Letters to the editor

Real security comes with processes, not patches

Your June 14 editorial, "Time to apply a patch," correctly highlights the fact that patch-management services have not eradicated problems such as worms and viruses in government systems.

The issue, however, is not really one of whether agencies should be forced to subscribe to patch-management services or left to their own devices, but rather whether agencies effectively implement the end-to-end business processes that permit them to identify, prioritize and resolve security problems.

The issue of managing changes to information systems is a core discipline that transcends the needs of information security. For an organization to be successful in patch management, the following components must be in place:

  • Threat awareness — Agency officials must understand the nature and intensity of threats to their information technology assets.
  • Vulnerability awareness — Agency officials must understand the actual susceptibility of IT assets to attack.
  • Asset identification and valuation — All IT assets must be clearly identified and cataloged by actual valuation, priority, location, services, software and firmware patch levels.
  • Analysis and correlation engine — Threat, vulnerability and asset information must be distilled into a risk score that characterizes the overall level of risk associated with the correlation of these three vectors and that dictates the priority for action.
  • Problem management and resolution — Once the need for action is determined, a workflow must be created to support management and resolution of the problem.

Eddie Schwartz

Senior Architect

netForensics Inc.

No more purchase requirements

In response to your May 31 article titled "Tightening the screws," I must say that the reporter's information is old.

Management practices have tightened up so much that it is now quite tedious to use a purchase card. All in all, this out-of-control system now requires three signatures, storing a minimum of five sheets of paper for three years and mandatory retraining every six months because of new congressional mandates.

I now spend at least an hour reconcilling, justifying and documenting each item purchased. Please don't encourage Congress to add more requirements.

Jim Hochstein

Unprofessional review

After looking at the charts for the "Click. Are you available?" article in the June 7 issue, I believe there are significant flaws in your comparison.

For example, IBM Corp.'s Lotus product, which costs $47.59 per user plus a one-time server cost to buy the software, got four stars for price. Microsoft Corp.'s product got four stars for price, and it costs $75 to $150 per user per month. WebEx Communications Inc.'s product got five stars for price, yet costs $83 per user per month. This makes no sense.

Additionally, Microsoft got five stars for usability and performance, yet doesn't have audio and video support (the others do), and it only works on Windows with Internet Explorer. The others are much more flexible.

Also, you mention the platforms for Lotus but fail to do so for WebEx and Microsoft. Plus, you don't provide the rationale behind any of the stars.

With reviews like this, the objectivity and credibility of FCW are really in question. This was a very unprofessional review.

Boyd C. Fletcher

Reviews Editor Patrick Marshall responds:

Instead of overall grades, we have opted for a five-star scoring system that rates products in certain categories as a general guide to the products' relative strengths and weaknesses. We count on the discussion in the review to provide the details for readers to decide whether a given product deserves a closer look in light of their particular needs.

Due to space constraints, we can't provide all the details of the assessments. Your questions about the ratings are a good example of this. Here are a few more details related to the observations in the article.

For pricing, Lotus received four stars because organizations must factor in the cost per user plus additional licensing costs per server. There are also annual costs for support and upgrades.

On the service side, Microsoft's base cost may be lower per month, but this is just for the base service. The price for WebEx is flat with all the features enabled, so it is rated higher in value.

Microsoft received good marks for usability and performance because its service, though limited to Internet Explorer and lacking features such as video, did perform well. In addition, the Microsoft service was easy to use.

As for whether platforms should be cited for WebEx and Microsoft, that's semantics. Because theirs are Internet services rather than installable products, the platform is a nonissue. To avoid confusion, we cited their platform as "Internet."

Know your geography?

The Flip Side section in your July 5 issue included a "Know your history" piece on the National Constitution Center. You're lucky the article pointed readers to the center's Web site, because if they were planning to go in person, your article would have sent them about 200 miles off course. The center is located in Philadelphia, where the original Constitution was written — not Washington, D.C., as the article indicated.

Joe Schanne

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above