Get security help in person or online



From tailor-made Web sites to advisory groups, federal systems administrators needn't look far for answers about computer and network security, Marianne Swanson said at a recent conference.

Swanson, senior adviser for information technology security management at the National Institute of Standards and Technology in Gaithersburg, Md., spoke at the National High-Performance Computing and Communications Council's annual conference in Newport, R.I.

Federal users can submit case studies for posting on the security best-practices site, NIST's Marianne Swanson says.

The Best Security Practices site, at, sponsored by a subcommittee of the Chief Information Officers Council, recounts 16 case studies of agencies' security efforts. Each case study estimates the resources involved and details procurement information and lessons learned.

Federal users can submit case studies to the CIO Council subcommittee, which will review them for appropriateness before posting, Swanson said. An automatically scrolling window on the home page shows the subject areas that the subcommittee is interested in learning about.

For users who prefer to learn about best practices in person, the Federal Computer Security Program Managers' Forum holds bimonthly meetings and has a 300-member e-mail list, Swanson said.

The CIO Council's security subcommittee has produced a risk management guide for managers, Swanson said. The subcommittee also has been developing an IT security assessment framework to help administrators diagnose their security problems, much as they assessed year 2000 vulnerabilities in the late 1990s.

Five levels

The self-assessment framework, which is undergoing final review for release later this year, specifies five levels of IT security program effectiveness, Swanson said. Each level has detailed questions and criteria for determining the effectiveness level.

NIST's Computer Security Resource Center, at, started as a bulletin board service about a dozen years ago, Swanson said.

It contains material about the Advanced Encryption Standard, computer virus alerts and intrusion detection. It also has a section on the international Common Criteria standards for IT security.

Recently the Web site added a section on proper implementation of public-key infrastructure systems. Over the next two months, NIST will add sections on risk assessment, incident handling and firewall policies.

Swanson said the ICAT metabase, at, now lists more than 2,300 known computer and network vulnerabilities with links to patches.

The searchable index is organized according to the Common Vulnerabilities and Exposures naming standards developed two years ago by Mitre Corp. of Bedford, Mass.

