North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)
On Tue, 7 Oct 2008, Valdis.Kletnieks@xxxxxx wrote:
You don't want "the securest implementation". You want one that's "secure enough" while still allowing the job to get done. You also don't want to be *paying* for more security than you actually need. Note that the higher price paid to the vendor isn't the only added cost of too much security.
The most recent (September 15 2008) US Government DNI directive about IT systems security includes the concept of appropriate risk management.
http://www.dni.gov/electronic_reading_room/ICD_503.pdf D. POLICY 1. Risk Management a. The principal goal of an IC element's information technology risk management process shall be to protect the element's ability to perform its mission, not just its information assets. [...] b. [...] For example, a very high level of security may reduce risk to a very low level, but can be extremely expensive, and may unacceptably impede essential operations.
In practice, it often turns out a "secure" system that is unusable for its mission is both insecure and unused because people start using other ways that bypass the "secure" system just to get the job done.
So back to my original questions, what advice would you give to the US Government about protecting and defending its networks to maintain
its capability to perform. And how can it be sure its getting what
it paid for.