[ISN] VA spruces up security act

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 02:05:25 PDT


    By Judi Hasson
    Sept. 9, 2002

    Only 18 months ago, the Department of Veterans Affairs received a
    failing grade for its cybersecurity efforts.
    Reports from the inspector general's office criticized the agency for
    failing to protect its computer environment. Congress was up in arms
    over disclosures that it was a cakewalk to hack the VA's systems. And
    VA officials did not even know how many renegade gateways had been set
    up to get into the VA computer system.
    In a remarkably short period of time, the VA has cleaned up its act.
    "When I got here, this place -- cybersecurity -- was pretty chaotic,"
    said Bruce Brody, the VA's cybersecurity chief since March 2001.
    "There was nothing but bad news."
    But Brody had some strong supporters who resolved to fix the problem.  
    Backed by VA Secretary Anthony Principi, who has promised to create
    one VA, and chief information officer John Gauss, Brody has made
    changes that are becoming the model for other agencies facing
    cybersecurity threats.
    "With the support of the secretary and the leadership of the CIO and
    his team, we have come a long way," Brody said. "But much remains to
    be done, and we are working very hard to do it."
    It is no easy task. There are more than 200 unauthorized and
    unprotected gateways into the VA's central cyber infrastructure, built
    by employees in the field with no authority to do so. It was
    "uncontrolled," Brody said. And VA officials had no idea how big VA
    cyberspace was.
    "They sprouted like a thousand flowers booming," Brody said. "There
    was no consistent security policy. Wherever someone wanted a gateway,
    there was a gateway."
    The VA launched the Enterprise Cyber Security Infrastructure Project
    to find the gateways and secure them. In the next two years, the VA
    will create standardized hardened gateways that will be centrally
    managed and monitored by VA security operations centers.
    In October, the VA will begin closing down the unauthorized gateways.  
    In the meantime, the cybersecurity office is requiring tighter
    firewalls and periodic testing to make sure hackers cannot get in.
    "By September 2004, there will only be a single-digit number of exit
    gateways...and no other external connections," Brody said.
    Gateways aren't the only problem within the VA, although it has been
    one of the biggest headaches. The agency has worked to develop a
    cutting-edge enterprise architecture plan and standardize programs
    throughout its network, which reaches more than 160 hospitals. Last
    month, the VA awarded a contract to manage its nationwide security
    services around the clock. It is putting a national virtual private
    network in place in October. The VPN will enable the agency to
    encapsulate, encrypt and then send data to a specific destination.
    "Veterans records are more secure than they have been in the past,"  
    Brody said. "They are not as secure as they will be in the future."
    Matt Roland of Gartner Inc., a market research firm, said that good
    information technology security is a property of an environment, not
    the property of a product or technology.
    "A lot of organizations focused on deploying firewalls and antivirus
    software," he said. "Now there is an increased emphasis on
    establishing management processes around these technologies."
    It appears the VA has turned a corner. In August, Principi
    consolidated IT management and budget functions under the CIO, a move
    that Congress has sought for seven years. The order also consolidates
    cybersecurity functions, which includes centralizing the $50 million
    cybersecurity budget in Brody's office.
    Art Wu, staff director of the House Veterans' Affairs Committee's
    Oversight and Investigations Subcommittee, said the VA's actions
    should "expedite and facilitate VA's compliance under" the Government
    Information Security Reform Act.
    The VA is "definitely on the right track," according to Shannon
    Kellogg, vice president for information security programs at the IT
    Association of America.
    The agency is looking at security in a "holistic fashion, a
    multi-tiered process," and that makes all the difference, Kellogg

    Tightening up
    The Department of Veterans Affairs has done the following to protect
    its systems:
    * Launched the Enterprise Cyber Security Infrastructure Project to
      find unauthorized gateways to the agency's systems and shut them
    * Required tighter firewalls and periodic security testing to ensure
      hackers cannot get in.
    * Awarded a contract in August for around-the-clock nationwide managed
      security services.
    * Built a national virtual private network.
    * Centralized the $50 million cybersecurity budget in the VA
      cybersecurity chief's office.