Multi-level access controls such as Bell-LaPadula have been in place for government applications for a very long time with good success. Why not implement a similar model for access across the board? A well-defined business environment should understand where critical data is located and the risk involved with that data, and control access based on area of responsibility or job function. Users and hosts should be limited...
2. Business Initiated Vulnerabilities
How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?
The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. The SDL is composed of proven security practices that work in development organizations regardless of their size or platform. It consists of multiple phases in which core software assurance activities are defined. Computer...
The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,...
1. Approach cybersecurity the same way government now approaches Section 508 compliance – embed it from the start through the finish.
2. Make available a real, visualized threat dashboard to business process owners to educate them on the scope of threat in today’s environment.
Build security into the front end of development activities so that tailored standards could be used to address appropriate risk factors in test/dev settings – create DMZ for developers, who build knowing security policies in advance
Give a plus in evaluations of companies for primes that incentivize partners to address business-led security
Need a risk-based approach using quantifiable risk measures in Tech-Stat-like sessions so that mission/business requests involving business process changes or introduction of new products/apps would be properly vetted, using “what-if” scenarios that provide more reality around probabilities and impacts resulting from potential vulnerabilities.
2) How can agencies sharpen focus on vulnerabilities created (or exposed) by uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber.
Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams. IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing "expertise" and "contractual" barriers...
(Paragraphs preceded by [Non-ITAPS] are expanded recommendations to more explicitly address questions not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber? [Non-ITAPS]...
We talk about these issues inside the beltway every day in the THR CIO community. The business owners need to get a job done and take care of their customers. Again, it comes down to explaining in business-oriented words to make the business owners understand, not the cyber language. We also need to do a better job explaining this outside the beltway. There needs to be a coordinated education blitz that is explained over and...