Tag Archives: Security


Privacy vs. Security

The AFCEA Global Intelligence Forum was scheduled for this June but given the ongoing debate in Congress on the conference topic and the FY13 budget uncertainties, the event has been postponed. Nevertheless, they have proposed some interesting questions:

• What does it mean to be a citizen of the information nation?
• Who are the protectors of that nation and what is the appropriate balance between personal privacy and public security?
• Is the choice between security and privacy a false one? Can technology itself enable safe and secure citizenship?
• Who and how should the ethics of information technology be determined? How does the next generation – the generation of cyber “citizens” – view the issue of privacy and security?

It is easy to believe that there are more questions than answers but that is not a particularly useful ground to stand on for analysis. Let’s explore these questions.

Cloud and Continuous Monitoring

Continuous monitoring involves assessing an agency’s information security posture based on changes to risk resulting from new threats or newly discovered vulnerabilities. The National Institute of Standards and Technology’s (NIST) Guide for Applying the Risk Management Framework to Federal Information Systems (Special Publication 800-37, Revision 1) specifies continuous monitoring as one of the six steps in information security. As agencies begin looking at cloud initiatives, the challenge is implementing a continuous monitoring program that reduces risk and ensures compliance with NIST and other relevant guidance in an environment of decreased control. The solution begins with knowing where compliance ends and risk begins.

Government Cloud Pushback

A recent New York Times article spells out the issues around federal cloud computing adoption, explaining “such high praise for new Internet technologies may be common in Silicon Valley, but it is rare in the federal government, where concerns about security are paramount”. Agencies are notably concerned about losing responsibility for managing and securing data, as well as the possibility of cloud outages. However, there are agencies with fewer concerns about security breaches and they have been busy moving user accounts and email services to the cloud environment. For example, the Agriculture Department has already moved about 46,000 employee accounts and is in the process of adding another 120,000. NASA has also made the migration by launching their own internal Nebula cloud computing platform. This platform provides a range of services powerful enough to manage all of NASA’s large-scale scientific data sets.

Risk as a Calculation

The problem is that we don’t typically have a disciplined methodology for arriving at a plan of action. Consider the following: You have to know what the loss is that you are trying to avoid. Sound simple? I assure you that most money is spent protecting assets without any regard to the loss that they represent. Remember, it’s not the laptop computer that you are protecting per se. It is the monetary value of some aspect of that asset. It could be the replacement cost of the asset. Do you think that would change your view of what was needed as a control? Of course! The replacement value of the computer is only a factor if you physically lose the computer or it is broken through physical damage. Anti-theft devices, padded carrying cases, and security awareness training for employees are all possibilities, but if the cost of these measures exceeds the cost of the computer then I’m guessing that you wouldn’t be likely to apply them. You may do some but not all, and it would depend on analysis of which would represent a greater cost reduction.

Security Basics: Managing the Threat Part 4

(Network Access Control and Gateway Protection) In previous blogs we talked about the need to educate end users, knowing the details of what activity is occurring on your network, and managing the threat through compliance. In part 4, we’re going to talk about protecting your network and web/email traffic. First let’s talk about Network Access Control. Most enterprises have widespread networks across multiple locations with hundreds or thousands of network ports at each. Protecting these networks gives you peace of mind that a rogue machine will not get on the network and potentially capture data or cause disruptions. Another way to think of this is network endpoint compliance. Compliant machines get access to the network.