RE: [ISN] Letter to the editor - Token effort on IT security

From: InfoSec News (isnat_private)
Date: Wed Apr 17 2002 - 00:21:25 PDT

    Forwarded from: "Huggins, Michael" <mhhugginsat_private>
    
    Comments after paragraphs.
    
    -----Original Message-----
    From: InfoSec News [mailto:isnat_private] 
    Sent: Tuesday, April 16, 2002 2:34 AM
    To: isnat_private
    Subject: [ISN] Letter to the editor - Token effort on IT security 
    
    http://www.fcw.com/fcw/articles/2002/0415/web-letter-04-15-02.asp
    
    April 15, 2002
    
    Why is information technology security a problem? Nothing gets
    management's attention unless it is bleeding or causing adverse
    publicity. Therefore, IT security will get no attention unless it is
    causing mission problems or getting bad publicity. Management will not
    give resources to anything that doesn't "squeak" louder than other
    issues.
    
    Yes, the squeaky wheel gets the oil; I agree with the concept. I find
    that if this is in reference to the US Government, the issue isn't that
    no attention is paid, but that a lack of a cohesive, coordinated effort
    exists.  In a previous life, attempts were made to solidify the
    security initiatives that were beneficial.  Great resources exist that
    do not cost money.  Policy, procedure, and training are the founding
    blocks that should exist prior to technological solutions.  See
    http://csrc.nist.gov http://www.cio.gov http://www.ciao.gov
    http://iase.disa.mil and other government sites that have a vast array
    of information that does not cost anything, and solutions that are
    based on the laws and policies as currently written.
    
    No agency is doing a decent job of training personnel in IT security
    issues. High cost; therefore, only token effort.
    
    I, for one, know of several agencies that are doing exceptional jobs of
    providing training, and the problem is not that the training exists
    but that the complainers are too lazy to identify the sources of
    training.  It is always easy to say "nothing is out there in my
    organization, therefore it doesn't exist."  If you look at the FISSEA
    ATE section on http://csrc.nist.gov and review Practices for Securing
    Critical Information Assets, Annex Charlie, from the CIAO, you will
    identify training opportunities.  This does not even include the
    Advanced Network Security Managers COI or Information Systems Security
    Manager COI from the Chief of Naval Education and Training.  Nor does
    it identify the free CBTs and videos available to government agencies
    at www.ioss.gov or http://iase.disa.mil.
    
    Note: The Computer Security Act has been in effect for 15 years, but
    to this day, most agencies have (at best) implemented only small
    pieces of the requirements of this act. Life cycle management - truly
    integrating IT security into the whole process - isn't happening.
    
    Again, this would be the perception of one who has not reviewed the
    GAO reports, nor been involved in the processes required to accredit
    or certify a system.  I disagree with this entirely; the fact is that
    those professionals heavily involved often leave the government for
    better opportunities, thus leaving only those who are waiting to retire
    to perform the jobs.
    
    Congress does a great job of mandating certain actions or activities,
    then providing zero resources to the agencies to actually implement
    the activities. If the Hill truly wants something done, they must be
    prepared to fund them. They can always find resources for some pork
    project that only benefits a few representatives or senators.
    
    Again, where does the money for the free CBTs, the NIST documents, the
    CIAO documents and the GAO reports come from?
    
    Very few agencies have a comprehensive IT security policies and
    procedures document. Fewer still have actually communicated that
    document to the offices that must implement it. Fewer still provide
    the authority to the IT security manager to enforce the
    implementation.
    
    Again, this may be true in those violations reported by GAO; however,
    it is my experience that those policies and procedures do exist, and
    perhaps their location is not identified to those not performing the
    roles.
    
    I do agree that the IT Security Manager does not have the authority
    necessary to perform their duties.  Too often politics outweighs
    implementation and reporting.
    
    So, why do we have problems with IT security? Sigh!
    
    Problems exist if one wants them to; if one does not like what is in
    place, tactful memorandums and inputs can change the process. I have
    seen it happen.
    
    Too many managers think that IT security is firewalls or
    intrusion-detection systems. It isn't. There are several others that
    are important, but you get the idea.
    
    Yes, this is true. Again: train, train, train, and know your resources.
    
    Very Respectfully
    
    Michael H. Huggins USN (ret)
    
    Name withheld by request
    
    
    
    
    -
    ISN is currently hosted by Attrition.org