2. Business Initiated Vulnerabilities

How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?


Question: 2. Business Initiated Vulnerabilities

Remember Bell-LaPadula?

Multi-level access controls such as Bell-LaPadula have been in place for government applications for a very long time with good success. Why not implement a similar model for access across the board? A well-defined business environment should understand where critical data is located and the risk involved with that data, and control access based on area of responsibility or job function. Users and hosts should be limited ...more »


1 vote
Public Input

Adopt the Security Development Lifecycle

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. The SDL is composed of proven security practices that work in development organizations regardless of their size or platform. It consists of multiple phases in which core software assurance activities are defined. Computer ...more »


1 vote
Public Input

Adopting Flexible, Fast, Scalable Solutions

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting, ...more »


0 votes
Public Input

ACT-IAC Membership Meeting Ideas

1. Approach cybersecurity the same way government now approaches Section 508 compliance – embed it from the start through the finish.

2. Make available a real, visualized threat dashboard to business process owners to educate them on the scope of threat in today’s environment.


1 vote
Public Input

Build Security into Development (SuperSIG)

Build security into the front end of development activities so that tailored standards can be used to address appropriate risk factors in test/dev settings – create a DMZ for developers, who build knowing security policies in advance.


1 vote
Public Input

Partner Security Incentive (SuperSIG)

Give a plus in evaluations of companies for primes that incentivize partners to address business-led security.


1 vote
Public Input

New Risk Management Approach (SuperSIG)

Need a risk-based approach using quantifiable risk measures in TechStat-like sessions, so that mission/business requests involving business process changes or introduction of new products/apps would be properly vetted, using “what-if” scenarios that provide more reality around probabilities and impacts resulting from potential vulnerabilities.


2 votes
Public Input

Business Initiated Vulnerabilities

2) How can agencies sharpen focus on vulnerabilities created (or exposed) by uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber?


1 vote
Public Input

Create Gov Wide "Security Maven" Program for Gov IT Developers

Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams, which greatly outnumbered their security teams. IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing "expertise" and "contractual" barriers ...more »


4 votes
Public Input

Supported ITAPS recommendations

(Paragraphs preceded by [Non-ITAPS] are expanded recommendations to more explicitly address questions not directly addressed by ITAPS; participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.) How can agencies sharpen focus on vulnerabilities created by (or exposed by) uninformed business/program users and the array of technology solutions embedded in service delivery that does not account for cyber? [Non-ITAPS] ...more »


1 vote
Public Input

President and CEO

We talk about these issues inside the beltway every day in the THR CIO community. The business owners need to get a job done and take care of their customers. Again, it comes down to explaining in business-oriented words to make the business owners understand, not in cyber language. We also need to do a better job explaining this outside the beltway. There needs to be a coordinated education blitz that is explained over and ...more »


5 votes
Public Input