It usually goes something like this:
''My network (or system, or application) is very secure. Periodic vulnerability scans are conducted, security patches are installed as identified, and virus detectors are implemented. Additionally, there are DMZs, firewalls, and Intrusion Detection Systems (IDS), as well as Intrusion Prevention Systems (IPS). Yep, we are totally secured. All that other policy stuff does not matter.''
Then there's this statement: ''We have all of the policies in place. We have interpreted the national and agency policies into our language and have the documents posted to our Website. Additionally, annual security training is provided to the users and the system administrators. With all these procedures and processes, how can we not be secure?''
And last, but not least, is the argument that if there is no support from senior management on information assurance, and the associated enforcement of the security policies, then the security program is doomed to failure.
Personally, I have always believed all three need to be in place to have a successful information assurance program. However, I have hardly ever seen all three areas truly working together in the same environment.
What I have noticed is the three areas are at odds with one another.
After reading a couple of recent Government Accountability Office (GAO) reports on the security posture of our government agencies, I have found I am not the only one who has noticed a lack of interoperability between the three security areas. For those of you who are not familiar with the GAO, it's an agency that works for Congress and the American people. Congress will ask the GAO to study federal programs and expenditures in an independent and nonpartisan manner. After an investigation, a report is written that identifies areas of weaknesses and provides recommendations to fix them.
One report in particular noted that the agency they were investigating was particularly weak in the implementation of the managerial and operational controls. Although the agency was diligent in periodic scanning, patch management and the conduct of technical security feature testing, the report noted that they did not track and plan for correction of their non-technical deficiencies.
The GAO report identified several specific areas...
One of the areas was risk management. According to the GAO report, the agency did not annually re-evaluate its network, system, and applications to determine residual risks. This included activities such as the security test and evaluation of the managerial and operational controls, as well as the technical controls, and the tracking and correction of the non-technical findings.
This was particularly disturbing to me, as the determination of risk, and then its minimization, is what information assurance is all about.
The other major trouble spot was a lack of security training and awareness.
It's not that a security training and awareness program did not exist, because it does at this particular agency. The issue was that the security training program was not maintained and updated to keep pace with emerging security trends. There also was no good mechanism in place to keep track of personnel who were trained.
There were other findings as well, but these were the major points.
I have to admit that none of these findings were a huge surprise, and could probably be identified in any government agency at any time. What did surprise me was the agency's response to the report.
Let me provide you a condensed version of the response: They periodically execute vulnerability scans, respond to the identified vulnerabilities and have other such technical controls in place. No mention of the operational or managerial controls.
I have to admit I am amazed that with all the progress we have made in the information assurance field, there could be such a lack of understanding of how the three areas must work together. However, I am hopeful that with the technical security features that are currently available for our systems; the national attention that is being given to security via policies (e.g., FISMA); and the enforcement of these security policies that is slowly but steadily being executed, we may yet get all three areas to interact in a positive manner.
Only then will our networks, systems and applications be truly secured.