Forwarded from: William Knowles <wk@private>

http://www.eweek.com/article2/0,4149,1426312,00.asp

By Dennis Fisher
January 5, 2004

As criticism of the federal government's security practices and policies mounts, some agencies are making sweeping changes in the way they manage IT assets.

The Department of Justice, one of a handful of agencies that received a failing grade on last month's report card on IT security delivered by a congressional subcommittee, is at the forefront of the movement. The DOJ has made a number of changes in recent months, including the establishment of a departmentwide IT security staff that answers directly to the CIO, according to DOJ officials, in Washington. That group, in turn, has set about organizing a security council within the department, they said.

The council comprises the top security officials from each of Justice's dozens of component organizations, including the United States Attorney's Office; the Bureau of Alcohol, Tobacco, Firearms and Explosives; and the U.S. Marshals Service. Known as the IT Security Council, this group is now responsible for implementing and overseeing all the security programs in the department.

This type of centralization, while normal in large enterprises, is still very new to federal agencies. It was organized out of necessity at Justice, an organization comprising more than 50 parts. So far, the results have been encouraging, department officials said, even though the results didn't show up on the 2003 congressional report card.

"The department program is producing the security management needed, and I am looking forward to next year's report card when we can reflect the improved implementation and validation of security requirements," said Dennis Heretick, deputy director of the IT security staff at the DOJ, in Washington.
"These programs have set the stage for a departmentwide capability to manage implementation of risk control requirements but are not at the point where they produced the bottom-line results needed to improve last year's report card," Heretick said.

The security grades are handed out each year by the House Committee on Government Reform's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and they are based mainly on how well each agency measures up to a set of established criteria. The criteria, among other things, require that each agency inventory all its IT assets and be able to assess the security of each. In large, distributed departments such as Justice, this can be a daunting task.

As a result, security personnel inside the government have begun developing their own methods and tools to get the job done. The Environmental Protection Agency staff, for example, has created an automated security evaluation and remediation application capable of testing the security posture of each machine and monitoring the remediation process for any problems found. The security staff at Justice is now using this tool as well.

Beyond the DOJ and EPA, other departments are moving ahead with changes. The Department of Transportation recently implemented a comprehensive vulnerability assessment and remediation package that performs continuous scans, instead of the traditional monthly or quarterly assessments. A deputy secretary of the department is kept apprised of every critical vulnerability in the department's network. Both the EPA and the DOT made full letter-grade improvements in the 2003 report card.

"This is a good example of something that's working. This brings vulnerability visibility to the highest levels," said Alan Paller, research director at The SANS Institute, in Bethesda, Md. "They're transforming the concept of vulnerability assessment."
This archive was generated by hypermail 2b30 : Tue Jan 06 2004 - 05:16:31 PST