
Information Assurance: Building Public Trust through Secure Government Systems

Marriott at Metro Center
775 12th Street, NW
Washington, DC
Metro: Red Line, Metro Center
May 17, 2001

View the complete Information Assurance Supplement from Government Computer News

 

This “IA” is Your “IA”
Information Assurance is becoming a formal process. Make it your process.

PERHAPS IT MAKES SENSE THAT A CONFERENCE on Information Assurance would try to determine exactly what IA is. Provided, of course, that a fixed definition is possible.

Certainly we can agree that IA is “different things to different people,” as Susan Pequigney, director of federal programs at Internet Security Systems (ISS) Inc., told the conference.

Equally, there is some consensus to navigate by. For instance, just about everyone would agree that security and privacy on the Internet are two of the bigger “things” that IA programs must address.

Be aware (and consoled): the world has confronted this sort of thing before, noted John A. Jauregui, a former military technology expert now a manager in IT security with Peak Consulting.

“Do we think of the Internet as international waters?” Jauregui rhetorically asked the GCN Technology Excellence in Government conference. If so, we need to identify which waters we control and which belong to everyone, he said.
Do international waters begin right outside of our firewall, perhaps?

Jauregui noted that the history of aviation became the history of aviation accidents as flight increased. Then, it became the history of aviation risk mitigation as very exacting processes grew up around air safety — simply because there was so much air flight.

Expect IA in the Internet era to follow a similar pattern. It will become programmatic, embedded, very closely managed, the former Marine Corps official said. The focus on “process” begins now.

Know What You Got

The thing is, IA covers a lot of ground.

“Information Assurance is the ability to provide the right person with the right information at the right time on whatever device that’s relevant,” said Sean Finnegan, a federal security manager with Microsoft Corp.

IA is also the ability to make sure the wrong person — the hacker, the terrorist, the thief, the virus creator, the mischief maker — is kept out of the loop, Finnegan said.

IA is accomplished a lot of ways. “IA from our point of view is being able to provide infrastructure,” said Andrew Lehfeld, a PKI technical consultant with RSA Security. And Public Key Infrastructure is a big piece of the puzzle.

But the puzzle is bigger yet.

Jauregui noted that many organizations “don’t really know what assets they have, so it's difficult for them to know what's at risk.” A key to good IA policy is that agencies know exactly what they have and how vulnerable it is.

Manage What You Got

What you are shooting for is “an acceptable level of risk,” advised Rick Westcott, a senior sales rep with VeriSign Inc. “I say acceptable because no security is 100 percent.”

Just about anyone would tell you that risk mitigation begins by assessing what you have. After that, well, Robert Daniels, a PKI consultant at EDS Corp., advises that you do “penetration testing so as to make sure the sensors are working.”

You do have sensors out there, right? Intrusion detection? A denial of service prevention strategy? A solid password policy? A crisis management plan?

Just about everyone involved in security and privacy will tell you that IA really has to be managed. “The question is, who controls the keys to the kingdom,” asked Michael Pinckney, an account executive with BMC Software.

Pinckney thinks a central authority in your agency should have control over things like password synchronization, audits, adds/deletes/changes and other IA issues. But Daniels of EDS, a former Social Security Administration official, thinks IA often lends itself to distributed management — by necessity.

Infosec Thyself

If IA is “different things” it is also “different strokes for different folks.” That’s partly because systems either run at, or envision running at, variant “levels of trust.”

The conference took a look at systems that seek to meet these levels of trust and federal projects meant to lay down the mandatory infrastructure upon which eGovernment and other New Economy processes can be increasingly leveraged by agencies.

As for infrastructure, some is just emerging and some is well established. As for the established, the National Security Agency’s long-standing Infosec program for performing assessments has been successfully transferred to 500 experts now working in the public and private sector, said Wilbur Hildebrand, chief of NSA’s Vulnerability Assessment Services.

Long before GAO or the local IG or anyone else shows up to hold your security system’s feet to the fire, you can hire an Infosec expert to confidentially assess your system and ferret out weaknesses. Visit www.iatrp.com for more information.

As for systems and programs now emerging, that’s what the rest of this supplement is all about.

The conference, Information Assurance: Building Public Trust Through Secure Government Systems, was presented by the Council for Excellence in Government, the Digital Government Institute, GCN and Post Newsweek Tech Media Group.