Yet another bad grade for government security

Government employees got a D for IT security awareness in a study by PentaSafe Security Technologies Inc.

About 1,400 workers at 600 organizations scored an average 65 out of 100 on an awareness index developed by the Houston company. Government employees accounted for 20 percent of the respondents. The index, which will come out every six months, was released today at the RSA Conference 2002 in San Jose, Calif., hosted by RSA Security Inc. of Bedford, Mass.

Seven of eight government and industry sectors identified in the survey received a D grade, and one critical sector, the communications industry, had a failing grade of 45.

"One of the most striking results is how poorly most workers score when it comes to security awareness," said Todd Tucker, PentaSafe's director of security architecture and strategy.

Security awareness is one of six critical areas of weakness identified in a Feb. 13 report to Congress from the Office of Management and Budget [see story at].

OMB found across-the-board weaknesses in IT security at agencies. Although the Computer Security Act of 1987 mandates security training, "some agencies and large bureaus reported virtually no security training," OMB's report said. "Government employees must understand their responsibilities before being held accountable for them."

According to OMB, the Defense Department is doing the best job of educating its personnel, who are required to take training and be certified before gaining access to systems. OMB is working with the Critical Infrastructure Protection Board and the CIO Council to develop other training programs.

Respondents to the PentaSafe study received uniformly low scores for awareness regardless of job responsibility. Even information security workers scored only 69.8, the equivalent of a high D. Nearly half of those surveyed said they never received formal awareness training, and only one in five had training in the last six months.

The online survey, available at, has two phases. First, the chief security officer of an organization is quizzed on policy and practices for training employees in information security. The security officer then tests employee awareness by e-mailing them the survey link. As employees respond, an awareness index score is compiled for the organization. PentaSafe periodically will release aggregate index scores.

The first report concluded that organizational practices are primarily responsible for the low grades. Organizations should classify information according to its importance, establish policies for securing it, make policies easily accessible and require employees to agree to the policies, the report said.

About the Author

William Jackson is a Maryland-based freelance writer.
