As 2005 comes to a close, what have we learned and implemented to assist us in managing our information security? And what does the future hold for us who live and work in this information assurance space?

Let's start at the turn of the millennium: Almost six years ago, during this same time period, people all over the world were wondering if we would technically survive the turning of the new century. Old Cobol and Fortran programmers were called back to work, and many people rang in the New Year staring at computer screens. And yet, nothing really happened. Was it because of the preparation for the event or would the computers have kept running without noticing a change in their date/time banks? I'm not sure we ever will really know that answer.

Then in 2001, we had the terrorist attacks on the U.S. which shook the world. And we learned our contingency plans and disaster recovery efforts required more than they had been covering. Our business continuity plans needed to address more than fires in the building and updated backup tapes. They need to address business functions, hot/warm sites, and personnel.

A few years back, 2002 brought us Web Services, and all the security issues that went with it. Then 2003 and 2004 introduced new security threats, such as spam and phishing. Identify theft through computers was huge, as were the SQL Slammer and MS Blaster worm attacks. Security types worked hard to come up with new policies and regulations to try and address some of these issues.

During 2005, did we embrace our information assurance policies and enforce the rules? Did our renewed contingency planning and disaster recovery efforts help when disasters struck? Have we, as information assurance professional, kept pace with technology, and those who would do malicious harm to our systems?

Here are some of the highlights so you can make your own informed opinions:

  • Regulations, Polices and Standards -- The National Institute of Standards and Technology (NIST) published many special publications. The documents addressed security controls and risk management. There was an effort to coordinate policies from both the federal government and the Department of Defense. These guidelines are very helpful in assisting information assurance practitioners. We have the policies and procedures for great security. What is lacking is the enforcement of these policies.
  • Enforcement -- I believe we are still struggling with the enforcement issue in regard to information assurance policies. The Federal Information Systems Management Act (FISMA) attempts to try and enforce good security practices, however, it has fallen short of the intent of the act. The Government Accountability Office (GAO) is publishing more reports on agencies that have not correctly or thoroughly implemented security in their environments. This is one of those areas where the information assurance world will continue to struggle, but it's absolutely critical.
  • Technical Controls -- The information assurance arena has made great progress in developing and implementing technical controls in their systems and networks. We have seen a progression from defensive features to proactive features. Firewalls, intrusion detection systems (IDS), and DMZs now are automatically considered in network architectures.
  • Continuity & Disaster Recovery -- This past year was one for continuity and disaster recovery planning. Hurricane Katrina proved that in order to survive a disaster, prior planning must be done. Those companies that had plans in place and had tested those plans, survived. We have seen natural disasters on the increase, as well as disasters that are created and implemented by man. I know people who have endured an anthrax scare. Add to that the fact that the Center for Disease Control has advised large companies to have continuity plans in place as they expect an epidemic flu this year. Continuity planning must move from being system-based to enterprise levels, taking into account people and processes, as well as data. I believe we will see more disasters on a larger scale in the future.

    I continue to be optimistic that information assurance will rise in importance, and business management will understand why we need to have security in our systems and networks. I also believe that as security professionals we will figure out how to enforce our security policies and procedures.

    Most of all, I wish you all a safe and secure new year!