Posted by Bob Craig - Dir Prod Marketing on Thu, Jul 23, 2009
Recently the U.S. Government Accountability Office (GAO) sent a very disturbing report to Congress concerning federal agencies' compliance with the Federal Information Security Management Act (FISMA). To quote from the report:
"Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies. Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk."
Some of the areas of deficiency include:
Access Controls: At least 23 major federal agencies had access control weaknesses during fiscal year 2008. ...agencies did not consistently identify and authenticate users to prevent unauthorized access; enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; log, audit, and monitor security-relevant events...

Accounts and password management: ...certain agencies did not adequately enforce strong password settings, increasing the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information, ... [did not] enforce periodic changing of passwords or use of one-time passwords or passcodes, and transmitted or stored passwords in clear text.

Segregation of Duties: At least 14 agencies did not appropriately segregate information technology duties...

Policy weaknesses: Thirteen agencies had weaknesses in their information security policies and procedures...
Not surprisingly, the number of reported incidents has risen dramatically over the past three years, from 5,503 incidents reported in fiscal year 2006 to 16,843 in fiscal year 2008 (an increase of slightly more than 200 percent). Some of the incidents described by the GAO include:
- Dept. of Transportation: audit staff gained unauthorized access to ... sensitive personally identifiable information.
- FAA: employee personal identity information ... stolen electronically
- Office of Personnel Management: USAJOBS database illegally accessed and contact and account data taken
- Federal Emergency Management Agency: a spreadsheet with data that included applicant names, Social Security numbers, addresses, telephone numbers, e-mail addresses, and other information on disaster applicants was posted to the Internet
- Securities and Exchange Commission: has not always consistently enforced strong controls for identifying and authenticating users [or] sufficiently restricted user access to systems.
The 66-page report continues with a litany of additional planning, testing, training, certification and monitoring failures.
The federal government must get serious about adopting an Access Assurance strategy that keeps sensitive data, including personally identifiable information, safe from unauthorized access. This includes:
- Implementing robust password management processes and procedures
- Deploying authorization controls to eliminate violations of the principle of least privilege
- Better managing access rights to critical systems, including promptly terminating accounts belonging to employees and contractors who are no longer employed by the government
- Defining and enforcing segregation-of-duties and other policies designed to reduce or eliminate fraud and waste
- Configuring activity monitoring so that users' security-relevant actions are logged and reviewed
- Testing and installing software patches on a timely basis to protect against known vulnerabilities
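Three of the items above (terminating accounts of departed staff, enforcing segregation of duties, and monitoring for accounts that are never used) can be checked mechanically once the HR roster and an application's account export are side by side. The following is an added example, not code from the original post or from Courion's products, showing such a reconciliation. The roster, account list, entitlement names, segregation-of-duties rule and review date are all constructed sample data, not figures from the GAO report.

```python
"""Added example: reconcile an application's account export against the HR roster.

Flags (a) orphaned accounts whose owner is not an active person in HR,
(b) accounts whose combined entitlements violate a segregation-of-duties rule,
and (c) accounts that have been idle longer than the review threshold.
All data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str            # HR identifier of the person the account was issued to
    entitlements: frozenset  # entitlement names as exported from the target system
    last_login: date | None  # None means the account has never been used


# Constructed HR roster (assumed export format: id -> (status, separation date)).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("active", None),
    "C200": ("separated", date(2009, 5, 15)),  # contractor whose engagement ended
    "E102": ("active", None),
}

# Constructed account export from a hypothetical payments application.
ACCOUNTS = [
    Account("alee", "E100", frozenset({"vendor.create"}), date(2009, 7, 20)),
    Account("bkim", "E101", frozenset({"vendor.create", "payment.approve"}), date(2009, 7, 1)),
    Account("ctran", "C200", frozenset({"report.view"}), date(2009, 5, 10)),
    Account("svcacct", "X999", frozenset({"payment.approve"}), None),  # owner unknown to HR
    Account("dpatel", "E102", frozenset({"report.view"}), date(2009, 2, 1)),
]

# Constructed segregation-of-duties rules: one account must not hold every
# entitlement in a toxic combination.
SOD_RULES = {
    "create vendor and approve payment": frozenset({"vendor.create", "payment.approve"}),
}

# Assumed date of the access review.
TODAY = date(2009, 7, 23)


def find_orphans(accounts, roster):
    """Accounts whose owner is missing from HR or no longer active."""
    orphans = []
    for acct in accounts:
        record = roster.get(acct.owner_id)
        if record is None:
            orphans.append((acct.username, "owner not in HR"))
        elif record[0] != "active":
            orphans.append((acct.username, f"owner {record[0]} {record[1]}"))
    return orphans


def find_sod_violations(accounts, rules):
    """Accounts holding a complete toxic combination of entitlements."""
    return [
        (acct.username, name)
        for acct in accounts
        for name, combo in rules.items()
        if combo <= acct.entitlements
    ]


def find_stale(accounts, today=TODAY, max_idle_days=90):
    """Accounts never used or not used within max_idle_days of the review date."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a.username for a in accounts if a.last_login is None or a.last_login < cutoff]


def certification_report(accounts=ACCOUNTS, roster=HR_ROSTER, rules=SOD_RULES, today=TODAY):
    """Bundle the three checks into one review package."""
    return {
        "orphans": find_orphans(accounts, roster),
        "sod_violations": find_sod_violations(accounts, rules),
        "stale": find_stale(accounts, today),
    }


if __name__ == "__main__":
    for section, findings in certification_report().items():
        print(f"{section}:")
        for finding in findings:
            print(f"  {finding}")
```

Each finding maps back to a reviewer action: orphaned accounts are disabled, segregation-of-duties hits go to the business owner for a decision, and stale accounts are candidates for removal. Running the same reconciliation on a schedule, rather than once a year before an audit, is what turns the list above from policy into practice.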
Posted by Bob Craig - Dir Prod Marketing on Thu, Jul 02, 2009
According to the Merriam-Webster dictionary, "specious" means "having a false look of truth or genuineness." This is a strong word to use when discussing the strategy of a multi-billion dollar software vendor, yet that's exactly the word Anne Thomas Manes used to describe the Oracle Fusion Middleware 11g announcement on July 1.
As the market is increasingly coming to realize, the strategy of the stack vendors (including Oracle, IBM, Sun, CA and others) is to dominate their customers' IT infrastructure, from desktop to data center and everything in between.
This is why we say "Hallelujah" when we see Ms. Manes flatly declare:
"As alluring as the one-stop shopping strategy is, organizations must learn to just say 'no'. The reality is that no one has an entirely homogeneous environment. Oracle claims that Enterprise Manager supports end-to-end business process monitoring, but the concept breaks down if the process includes a .NET service or a third-party COTS application. A better solution is a management strategy that embraces diversity. Diversity in IT systems is a fact of life."
Courion's philosophy from the beginning has been to embrace the fact that every customer's IT environment is unique, heterogeneous and diverse. One reason we are able to compete effectively against much larger vendors is precisely because our Access Assurance solutions are designed to work with whatever the customer has in place.
Kudos to Ms. Manes for pointing out that this emperor has no clothes!