Finding the Right Mix for Information Assurance

By Penny Klein, TLA Associates
As security experts, we probably all have had the conversation about the relative value of technical, operational and managerial security controls.
It usually goes something like this: "My network (or system, or application) is very secure. Periodic vulnerability scans are conducted, security patches are installed as identified, and virus detectors are implemented. Additionally, there are DMZs, firewalls, and Intrusion Detection Systems (IDS), as well as Intrusion Prevention Systems (IPS). Yep, we are totally secured. All that other policy stuff does not matter."
Then there's this statement: "We have all of the policies in place. We have interpreted the national and agency policies into our own language and have the documents posted to our Web site. Additionally, annual security training is provided to the users and the system administrators. With all these procedures and processes, how can we not be secure?"
And last, but not least, is the argument that without support from senior management for information assurance, and the associated enforcement of the security policies, the security program is doomed to failure.
Personally, I have always believed that all three need to be in place to have a successful information assurance program. However, I have hardly ever seen all three areas truly working together in the same environment. What I have noticed is that the three areas are at odds with one another.
After reading a couple of recent Government Accountability Office (GAO) reports on the security posture of our government agencies, I have found I am not the only one who has noticed a lack of interoperability between the three security areas. For those of you who are not familiar with the GAO, it is an independent, nonpartisan agency that works for Congress and the American people. At the request of Congress, the GAO studies federal programs and expenditures; after an investigation, it writes a report that identifies areas of weakness and provides recommendations to fix them.
One report in particular noted that the agency under investigation was particularly weak in its implementation of the managerial and operational controls. Although the agency was diligent in periodic scanning, patch management and the testing of technical security features, the report noted that it did not track, or plan for the correction of, its non-technical deficiencies.
The GAO report identified several specific areas...
One of the areas was risk management. According to the GAO report, the agency did not annually re-evaluate its network, systems and applications to determine residual risk. This re-evaluation includes activities such as the security test and evaluation of the managerial and operational controls, as well as the technical controls, and the tracking and correction of the non-technical findings.
This was particularly disturbing to me, as the determination of risk, and then its minimization, is what information assurance is all about.
The other major trouble spot was a lack of security training and awareness. It's not that a security training and awareness program did not exist, because it does at this particular agency. The issue was that the training program was not maintained and updated to keep pace with emerging security trends. There was also no good mechanism in place to keep track of which personnel had been trained.
There were other findings as well, but these were the major points.
I have to admit that none of these findings were a huge surprise, and they could probably be identified in any government agency at any time. What did surprise me was the agency's response to the report. Let me give you a condensed version of the response: they periodically execute vulnerability scans, respond to the identified vulnerabilities and have other such technical controls in place. No mention of the operational or managerial controls.
I have to admit I am amazed that, with all the progress we have made in the information assurance field, there could be such a lack of understanding of how the three areas must work together. However, I am hopeful that with the technical security features currently available for our systems; the national attention being given to security via policies (e.g., FISMA, the Federal Information Security Management Act); and the enforcement of these security policies that is slowly but steadily being executed, we may yet get all three areas to interact in a positive manner.
Only then will our networks, systems and applications be truly secured.
Copyright: TLA Associates

Source: eSecurity Planet, where the original article appeared.