Evans touts Energy IT security standard
- By Michael Hardy
- Sep 23, 2003
A coalition of government agencies has created a security configuration benchmark for two Oracle Corp. products that could provide a governmentwide model for future contracts.
The benchmark is a compilation of more than 250 security configuration recommendations to guide agencies and Oracle in implementing the products, said Karen Evans, chief information officer for the Energy Department who was recently picked to head the Office of Management and Budget's e-government efforts.
Energy led development of the benchmark for Oracle Database versions 8i and 9i on the Microsoft Corp. Windows and Unix operating systems, Evans said.
The idea is to standardize installations so that security features that can vary will remain constant from one to the next.
In order to have easy installation, "a lot of security features are turned off" by default, Evans said. The question that information technology leaders face, and which the benchmark answers, is which ones need to be on and how they should be configured. In some cases, like Energy's Oracle relationship, vendors might ship products already set according to the benchmark.
Energy developed the benchmark with the Homeland Security Department, National Security Agency, General Services Administration and the Defense Information Systems Agency. The Center for Internet Security aided in its development and is now working on a scorecard for agencies to use in assessing whether their own systems comply with it.
"Every time we can raise the security bar, every time we can raise the awareness of people, we should recognize that," said Bob Lentz, director of information assurance at the Defense Department at a Sept. 23 ceremony to announce the benchmark.
Evans said the benchmark can now be incorporated into governmentwide enterprise licenses.