As 2005 comes to a close, what have we learned and implemented to assist
us in managing our information security? And what does the future hold
for us who live and work in this information assurance space?
Let's start at the turn of the millennium: Almost six years ago, during
this same time period, people all over the world were wondering if we
would technically survive the turning of the new century. Old Cobol and
Fortran programmers were called back to work, and many people rang in the
New Year staring at computer screens. And yet, nothing really happened.
Was it because of the preparation for the event or would the computers
have kept running without noticing a change in their date/time banks? I'm
not sure we ever will really know that answer.
Then in 2001, we had the terrorist attacks on the U.S., which shook the
world, and we learned that our contingency plans and disaster recovery efforts
required more than they had been covering. Our business continuity plans
needed to address more than fires in the building and updated backup
tapes. They needed to address business functions, hot/warm sites, and
A few years back, 2002 brought us Web Services, and all the security
issues that went with it. Then 2003 and 2004 introduced new security
threats, such as spam and phishing. Identity theft through computers was
huge, as were the SQL Slammer and MS Blaster worm attacks. Security types
worked hard to come up with new policies and regulations to try to
address some of these issues.
During 2005, did we embrace our information assurance policies and
enforce the rules? Did our renewed contingency planning and disaster
recovery efforts help when disasters struck? Have we, as information
assurance professionals, kept pace with technology and with those who
would do malicious harm to our systems?
Here are some of the highlights so you can make your own informed
Regulations, Policies and Standards -- The National Institute
of Standards and Technology (NIST) published many special publications.
The documents addressed security controls and risk management. There was
an effort to coordinate policies from both the federal government and the
Department of Defense. These guidelines are very helpful in assisting
information assurance practitioners. We have the policies and procedures
for great security. What is lacking is the enforcement of these policies.
Enforcement -- I believe we are still struggling with the
enforcement issue in regard to information assurance policies. The
Federal Information Systems Management Act (FISMA) attempts to
enforce good security practices; however, it has fallen short of the
intent of the act. The Government Accountability Office (GAO) is publishing
more reports on agencies that have not correctly or thoroughly
implemented security in their environments. This is one of those areas
where the information assurance world will continue to struggle, but it's
Technical Controls -- The information assurance arena has
made great progress in developing and implementing technical controls in
their systems and networks. We have seen a progression from defensive
features to proactive features. Firewalls, intrusion detection systems
(IDS), and DMZs now are automatically considered in network
Continuity & Disaster Recovery -- This past year was one for
continuity and disaster recovery planning. Hurricane Katrina proved that
in order to survive a disaster, prior planning must be done. Those
companies that had plans in place, and had tested those plans, survived.
We have seen natural disasters on the increase, as well as man-made
disasters. I know people who have endured an
anthrax scare. Add to that the fact that the Center for Disease Control
has advised large companies to have continuity plans in place as they
expect an epidemic flu this year. Continuity planning must move from
being system-based to enterprise levels, taking into account people and
processes, as well as data. I believe we will see more disasters on a
larger scale in the future.
I continue to be optimistic that information assurance will rise in
importance, and business management will understand why we need to have
security in our systems and networks. I also believe that as security
professionals we will figure out how to enforce our security policies and
Most of all, I wish you all a safe and secure new year!