Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Q&A: Rep. Davis on latest federal IT security report card

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Q&A: Rep. Davis on latest federal IT security report card
Date: Fri, 25 Feb 2005 03:48:23 -0600 (CST) 
http://www.computerworld.com/securitytopics/security/story/0,10801,100010,00.html

By Jaikumar Vijayan 
FEBRUARY 24, 2005 
COMPUTERWORLD

House Government Reform Committee Chairman Tom Davis (R-Va.) last week
released the 2004 federal government computer security scorecard,
which gave federal agencies an overall D+ average (see story) [1].  
Several agencies, including the Department of Homeland Security and
the Department of Energy, scored F's for the second year running.
Others, such as the Department of Transportation, showed big
improvements.
 
In this interview with Computerworld, Davis talked about the
government's performance on the score card and warned that more
mandates could be on the way if federal agencies don't fix their
security issues soon.

What are your conclusions about the overall performance of government
agencies?

I think it is improving, but it's not improving fast enough at this
point. The overall agency scores rose by 2.5 points, but they still
scored a D+. We just need to continue to give this focus, and
hopefully we won't have some kind of cyberattack or cyber-Pearl
Harbor. We have to be inspired by that to try and stay ahead of the
curve.


Why are some agencies faring so well while others appear to be
struggling?

Leadership. It's about leadership. It basically goes to the CIO and
the agency heads and their ability to coordinate on this.  They have
to get this focused. They need to get a plan, [and] they need to
execute on it. Some agencies have put the resources into it, and
others haven't. We have independently verified these scores. Some have
still a long way to go.


What's the incentive to improve when there are no funding or other
repercussions for bad grades?

I don't know if you want to punish people by withholding funding. That
makes it even tougher for them to meet their goals. But I think there
may be an embarrassment factor. If you want to have career advancement
and you come off an agency that has got a bad FISMA [Federal
Information Security Management Act] grade, it probably isn't going to
help you move to the next level. I think this is part of the
evaluation process. Eventually, I think there will be a funding
attachment. These score cards are fairly new, and we are trying to get
an appropriations buy-in.


Many of the recommended security controls for federal agencies will
become mandated requirements by the end of this year. What impact will
that have on the score cards next year.

Mandates are better than suggestions, unfortunately. You hate to get
to the point where you have to mandate things that need to get done.
But I think that is the way Congress will react, with more mandates on
agencies that will put more burden on them. We would rather have
[agencies] solve the issues themselves. But if they can't do that, I
think they'll get a lot more mandates.


You identified several areas where federal agencies overall need to
improve, including annual reviews of contractor systems, testing of
contingency plans and incident reporting. What is the problem?

[Federal agencies] don't have the finances for it. The basic problem
is that we are asking them to do this in some cases without giving
them a lot of new money. As a result of that, they just check it off
like they do all their other priorities. They are kind of waiting for
additional money to come through. We ask the agencies to do a lot of
things. This is just one.


You had identified a need for each agency's inspector general to
standardize the evaluation process to ensure the accuracy of their
reports and make sure that fair comparisons can be made between the
agencies. What's being done?

We haven't made any changes yet. That will be based on the responses
we get from the different agencies.


How will the CISO Exchange that you announced recently help improve
things?

Hopefully, we will get people to come from agencies that have done it
going into agencies that haven't done it and show them how to do it.
You get some pollination that way.

[1] 
http://www.computerworld.com/governmenttopics/government/story/0,10801,99846,00.html



_________________________________________
Bellua Cyber Security Asia 2005 -
http://www.bellua.com/bcs2005
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Q&A: Rep. Davis on latest federal IT security report card, InfoSec News <=
Previous by Date:  [ISN] Flaw threatens T-Mobile voice mail leaks, InfoSec News
Next by Date:  [ISN] Firefox Patch Fixes Vulnerabilities And Crashes, InfoSec News
Previous by Thread:  [ISN] Flaw threatens T-Mobile voice mail leaks, InfoSec News
Next by Thread:  [ISN] Firefox Patch Fixes Vulnerabilities And Crashes, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]