effect for 15 years, but to this day, most agencies have (at best) implemented only small pieces of the requirements of this act.

Life cycle management — truly integrating IT security into the whole process — isn't happening.

Congress does a great job of mandating certain actions or activities, then providing zero resources to the agencies to actually implement the activities. If the Hill truly wants something done, they must be prepared to fund them. They can always find resources for some pork project that only benefits a few representatives or senators.

Very few agencies have a comprehensive IT security policies and procedures document. Fewer still have actually communicated that document to the offices that must implement it. Fewer still provide the authority to the IT security manager to enforce the implementation. So, why do we have problems with IT security??? Sigh!

Too many managers think that IT security is firewalls or intrusion-detection systems. It isn't.

There are several others that are important, but you get the idea.

Name withheld by request