Information Security News mailing list archives

RE: Agencies flunk security review


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Nov 2001 01:13:25 -0600 (CST)

Forwarded from: Brettan Miller <bpmiller () argus-systems com>

...While the agency I mention is not perfect, they have done an
outstanding job in regards to security in the last year. Most
importantly, they did the outstanding job before hiring the company I
am currently with. Their administrators had security policy, firewalls,
audit procedures, kept up to date on security issues, etc. For the
facilities they control (which serve almost all 33 agencies), there has
been no external intrusion into their network for five years...

You are correct in stating they have done more than most; however, I
would suspect that one of the main reasons for their low grade is they
have not addressed the issue of Access Control. Any agency that
processes sensitive, classified, or confidential information must
incorporate a policy of mandatory access controls. Too many agencies
continue to rely on discretionary access controls. I notice in your
comment, you mention they have not had any "external" intrusions in
the past 5 years. Is one to assume from that statement that they have
had internal intrusions? At the end of the day, what does it matter if
an intrusion is "external" or "internal"? It's still an intrusion. Any
agency that processes sensitive, classified, or confidential
information and still relies on discretionary access controls deserves
an F, period. I tend to agree with your view on too many layers of
bureaucracy impeding network security; however, it is a fact of life,
and publicizing the poor grades these agencies receive is a necessary
piece in the bureaucracy puzzle.


Brettan P. Miller
bpmiller () argus-systems com
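As an added illustration of the distinction Miller draws between discretionary and mandatory access control (this is example code written for this archive page, not anything from the thread, from Argus Systems, or from any agency system), the toy model below puts a Bell-LaPadula style label check beside an owner-controlled ACL. Under DAC alone the owner of a SECRET file can hand read access to an uncleared user, and a cleared user can copy SECRET content into an UNCLASSIFIED file; with the mandatory check layered on top, both of those internal leaks are refused regardless of what the owner or the ACL says. The subject and object names and the three-level lattice are assumptions made for the example.

```python
# Added example: discretionary (DAC) versus mandatory (MAC) access control.
# Hypothetical model written for this page; names and levels are invented.
from dataclasses import dataclass, field

# Assumed classification lattice, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Subject:
    name: str
    clearance: str                       # MAC attribute, set by the security officer
    groups: set = field(default_factory=set)


@dataclass
class Obj:
    name: str
    owner: str
    classification: str                  # MAC label; the owner cannot lower it
    acl: dict = field(default_factory=dict)   # DAC: principal -> permissions, owner-controlled


def dac_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    """Discretionary check: whoever owns the object decides who is on the ACL."""
    allowed = obj.acl.get(subject.name, set()) | obj.acl.get("*", set())
    return perm in allowed


def mac_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    """Mandatory check in the Bell-LaPadula style:
    read  requires clearance >= classification (no read up),
    write requires clearance <= classification (no write down)."""
    s = LEVELS[subject.clearance]
    o = LEVELS[obj.classification]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


def access(subject: Subject, obj: Obj, perm: str, mode: str) -> bool:
    """mode="DAC": ACL only.  mode="MAC": label check AND the ACL, so the
    owner can still restrict access but can never grant more than the
    labels permit."""
    if mode == "DAC":
        return dac_allows(subject, obj, perm)
    return mac_allows(subject, obj, perm) and dac_allows(subject, obj, perm)


def demo() -> dict:
    alice = Subject("alice", "SECRET")          # cleared insider
    bob = Subject("bob", "UNCLASSIFIED")        # uncleared insider
    plan = Obj("plan.doc", owner="alice", classification="SECRET",
               acl={"alice": {"read", "write"}})
    memo = Obj("memo.txt", owner="bob", classification="UNCLASSIFIED",
               acl={"*": {"read", "write"}})

    # Alice, as owner, grants Bob read access to the SECRET plan.
    # Perfectly legal under DAC; exactly the "internal intrusion" MAC exists to stop.
    plan.acl["bob"] = {"read"}

    return {
        "dac_bob_reads_secret": access(bob, plan, "read", "DAC"),      # True
        "mac_bob_reads_secret": access(bob, plan, "read", "MAC"),      # False
        "mac_alice_reads_secret": access(alice, plan, "read", "MAC"),  # True
        # Alice pasting SECRET material into a world-writable UNCLASSIFIED memo:
        "dac_alice_writes_down": access(alice, memo, "write", "DAC"),  # True
        "mac_alice_writes_down": access(alice, memo, "write", "MAC"),  # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the model is that the ACL in a DAC system is itself a discretionary decision of the file owner, so a careless or compromised insider can always widen it; the mandatory labels are outside the owner's control, which is why Miller treats their absence as disqualifying for classified processing.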



-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org]On Behalf
Of InfoSec News
Sent: Wednesday, November 14, 2001 9:06 AM
To: isn () attrition org
Subject: Re: [ISN] Agencies flunk security review


Forwarded from: security curmudgeon <jericho () attrition org>

(comments below)


http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp

By Diane Frank

A House panel last week gave two-thirds of all federal agencies a
failing grade for efforts to secure information systems, a worse
showing than last year, which was attributed to greater awareness of
security vulnerabilities.

New set of security grades from Horn
(last year's score first, this year's score second)

Agency                          Last year   This year
Agriculture                     F           F
USAID                           C-          F
Commerce                        C-          F
Defense                         D+          F
Education                       C           F
Energy                          Inc         F
HHS                             F           F
Interior                        F           F
Justice                         F           F
Labor                           F           F
Nuclear Regulatory Commission   Inc         F
OPM                             F           F
SBA                             F           F
Transportation                  Inc         F
Treasury                        D           F
VA                              D           F
NSF                             B-          B+
Social Security                 B           C+
NASA                            D-          C-
EPA                             D-          D+
State                           C           D+
FEMA                            Inc         D
GSA                             D-          D
HUD                             C-          D
Governmentwide grade            D-          F

So in short, basically every agency stayed the same or went down. Why
does this seem a bit off to me..

I am no fan of government agencies when it comes to *most* of their
security practices. I realize that a lot of the demands have been
dumped on them with little time or resources to meet stringent demands
as well.

I have done direct consulting for two agencies listed above, and work
with several people that handle a healthy amount of some aspects of
security of a third, so my comments are based on that.


[...]




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
