[attrition] Article: The Joke Known As Federal IT Security Oversight (fwd)

security curmudgeon jericho at attrition.org
Mon Mar 22 14:18:22 EST 2004


The Joke Known As Federal IT Security Oversight
Richard Forno
www.infowarrior.org

17 March 2004
Copyright (c) 2004 by Author.  Permission granted to reproduce with credit.

Source w/in-line URLs: http://www.infowarrior.org/articles/2004-07.html.

Over the past several years, various Washington entities, from the General
Accounting Office to assorted Congressional committees, conducted surveys
and issued reports on the state of the federal government's information
security posture.  In each case, with few exceptions, the findings range
from the scathing to the downright embarrassing, and remain essentially
unchanged since the mid-1990s.

Like any other issue involving government oversight, this process has
become an annual Washington tradition - the reports are released; there's
back-and-forth blather in Congress about how we need "to do more" to
secure our federal networks; agency leaders and CIOs are called to testify
on the Hill; some more blather, and perhaps a piece of legislation is
introduced and dies before reaching the floor; and then the issue recedes
into digital memory until next year's survey results are released -- and
the process begins anew, with little or nothing really changing.

It's no different than our annual visit to the dentist. We know he's going
to admonish us to brush more and cut out the sweets, and we know that
we're going to be embarrassed or uncomfortable as he tells us this to our
face and makes notes in our patient file, but we endure it year after
year, because it's something we have to do for good oral hygiene.  Of
course, we ignore his advice because it's inconvenient and, besides, candy
is a tastier snack than celery.

This seems to be the approach taken by the majority of the federal
government when dealing with the security of federal information
systems....

< - snip - >

http://www.infowarrior.org/articles/2004-07.html



