GAO offers security guide
- By Diane Frank
- Mar 15, 2004
"Information Security: Technologies to Secure Federal Systems"
The 18 types of security technology available in the commercial market can help agencies protect their systems and information, but they are still only the beginning of a comprehensive security management process, according to the General Accounting Office.
In a report released today that essentially serves as a catalog and explanatory guide, GAO officials outlined the major types of commercial security technologies that agencies can use and how effective they are for various risks and vulnerabilities.
Robert Dacey, GAO's director for information security, is testifying today before the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee on agencies' implementation of the Federal Information Security Management Act. The act mandates many of the security management practices that can be supported by the technologies identified in the report.
GAO officials say the selection and effective use of security technology requires agency officials to consider several questions about implementation within their networks:
* How can we use the technology within a layered, defense-in-depth strategy?
* How will the technology enhance or impede users' ability to carry out the agency's mission?
* What independent evaluations of the technology's effectiveness are available?
* What security awareness programs are in place and what training will be necessary for new technology?
* How can we ensure that the technology is properly and securely configured?
The 18 technologies that GAO identified fall into five categories: access controls, system integrity, cryptography, auditing and monitoring, and configuration management and assurance. The technologies that fit under those headings include everything from digital signatures to network management tools.
The report provides a description of each category, the history and context of the technology, and the general advantages and disadvantages to the use of that type. It then breaks down each technology, detailing what it does, how it works