[ISN] Agencies Beef Up IT Security
From: InfoSec News (isn@c4i.org)
Date: Tue Jan 06 2004 - 04:39:23 CST
Forwarded from: William Knowles <wk@c4i.org>
http://www.eweek.com/article2/0,4149,1426312,00.asp
By Dennis Fisher
January 5, 2004
As criticism of the federal government's security practices and
policies mounts, some agencies are making sweeping changes in the way
they manage IT assets.
The Department of Justice, one of a handful of agencies that received
a failing grade on last month's report card on IT security delivered
by a congressional subcommittee, is at the forefront of the movement.
The DOJ has made a number of changes in recent months, including the
establishment of a departmentwide IT security staff that answers
directly to the CIO, according to DOJ officials, in Washington. That
group, in turn, has set about organizing a security council within the
department, they said.
The council comprises the top security officials from each of
Justice's dozens of component organizations, including the United
States Attorney's Office; the Bureau of Alcohol, Tobacco, Firearms and
Explosives; and the U.S. Marshals Service. Known as the IT Security
Council, this group is now responsible for implementing and overseeing
all the security programs in the department. This type of
centralization, while normal in large enterprises, is still very new
to federal agencies.
It was organized out of necessity at Justice, an organization
comprising more than 50 parts. So far, the results have been
encouraging, department officials said, even though the results didn't
show up on the 2003 congressional report card.
"The department program is producing the security management needed,
and I am looking forward to next year's report card when we can
reflect the improved implementation and validation of security
requirements," said Dennis Heretick, deputy director of the IT
security staff at the DOJ, in Washington.
"These programs have set the stage for a departmentwide capability to
manage implementation of risk control requirements but are not at the
point where they produced the bottom-line results needed to improve
last year's report card," Heretick said.
The security grades are handed out each year by the House Committee on
Government Reform's Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, and they are based mainly
on how well each agency measures up to a set of established criteria.
The criteria, among other things, require that each agency inventory
all its IT assets and be able to assess the security of each. In
large, distributed departments such as Justice, this can be a daunting
task.
As a result, security personnel inside the government have begun
developing their own methods and tools to get the job done.
The Environmental Protection Agency staff, for example, has created an
automated security evaluation and remediation application capable of
testing the security posture of each machine and monitoring the
remediation process for any problems found. The security staff at
Justice is now using this tool as well.
Beyond the DOJ and EPA, other departments are moving ahead with
changes.
The Department of Transportation recently implemented a comprehensive
vulnerability assessment and remediation package that performs
continuous scans, instead of the traditional monthly or quarterly
assessments.
A deputy secretary of the department is kept apprised of every
critical vulnerability in the department's network. Both the EPA and
the DOT made full letter-grade improvements in the 2003 report card.
"This is a good example of something that's working. This brings
vulnerability visibility to the highest levels," said Alan Paller,
research director at The SANS Institute, in Bethesda, Md. "They're
transforming the concept of vulnerability assessment."
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.