IT Security - GovITwiki

IT Security

Introduction to IT Security

Latest News
The National Institute of Standards and Technology (NIST) has released a draft of its Guidelines on Securing Public Web Servers. This publication, known as NIST Special Publication 800-44, contains NIST's recommendations on how to configure and secure web servers used by government agencies. It is a second draft, following the initial publication from 2002.

Comments on the draft can be filed with NIST until July 6, 2007, by e-mail to 800-44comments@nist.gov. Messages should carry "Comments SP 800-44" in the subject line.


History of Information Technology Security in Government

Early government computer security was little more than physical security and secrecy: managers of the first government computer systems limited who could reach the machines, and exactly how the systems were being used was kept secret. As computer networking grew, so did concern about protecting system access by other means.

The National Institute of Standards and Technology (NIST) keeps an interesting archive of papers from the early days of computer security.

Current Situation

The Federal Information Security Management Act (FISMA) of 2002 provides a framework for IT security controls and attempts to coordinate efforts across civilian, Department of Defense, Homeland Security and law enforcement agencies. It provides a structure for the cooperative development and maintenance of federal information system security, while leaving agencies free to choose their own specific technical solutions and products.

Federal Enterprise Architecture Security and Privacy Profile
The FEA SPP is voluntary guidance applicable to any Federal government agency. Instead of setting specific technical requirements, it provides best practices and recommendations to promote the successful incorporation of security and privacy into a government organization’s enterprise architecture and to ensure appropriate consideration of security and privacy requirements in agencies’ strategic planning and investment decision processes.

The Federal Chief Information Officers Council published initial versions of the Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) in July 2004 and July 2005. The current version of the methodology (Version 2.0) was published in June 2006. [1]

Information Assurance Technical Framework

The Information Assurance Technical Framework Forum (IATFF) is a National Security Agency (NSA) sponsored outreach activity created to foster dialog amongst U.S. Government agencies, U.S. Industry, and U.S. Academia seeking to provide their customers solutions for information assurance problems.

The forum serves to increase awareness of available security solutions and allows attendees to establish contacts with other individuals and organizations dealing with similar problems.

Information Assurance Technical Framework Forum

Security Essential Body of Knowledge

The Department of Homeland Security recently published a draft framework of the knowledge and skills it believes the United States needs to prevent cyberattacks. The draft, entitled

Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development, is the output of the National Strategy to Secure Cyberspace, whose Priority III stated:

DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. DHS and other federal agencies can aid these efforts by effectively articulating the needs of the federal IT security community

Draft Security Essential Body of Knowledge

The Einstein Program
The Department of Homeland Security has set up the Einstein Program to share information across agencies on security breaches and known vulnerabilities.

Federal Information Processing Standards
Our FIPS page has the details.

Latest IT Security News

Most Common Procurement Methods


Closely related to Information technology governance


Related Links

NIST offers a very detailed document titled the Guide for Developing Performance Metrics for Information Security: Recommendations of the National Institute of Standards and Technology. It provides advice for security, configuration management issues, and different types of risk management for government IT systems.

Of growing interest, as agencies come to rely on wireless handheld devices, are the Security Technical Implementation Guides (STIGs) and supporting documents published by the Defense Information Systems Agency (DISA). The STIGs and the NSA configuration guides are the configuration standards for DoD information assurance (IA) and IA-enabled devices and systems. A security checklist (sometimes called a lockdown guide, hardening guide, or benchmark configuration) is a document containing the instructions or procedures used to verify that a system meets a baseline level of security. Security Readiness Review (SRR) scripts automate testing of products for STIG compliance; they are available for every operating system and database that has a STIG, and for web servers running IIS. The SRR scripts are unlicensed tools developed by DISA's Field Security Office (FSO), and their use on products is entirely at the user's own risk.
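To make concrete what a checklist-verification script does, here is an added example written for this page; it is not a DISA SRR script and its item identifiers (SSH-01 to SSH-03) are hypothetical, not real STIG IDs. It assumes only POSIX sh with awk, ls, cut and tr, and it tests a constructed sample sshd_config rather than any real host. The second check deliberately exercises a common mistake: sshd honours the first occurrence of a keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" does not take effect, and a naive grep for the hardened line would wrongly report a pass.

```shell
#!/bin/sh
# Added example (not a DISA SRR script): checklist-style compliance checks in
# POSIX sh, in the spirit of an SRR verifier. Item IDs are hypothetical.

# check_sshd_option FILE KEYWORD EXPECTED
# Pass (return 0) when the first uncommented KEYWORD line in an sshd_config
# sets EXPECTED. sshd uses the first occurrence of a keyword, so later
# duplicates are ignored. Keyword and value are compared case-insensitively.
check_sshd_option() {
    got=$(awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1")
    [ "$got" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# check_owner_only FILE
# Pass when FILE grants no permission bits to group or other (mode 0?00).
# Parses the ls mode string, which works on both GNU and BSD userland.
check_owner_only() {
    mode=$(ls -ld "$1" | cut -c2-10)        # e.g. rw-------
    case "$mode" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# item NAME COMMAND [ARGS...]
# Print one PASS/FAIL line like an SRR results report; return COMMAND's status.
item() {
    name=$1; shift
    if "$@"; then echo "PASS  $name"; return 0; fi
    echo "FAIL  $name"; return 1
}

# run_checks SSHD_CONFIG
# Run the checklist against one sshd_config; return the number of failed items.
run_checks() {
    failed=0
    item "SSH-01 sshd accepts protocol 2 only"           check_sshd_option "$1" Protocol 2          || failed=$((failed + 1))
    item "SSH-02 root login over ssh is denied"          check_sshd_option "$1" PermitRootLogin no  || failed=$((failed + 1))
    item "SSH-03 sshd_config readable by owner only"     check_owner_only  "$1"                     || failed=$((failed + 1))
    return $failed
}

# Constructed sample (not from any real host): a weak config whose hardened
# "PermitRootLogin no" line comes too late to be honoured, and a 0644 mode.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sshd_config
Protocol 2
PermitRootLogin yes
PermitRootLogin no
EOF
chmod 644 "$sample"

n=0
run_checks "$sample" || n=$?
echo "failed items: $n"        # expect SSH-01 PASS, SSH-02 FAIL, SSH-03 FAIL, 2 failed
rm -f "$sample"
```

The exit status of run_checks is the failure count, so the same script drops into a larger review run (non-zero means the host is out of baseline). Extending it to more items is a matter of adding one item line per checklist entry; the harder part, as the first-occurrence check shows, is matching how the product actually parses its configuration rather than just searching the file for the expected text.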

The Information Technology Resources Board (ITRB) has produced an interesting document titled A Balanced Approach to Managing Information Risk in an Unfriendly World. It discusses what it means to provide cost-effective information risk management for government systems.

Management Profile

Currently most chief security officers report to either the chief information officer or the chief technology officer of their agency. There are informal cross-agency meetings and best practices for system security, but it is difficult to make a universal set of system security rules because of the wide differences in government systems and business processes.

Security managers must balance risk-management and continuity-of-operations pressures against the ongoing need for agencies to interoperate and share data.

This page needs to be expanded. If you know about this technology area and how the government buys and uses this technology, please feel free to add to this page. Please make sure that all entries are free from political ideology and that your entries are factual and documented with external references.

In a hurry? Just add some details to one section if you know about this topic.


[1] Quoted from the FEA SPP document.
