[ISN] EPA improves security compliance

From: InfoSec News (isn@private)
Date: Tue Apr 06 2004 - 07:48:21 PDT


    http://www.fcw.com/fcw/articles/2004/0405/web-fisma-04-05-04.asp
    
    By Sarita Chourey 
    April 5, 2004 
    
    Environmental Protection Agency officials dramatically improved their
    ability to follow information security regulations by spending half a
    million dollars on a compliance system.
    
    Several companies and government agencies have contacted the EPA to
    learn about its increased compliance with the Federal Information
    Security Management Act of 2002, said Mark Day, the EPA's deputy chief
    information officer. Since buying software from BindView Corp. more
    than a year ago, the agency's FISMA technical compliance has risen
    from 35 percent to 95 percent, attracting interest inside and outside
    of the federal government, Day said.
    
    In an Office of Management and Budget report, "Budget of the United
    States 2005; Analytical Perspectives," officials stated that the EPA
    "excelled at protecting their information security assets."
    
    BindView's product, BindView Report Packs, is designed to help
    information technology administrators target and eliminate security
    vulnerabilities in information systems. The software cost the agency
    about $500,000, Day said.
    
    As with many new IT strategies, particularly ones that involve
    intensified oversight, initial hesitancy among agency staff members
    gave way to broad-based approval, Day said.
    
    "There were a couple brave souls who took this on and proved that it
    could be done," he said. "Then later, when someone said, 'It's too
    hard. It can't be done,' the answer was easy: 'Everyone else is doing
    it.' "
    
    The BindView system gave managers the tools to give instructions and
    check compliance, which helped the EPA chart and publish its
    compliance.
    
    "It's amazing how these charts went from being something very disliked
    in the first couple months to now most of the IT professionals saying
    to their boss, 'Here's independent proof that I am doing my job.' "
    
    Officials ensured that the EPA's compliance reports were widely
    published, lending to system-critical transparency and credibility,
    Day said. And managers didn't have to be technical experts to address
    their IT problems. "The typical problem a manager gets is a report
    saying a password isn't set up. What can they do? They don't know how
    to fix that. Well, now they say get me green."
    
    EPA isn't endorsing BindView's product, Day sa
    
    
    