RE: [ISN] U.S. Government Flunks Computer Security Tests

From: InfoSec News (isnat_private)
Date: Sun Nov 24 2002 - 23:59:06 PST


    Forwarded from: Brad Ball <bradballat_private>

    One of the key weak points in getting security to have equal footing
    in the war room or the boardroom is the inability to convince upper
    management of the importance of configuration management. It is not
    the single activity that can seal up insecurities, but it offers a unique
    opportunity in every organization.

    This opportunity is having the different pieces of the organization at
    the same table at the same time to discuss IT initiatives and plans.
    Security, network operations, finance, etc. are all given a chance to
    pass their perspectives and concerns to senior management.

    The trick, of course, is persuading management to support such an
    approach. I would contend that the security professional able to
    successfully convince their bosses to do this will be setting up a
    process that (1) makes security a shared concern and (2) allows all
    departments to better understand all organizational objectives and
    possibly be motivated to contribute their own unique ideas that
    benefit the entire process.

    Having been in security for some time myself, I can empathize with
    Huggins' outlook. What I have found personally is that I have evolved
    over a period of time to a broader outlook .. what I will call the Fox
    News approach... I report .. you decide! My commitment to secure
    practices is not lessened, but I have convinced more non-IT types by
    simply reporting the pluses & minuses as well as the military
    regulations that drive my reports. In one unit I was nicknamed Satan
    because of my inflexibility on security. Was I wrong in my assessments
    at the time? No, but my approach didn't fit the organization.

    The attempt to pass a cyber security initiative through the Arizona
    legislature last year is the first of many that eventually will
    convince corporate America that sharing the efforts of their security
    departments strengthens them rather than weakens them. That initiative
    was extremely innovative in its assertion that only businesses that
    wanted to participate had to, and it offered no financial incentives. It
    won't become another government program bloated by territorial fights
    -- it is designed to be a collaborative effort between businesses and
    government for the sole purpose of promoting security.

    Sorry for the long post .. my 2 cents

    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private]
    On Behalf Of InfoSec News
    Sent: Thursday, November 21, 2002 9:23 AM
    To: isnat_private
    Subject: Re: [ISN] U.S. Government Flunks Computer Security Tests

    Forwarded from: hugginsat_private

    Note: The fine print in the document says that these inspections were
    more in-depth than previous inspections and that in comparison the
    government has improved its security. Those in business and
    government as well as the private sector had an opportunity until
    Monday to improve on the Cyber Security national plan. The problem
    was we don't want regulation; we don't want to utilize secure Unix or
    hardened Microsoft even though those procedures exist. Our society
    wants instant gratification, and with that goes instant access to
    everything without security influencing how things are done. As a
    retired military security professional, my experience is that senior
    management in government is just like senior management (although a
    little more secure than those) in America's corporations. Those that
    would hoot and holler that "we told you so" need to look at the
    corporations and how they work and think where they would be: 2, maybe 3,
    would receive a D; the rest would fail miserably.

    > Forwarded from: Elyn Wollensky <elynat_private>
    > By Brian Krebs
    > Staff Writer
    > Tuesday, November 19, 2002
    > The U.S. government has earned failing marks for computer security for
    > the second year in a row, according to a report released today by a
    > congressional oversight committee.
    > Nearly two-thirds of the federal government's 24 major agencies
    > flunked the General Accounting Office's (GAO) latest "computer
    > security report card," according to a House Government Reform
    > subcommittee. The Departments of Justice, Defense, Energy and Treasury
    > earned flunking grades, with the Department of Transportation earning
    > the lowest score.
    > The Social Security Administration won the highest mark, with a
    > "B minus."

    This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 04:15:52 PST