http://informationweek.com/story/showArticle.jhtml?articleID=60401476
By Eric Chabrow
InformationWeek
Feb. 16, 2005

The consistent failure of many federal agencies to secure their IT systems effectively has prompted government officials to create a new organization, to be funded by the private sector, to help federal chief information security officers improve cybersecurity.

The formation of the CISO Exchange, announced Wednesday, came as the House Government Reform Committee issued a federal computer security report card in which the average grade for 2004 was a D+.

Federal CISOs need better guidance to comply with the 2002 law (FISMA) that requires agencies to secure their IT systems and networks. In a survey of one-quarter of federal CISOs, 70% said they want clarification of the guidelines, and 53% recommended that guidance be improved on the annual security control tests conducted by agencies' inspectors general.

"It's not sufficient to keep admonishing these guys," says Stephen O'Keefe, the head of an IT public relations, research, and events firm, who will serve as the CISO group's executive. "We have to provide a forum where they can have a seat at the table, learn from others, and get feedback on ideas."

The creation of the CISO Exchange was announced by Rep. Tom Davis, the Virginia Republican who chairs the Government Reform Committee, and by the federal CIO Council, a congressionally mandated group of CIOs who represent major federal departments and agencies. Unlike the CIO Council, the CISO Exchange will be an informal organization aimed at giving the 117 federal departmental and agency CISOs a common voice. The exchange will be co-chaired by Justice Department CIO Van Hitch, who chairs the CIO Council's cyber security and privacy committee, and Government Reform Committee staff director Melissa Wojciak.
Davis, in a statement, said the exchange is patterned after other government efforts to cross-pollinate ideas and best practices between the private sector and government in order "to move our government to the top of the class in IT security." The CISO Exchange will hold quarterly education meetings and produce a report on federal IT security priorities and operations.

O'Keefe says 100% of the CISO Exchange's funding will come from business, mostly IT security companies, and none from government coffers. No company has yet been asked to commit money to the venture; O'Keefe says the CISO Exchange wanted to wait for the announcement of the group's formation before soliciting contributions. He says a number of companies have expressed interest in supporting the exchange, which does not yet have a budget.

Seven cabinet departments received a grade of F on the computer security report card: Agriculture, Commerce, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, and Veterans Affairs. The grades for Commerce and Veterans Affairs dropped from 2003 scores of C- and C, respectively. The biggest jump in performance occurred at Transportation, which received an A- after getting a D+ in 2003. The Agency for International Development had the highest grade, an A+, up from a C- in 2003.

In the CISO survey, conducted by IT security management provider Telos Corp., the vast majority of security officers said there was no correlation between the scorecard grades they received and government funding of IT security initiatives. "If there are no incentives for agencies to continue to comply with FISMA requirements," Telos chief security officer Richard Tracy says, "what's the point?"

_________________________________________
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Thu Feb 17 2005 - 04:04:39 PST