[ISN] Agencies Beef Up IT Security

From: InfoSec News (isn@private)
Date: Tue Jan 06 2004 - 02:39:23 PST

    Forwarded from: William Knowles <wk@private>
    
    http://www.eweek.com/article2/0,4149,1426312,00.asp
    
    By Dennis Fisher 
    January 5, 2004   
     
    As criticism of the federal government's security practices and 
    policies mounts, some agencies are making sweeping changes in the way 
    they manage IT assets.
    
    The Department of Justice, one of a handful of agencies that received 
    a failing grade on last month's report card on IT security delivered 
    by a congressional subcommittee, is at the forefront of the movement.
    
    The DOJ has made a number of changes in recent months, including the 
    establishment of a departmentwide IT security staff that answers 
    directly to the CIO, according to DOJ officials, in Washington. That 
    group, in turn, has set about organizing a security council within the 
    department, they said.
    
    The council comprises the top security officials from each of 
    Justice's dozens of component organizations, including the United 
    States Attorney's Office; the Bureau of Alcohol, Tobacco, Firearms and 
    Explosives; and the U.S. Marshals Service. Known as the IT Security 
    Council, this group is now responsible for implementing and overseeing 
    all the security programs in the department. This type of 
    centralization, while normal in large enterprises, is still very new 
    to federal agencies.
    
    It was organized out of necessity at Justice, an organization 
    comprising more than 50 parts. So far, the results have been 
    encouraging, department officials said, even though the results didn't 
    show up on the 2003 congressional report card.
    
    "The department program is producing the security management needed, 
    and I am looking forward to next year's report card when we can 
    reflect the improved implementation and validation of security 
    requirements," said Dennis Heretick, deputy director of the IT 
    security staff at the DOJ, in Washington.
    
    "These programs have set the stage for a departmentwide capability to 
    manage implementation of risk control requirements but are not at the 
    point where they produced the bottom-line results needed to improve 
    last year's report card," Heretick said.
    
    The security grades are handed out each year by the House Committee on 
    Government Reform's Subcommittee on Technology, Information Policy, 
    Intergovernmental Relations and the Census, and they are based mainly 
    on how well each agency measures up to a set of established criteria. 
    The criteria, among other things, require that each agency inventory 
    all its IT assets and be able to assess the security of each. In 
    large, distributed departments such as Justice, this can be a daunting 
    task.
    
    As a result, security personnel inside the government have begun 
    developing their own methods and tools to get the job done.
    
    The Environmental Protection Agency staff, for example, has created an 
    automated security evaluation and remediation application capable of 
    testing the security posture of each machine and monitoring the 
    remediation process for any problems found. The security staff at 
    Justice is now using this tool as well.
    
    Beyond the DOJ and EPA, other departments are moving ahead with 
    changes.
    
    The Department of Transportation recently implemented a comprehensive 
    vulnerability assessment and remediation package that performs 
    continuous scans, instead of the traditional monthly or quarterly 
    assessments.
    
    A deputy secretary of the department is kept apprised of every 
    critical vulnerability in the department's network. Both the EPA and 
    the DOT made full letter-grade improvements in the 2003 report card.
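    The two capabilities the article attributes to the EPA and DOT tools, tracking whether each finding is actually remediated between scans and keeping a short list of open critical vulnerabilities in front of senior management, are easy to sketch. The following is an added example written for this page, not the EPA or DOT software (neither is described in any detail here); the scan snapshots, host names and finding identifiers are constructed sample data, and the function names are the example's own.

    ```python
    """Fold successive vulnerability-scan snapshots into per-finding remediation
    state and produce an escalation list of open critical findings.

    Added example, not the EPA/DOT tooling described in the article. All data
    below is constructed for illustration.
    """
    from dataclasses import dataclass
    from datetime import date
    from typing import Dict, List, Optional, Tuple

    # Constructed sample snapshots: scan date -> findings reported on that scan,
    # each as (host, finding_id, severity). A continuous-scanning program would
    # feed one such snapshot per scan run.
    SCANS = {
        date(2004, 1, 2): [
            ("ws-101", "MISSING-PATCH-A", "critical"),
            ("ws-101", "WEAK-SMB-SIGNING", "medium"),
            ("srv-07", "OPEN-TELNET", "critical"),
            ("srv-07", "DEFAULT-SNMP-COMMUNITY", "high"),
        ],
        date(2004, 1, 5): [
            ("ws-101", "WEAK-SMB-SIGNING", "medium"),
            ("srv-07", "OPEN-TELNET", "critical"),
            ("db-02", "UNPATCHED-LISTENER", "critical"),
        ],
    }


    @dataclass
    class Finding:
        host: str
        finding_id: str
        severity: str
        first_seen: date
        last_seen: date
        # Date of the first scan of this host that no longer reported the finding.
        remediated_on: Optional[date] = None


    def track_remediation(scans: Dict[date, list]) -> Dict[Tuple[str, str], Finding]:
        """Replay snapshots oldest-first and derive a state per (host, finding).

        A finding counts as remediated only when a later scan that *covered the
        host* stops reporting it. If the host was not scanned at all, the finding
        stays open rather than silently disappearing; a finding that reappears
        after being closed is reopened.
        """
        state: Dict[Tuple[str, str], Finding] = {}
        for scan_date in sorted(scans):
            present = set()
            hosts_scanned = set()
            for host, fid, severity in scans[scan_date]:
                present.add((host, fid))
                hosts_scanned.add(host)
                finding = state.get((host, fid))
                if finding is None:
                    state[(host, fid)] = Finding(host, fid, severity, scan_date, scan_date)
                else:
                    finding.last_seen = scan_date
                    finding.remediated_on = None  # reopened if it came back
            for key, finding in state.items():
                if (key not in present and finding.remediated_on is None
                        and finding.host in hosts_scanned):
                    finding.remediated_on = scan_date
        return state


    def remediation_summary(state: Dict[Tuple[str, str], Finding]) -> Dict[str, int]:
        """Counts of open vs. remediated findings, the 'is it working' metric."""
        counts = {"open": 0, "remediated": 0}
        for finding in state.values():
            counts["remediated" if finding.remediated_on else "open"] += 1
        return counts


    def escalation_list(state: Dict[Tuple[str, str], Finding], as_of: str,
                        max_age_days: int = 7) -> List[Tuple[str, str, int, bool]]:
        """Open critical findings as of an ISO date, oldest first.

        Returns (host, finding_id, age_in_days, overdue) rows, where overdue means
        the finding has been open longer than max_age_days. This is the kind of
        short list a deputy secretary could be kept apprised of.
        """
        today = date.fromisoformat(as_of)
        rows = []
        for finding in state.values():
            if finding.severity == "critical" and finding.remediated_on is None:
                age = (today - finding.first_seen).days
                rows.append((finding.host, finding.finding_id, age, age > max_age_days))
        rows.sort(key=lambda row: -row[2])
        return rows


    if __name__ == "__main__":
        state = track_remediation(SCANS)
        print(remediation_summary(state))
        for row in escalation_list(state, "2004-01-06", max_age_days=3):
            print(row)
    ```

    The host-coverage check in `track_remediation` is the part worth copying: a scanner that skipped a host (offline, firewalled, decommissioned) must not be read as "fixed", or the remediation metric will improve for the wrong reason.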
    
    "This is a good example of something that's working. This brings 
    vulnerability visibility to the highest levels," said Alan Paller, 
    research director at The SANS Institute, in Bethesda, Md. "They're 
    transforming the concept of vulnerability assessment."
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    
    This archive was generated by hypermail 2b30 : Tue Jan 06 2004 - 05:16:31 PST