Forwarded from: Brad Ball <bradballat_private>

One of the key weak points in getting security to have equal footing in the war room or the boardroom is the inability to convince upper management of the importance of configuration management. It is not the single activity that can seal up insecurities, but it offers a unique opportunity in every organization. This opportunity is having the different pieces of the organization at the same table at the same time to discuss IT initiatives and plans. Security, network operations, finance, etc. are all given a chance to pass their perspectives and concerns to senior management. The trick, of course, is persuading management to support such an approach. I would contend that the security professional able to successfully convince their bosses to do this will be setting up a process that (1) makes security a shared concern and (2) allows all departments to better understand all organizational objectives and possibly be motivated to contribute their own unique ideas that benefit the entire process.

Having been in security for some time myself, I can empathize with Huggins' outlook. What I have found personally is that I have evolved over a period of time to a broader outlook .. what I will call the Fox News approach... I report .. you decide! My commitment to secure practices is not lessened, but I have convinced more non-IT types by simply reporting the pluses & minuses as well as the military regulations that drive my reports. In one unit I was nicknamed Satan because of my inflexibility on security. Was I wrong in my assessments at the time? No, but my approach didn't fit the organization.

The attempt to pass a cyber security initiative through the Arizona legislature last year is the first of many that eventually will convince corporate America that sharing the efforts of their security departments strengthens them rather than weakens them. That initiative was extremely innovative in its assertion that only businesses that wanted to participate had to, and it offered no financial incentives. It won't become another government program bloated by territorial fights -- it is designed to be a collaborative effort between businesses and government for the sole purpose of promoting security.

Sorry for the long post .. my 2 cents

-----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
Sent: Thursday, November 21, 2002 9:23 AM
To: isnat_private
Subject: Re: [ISN] U.S. Government Flunks Computer Security Tests

Forwarded from: hugginsat_private

Note: The fine print in the document says that these inspections were more in-depth than previous inspections and that, in comparison, the government has improved its security.

Those in business and government as well as the private sector had an opportunity until Monday to improve on the Cyber Security national plan. The problem was we don't want regulation, we don't want to utilize secure Unix or hardened Microsoft even though those procedures exist. Our society wants instant gratification, and with that goes instant access to everything without security influencing how things are done.

As a retired military security professional, my experience is that senior management in government is just like senior management (although a little more secure than those) in America's corporations. Those that would hoot and holler that "we told you so" need to look at the corporations and how they work and think where they would be: 2, maybe 3, would receive a D; the rest would fail miserably.

> Forwarded from: Elyn Wollensky <elynat_private>
>
> http://www.washingtonpost.com/wp-dyn/articles/A9496-2002Nov19.html
>
> By Brian Krebs
> washingtonpost.com Staff Writer
> Tuesday, November 19, 2002
>
> The U.S. government has earned failing marks for computer security for
> the second year in a row, according to a report released today by a
> congressional oversight committee.
>
> Nearly two-thirds of the federal government's 24 major agencies
> flunked the General Accounting Office's (GAO) latest "computer
> security report card," according to a House Government Reform
> subcommittee. The Departments of Justice, Defense, Energy and Treasury
> earned flunking grades, with the Department of Transportation earning
> the lowest score.
>
> The Social Security Administration won the highest mark, with a
> "B minus."

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 04:15:52 PST