From: InfoSec News (isn@c4i.org)
Date: Tue Apr 16 2002 - 02:34:24 CDT


    http://www.fcw.com/fcw/articles/2002/0415/web-letter-04-15-02.asp

    April 15, 2002

    Why is information technology security a problem? Nothing gets
    management's attention unless it is bleeding or causing adverse
    publicity. Therefore, IT security will get no attention unless it is
    causing mission problems or getting bad publicity. Management will not
    give resources to anything that doesn't "squeak" louder than other
    issues.

    No agency is doing a decent job of training personnel in IT security
    issues. High cost; therefore, only token effort.

    Note: The Computer Security Act has been in effect for 15 years, but
    to this day, most agencies have (at best) implemented only small
    pieces of the requirements of this act. Life cycle management — truly
    integrating IT security into the whole process — isn't happening.

    Congress does a great job of mandating certain actions or activities,
    then providing zero resources to the agencies to actually implement
    the activities. If the Hill truly wants something done, they must be
    prepared to fund them. They can always find resources for some pork
    project that only benefits a few representatives or senators.

    Very few agencies have a comprehensive IT security policies and
    procedures document. Fewer still have actually communicated that
    document to the offices that must implement it. Fewer still provide
    the authority to the IT security manager to enforce the
    implementation.

    So, why do we have problems with IT security??? Sigh!

    Too many managers think that IT security is firewalls or
    intrusion-detection systems. It isn't. There are several others that
    are important, but you get the idea.

    Name withheld by request

    -
    ISN is currently hosted by Attrition.org
