[infowar.de] First report on the IT security of US government agencies published
The agency reports from which the report was compiled are required
annually under the "Government Information Security and Reform Act of 2000".
The first report is available at
GovExec.com, February 14, 2002
Report stresses management's role in boosting cybersecurity
By Joshua Dean
- govexec -
Based on a review of agencies' self-reported cybersecurity weaknesses,
the Bush administration has pledged to ensure that cybersecurity is a
management priority and will devote extra funding to plug the
government's IT security holes, according to a report released Wednesday
by the Office of Management and Budget.
The release of the report ends the first round of reporting under the ,
which requires annual program reviews and audits of information security
practices by agency inspectors general.
The first internal reviews were due to OMB by October 2001. OMB sent its
overview of the security gaps reported by agencies to Congress
According to the report, agencies have a long way to go in fixing their
cybersecurity weaknesses. The report emphasized that security is an
"essential management function." Therefore, it said, program
officials, not just security officers and chief information officers, are
"primarily responsible for ensuring that security is integrated and
funded within their programs and tied to program goals."
OMB found six main deficiencies in agency cybersecurity efforts, most of
which focus on management rather than technology:
- Senior managers do not currently view cybersecurity as a priority.
"[Security] is a management function, which must be embraced by each
federal agency and agency head," the report said.
- Program officials are not being evaluated on how well they integrate
security into their systems. "Virtually every agency response regarding
performance implies that there has been inadequate accountability for
job and program performance related to IT security," the report said.
- Agencies are doing a poor job of educating their employees about the
importance of cybersecurity. "Some agencies and large bureaus reported
virtually no security training," the report said.
- Agencies are still working to integrate security into the budget and
planning process. "[Agency] officials must ensure [security] is built
into and funded within each system and program through effective capital
planning and investment control," the report said.
- Agencies are not including adequate security requirements in IT
contracts. "Given that most federal IT projects are developed and many
operated by contractors, IT contracts need to include adequate security
requirements," the report said.
- Security incidents and intrusions are not being detected or reported
to interagency security groups. "Far too many agencies have virtually no
meaningful system to test or monitor system activity and therefore are
unable to detect intrusions, suspected intrusions or virus infections,"
the report said.
OMB used the GISRA findings to justify an increase of approximately $1.5
billion in the federal cybersecurity budget.
In fiscal 2002, agencies spent $2.7 billion on cybersecurity. According
to the president's fiscal 2003 budget
(http://www.whitehouse.gov/omb/budget/fy2003/budget.html), which was
released last week, agencies are expected to spend about $4.2 billion on
cybersecurity in the next fiscal year.
In fiscal 2002, the majority of federal agencies reported spending
between 2.1 percent and 5.6 percent of their total IT budget on
security. Of the 24 largest federal departments and agencies, five
reported spending between 7.3 percent and 17 percent of their total IT
budget on security. Another five reported spending just 1 percent to 2
percent of their total IT budget on security.
Beyond increased funding, OMB has included cybersecurity as a key
component to successful e-government in its management scorecard
(http://www.govexec.com/dailyfed/0202/020402ts1chart.htm), a series of
grades in five key categories of management included in the
In addition, OMB has sent letters to department and agency heads about
making cybersecurity a management priority and a key responsibility for
employees beyond the IT staff. "Security is the responsibility of every
employee in the agency," the report stated. "There must be consequences
for inadequate performance."
In response to the October 2001 reports, OMB is now requiring agencies
to submit plans to correct every cybersecurity weakness reported by the
agency, its IG and GAO.
Furthermore, OMB is now requiring all large agencies to conduct a
"Project Matrix" review. Project Matrix is a program developed by the
White House's Critical Infrastructure Assurance Office to help with
governmentwide disaster recovery planning. The program includes a
template to help agencies identify their assets that are critical to the
nation's economic and physical security and their dependencies on key
services such as power and communications.