Forwarded from: "Huggins, Michael" <mhhugginsat_private>

Comments after paragraphs.

-----Original Message-----
From: InfoSec News [mailto:isnat_private]
Sent: Tuesday, April 16, 2002 2:34 AM
To: isnat_private
Subject: [ISN] Letter to the editor - Token effort on IT security

http://www.fcw.com/fcw/articles/2002/0415/web-letter-04-15-02.asp

April 15, 2002

Why is information technology security a problem? Nothing gets management's attention unless it is bleeding or causing adverse publicity. Therefore, IT security will get no attention unless it is causing mission problems or getting bad publicity. Management will not give resources to anything that doesn't "squeak" louder than other issues.

Yes, the squeaky wheel gets the oil; I agree with the concept. I find that if this is in reference to the US Gov., the issue isn't that no attention is paid, but that a lack of a cohesive, coordinated effort exists. In a previous life attempts were made to solidify the security initiatives that were beneficial. Great resources exist that do not cost money. Policy, procedure, and training are the founding blocks that should exist prior to technological solutions. See http://csrc.nist.gov, http://www.cio.gov, http://www.ciao.gov, http://iase.disa.mil and other gov sites that have a vast array of information that does not cost, and solutions that are based on the laws and policies as currently written.

No agency is doing a decent job of training personnel in IT security issues. High cost; therefore, only token effort.

I for one know of several agencies that are doing exceptional jobs of providing training, and the problem is not that the training exists but that the complainers are too lazy to identify the sources of training. It is always easy to say nothing is out there in my organization, therefore it doesn't exist. If you look at the FISSEA, ATE section on http://csrc.nist.gov and review Practices for Securing Critical Information Assets, Annex Charlie, from the CIAO, you will identify training opportunities. This does not even include the Advanced Network Security Managers COI or Information Systems Security Manager COI from Chief of Naval Education and Training. Nor does it identify the free CBTs and videos available to government agencies at www.ioss.gov or http://iase.disa.mil.

Note: The Computer Security Act has been in effect for 15 years, but to this day, most agencies have (at best) implemented only small pieces of the requirements of this act. Life cycle management - truly integrating IT security into the whole process - isn't happening.

Again, this would be the perception of one that has not reviewed the GAO reports, nor been involved in the processes required to accredit or certify a system. I disagree with this entirely; the fact is those professionals heavily involved often leave the government for better opportunities, thus leaving only those who are waiting to retire to perform the jobs.

Congress does a great job of mandating certain actions or activities, then providing zero resources to the agencies to actually implement the activities. If the Hill truly wants something done, they must be prepared to fund them. They can always find resources for some pork project that only benefits a few representatives or senators.

Again, where does the money for the free CBTs, the NIST documents, CIAO documents and GAO reports come from????

Very few agencies have a comprehensive IT security policies and procedures document. Fewer still have actually communicated that document to the offices that must implement it. Fewer still provide the authority to the IT security manager to enforce the implementation.

Again, this may be true in those violations reported by GAO; however, it is my experience that those policies and procedures do exist, and perhaps their location is not identified to those not performing the roles. I do agree that the IT Security Manager does not have the authority necessary to perform their duties. Too often politics outweighs implementation and reporting.

So, why do we have problems with IT security???

Sigh! Problems exist if one wants them to; if one does not like what is in place, tactful memorandums and inputs can change the process. I have seen it happen.

Too many managers think that IT security is firewalls or intrusion-detection systems. It isn't. There are several others that are important, but you get the idea.

Yes, this is true. Again: train, train, train, and know your resources.

Very Respectfully,
Michael H. Huggins
USN (ret)

Name withheld by request

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 03:33:34 PDT