Get security help in person or online

BY PATRICIA DAUKANTAS | GCN STAFF

From tailor-made Web sites to advisory groups, federal systems administrators needn't look far for answers about computer and network security, Marianne Swanson said at a recent conference.

Swanson, senior adviser for information technology security management at the National Institute of Standards and Technology in Gaithersburg, Md., spoke at the National High-Performance Computing and Communications Council's annual conference in Newport, R.I.

Federal users can submit case studies for posting on the security best-practices site, NIST's Marianne Swanson says.

The Best Security Practices site, at bsp.cio.gov, sponsored by a subcommittee of the Chief Information Officers Council, recounts 16 case studies of agencies' security efforts. Each case study estimates the resources involved and details procurement information and lessons learned.

Federal users can submit case studies to the CIO Council subcommittee, which will review them for appropriateness before posting, Swanson said. An automatically scrolling window on the home page shows the subject areas that the subcommittee is interested in learning about.

For users who prefer to learn about best practices in person, the Federal Computer Security Program Managers' Forum holds bimonthly meetings and has a 300-member e-mail list, Swanson said.

The CIO Council's security subcommittee has produced a risk management guide for managers, Swanson said. The subcommittee also has been developing an IT security assessment framework to help administrators diagnose their security problems, much as they assessed year 2000 vulnerabilities in the late 1990s.

Five levels

The self-assessment framework, which is undergoing final review for release later this year, specifies five levels of IT security program effectiveness, Swanson said. Each level comes with detailed questions and criteria for determining which level an agency's program has reached.

NIST's Computer Security Resource Center, at csrc.nist.gov, started as a bulletin board service about a dozen years ago, Swanson said.

It contains material about the Advanced Encryption Standard, computer virus alerts and intrusion detection. It also has a section on the international Common Criteria standards for IT security.

Recently the Web site added a section on proper implementation of public-key infrastructure systems. Over the next two months, NIST will add sections on risk assessment, incident handling and firewall policies.

Swanson said the ICAT metabase, at icat.nist.gov, now lists more than 2,300 known computer and network vulnerabilities with links to patches.

The searchable index is organized according to the Common Vulnerabilities and Exposures naming standards developed two years ago by Mitre Corp. of Bedford, Mass.
