A majority of government organizations taking a recent survey by security education provider SANS Institute said they have adopted the Critical Security Controls (CSCs), a roadmap of 20 best practices for computer security developed by a public-private consortium.
The CSC project was initiated in 2008 as a response to extreme data losses experienced by U.S. defense firms.
This year’s survey found 90 percent of organizations used the roadmap, with government and financial-sector-based industries leading the pack. The results run well ahead of a similar 2013 SANS survey, which showed a 73 percent adoption rate, according to SANS.
"Organizations across a broad range of industries are making steady progress toward adopting, integrating and automating the CSCs," said SANS analyst James Tarala, author of the survey results paper.
Even so, there are problems limiting adoption of all of the controls, he said. Staffing issues, lack of budget and silos that limit communication between IT security and operations remain barriers that adopters encounter, according to Tarala.
These are key problems identified in last year's survey that haven't gone away, according to the Institute.
Not all organizations have adopted all of the controls, nor are they following the order in which the controls are currently listed (1-20). But of those able to measure improvement, 16 percent said the controls improved their risk posture and 11 percent said they improved their ability to detect advanced attacks.
Tony Sager, director of the SANS Innovation Center and chief technologist for the Council on CyberSecurity, said the organization was working on guidelines and case studies, a resource requested by two-thirds of the survey respondents.
"The Controls are not about having the best list of things to do – they are about members of a community helping each other improve their security," according to Sager. Full results of the survey will be shared during a Sept. 9, 2014, webcast at 1 p.m. EDT.
Posted on Sep 08, 2014 at 9:41 AM
Security education provider SANS Institute released 27 updated information security policy templates government agencies can use to ensure their security policies are practical, up-to-date and reflect real-world experience.
The refreshed policy library removes policies that are no longer needed, adds those covering new technologies and new threats and updates policies to reflect changes in practice.
The update was produced by a team of security industry professionals chaired by Michele D. Guel, a senior security architect at Cisco Systems, and a 26-year veteran of the cybersecurity industry.
The templates can be downloaded from the SANS Security Policy Project.
For general policies, titles include Acceptable Use, Acceptable Encryption, Password Construction, Password Protection, Email Use, Disaster Recovery Plans, and Security Response Plans.
In the network security arena, users will find templates for policies on Remote Access, Router and Switch Security, Wireless Communications and Standards, and the Assessment of Potential Acquisitions.
Server security templates include policies covering Database Credentials, Technology Equipment Disposal, Lab Security, and Software Installation. The template library also includes a Web Application Security Policy template.
The templates are often generalized versions of policies developed for and used by government agencies and corporations.
"The Policy Project site allows organizations to create better policies, faster, by starting from a proven set of templates,” said Alan Paller, director of research at the SANS Institute. “It also helps ensure their own policies have sufficient scope and depth relative to those included in the library.”
Posted on Sep 05, 2014 at 7:59 AM
As agencies increasingly migrate to the cloud in search of security and savings, their potential industry partners are stepping up to supply the increased security features demanded by federal customers.
This week, AT&T announced Synaptic Storage as a Service (STaaS) for Government, a multi-tenant community cloud that has the same features as AT&T's commercial cloud storage offering but adds further security controls, the company said in its announcement.
Among the security enhancements are:
- Storage towers that are physically separated from other users' towers in the data center.
- A separate logical cloud for government data, so that government customer data does not co-exist with commercial data.
- A separate cloud portal partition for government agencies.
- RSA hard tokens for two-factor authentication, assigned to all government agency customers and their authorized users.
"Federal agencies want the mobility, collaboration, information sharing and efficiency that cloud offers but they can't afford to adopt cloud solutions that sacrifice performance, reliability and above all, security," said Kay Kapoor, president, AT&T Government Solutions.
"Our new STaaS for Government offer delivers the key attributes federal buyers require and allows them to move to the cloud with ease and confidence."
Posted on Sep 03, 2014 at 10:22 AM
The National Geospatial-Intelligence Agency (NGA) awarded Leidos Inc. a contract potentially worth $20 million to provide digital mapping production services to the national security and geospatial intelligence communities.
Leidos, which describes itself as a national security, health and engineering solutions company, provides production services for imagery, map-based intelligence and geospatial information for national security projects. It also supports the National System for Geospatial Intelligence, the collection of technology, policies and programs needed to produce geospatial intelligence in an integrated environment, the company said.
Under the single-award, indefinite delivery requirements contract, Leidos will work on production flow efficiencies and improved customer services for producing mapping deliverables to the intel community. It will also provide online and on-demand capabilities to the mapping production process, according to the company.
Leidos said its team will produce digital and plate-ready, standard and non-standard NGA geospatial intelligence mapping for navigation planning charts as well as digitized and compressed raster graphics.
“We look forward to providing global products … as well as services designed to further automate and streamline NGA's effort to deliver global products to its customers,” said Leidos Group President Larry Hill.
Posted on Aug 29, 2014 at 7:49 AM
Massachusetts will soon have a statewide emergency services system that will let first responders communicate in real time using Internet Protocol formats.
The Massachusetts State 911 Department awarded General Dynamics Information Technology a contract to build, install and operate an IP-based system that will help the commonwealth’s public safety community integrate new technologies, including smart phones, texting, video and web services into its first-response arsenal.
Massachusetts Public Safety Secretary Andrea Cabral said the new system "will effectively transform our analog-based system into an IP-based system, making it compatible with today's changing technology and communication methods."
The deal equips the commonwealth to move to a statewide next-generation 911 system that complies with the National Emergency Number Association's i3 architecture standards, which establish nationwide interoperability for the system and will speed information sharing with first-responder teams, officials said.
General Dynamics will replace Massachusetts' legacy Enhanced 911 (E911) emergency call-handling system with a secure, IP-based NG911 system. The new protocols clear the way to receive emergency service requests from existing public networks as well as from new applications and devices, according to the company. Data from geographic information systems, for example, will be integrated into all emergency service requests to accurately map a caller's location and route calls to public safety answering points.
The company will also train more than 6,000 Massachusetts police, fire and dispatch workers and other emergency service organizations.
"This vitally important system transition enhances the safety of 911 users in the Commonwealth by allowing the public better, easier access to emergency responders," Cabral said.
General Dynamics said it has launched more than 50 E911 systems into service, including the recent transition of the E911 system in Morgan County, Ohio, to a NG911 network.
Posted on Aug 28, 2014 at 9:09 AM