Diplomatic patches

State centralizes processes in a bid to shore up security at posts worldwide

By FCW Staff
Published on March 5, 2007


The State Department is fighting patchwork with patches. After years during which embassies and other outposts around the globe developed individual, disparate applications—which left department systems vulnerable—State IT officials are establishing centralized software patching and hardening their defenses.

CIO James Van Derhoff is leading a bid to end the department’s information assurance woes and simultaneously cut costs by deploying new tools, improving training and mandating pilots that centralize security services. The move is at least in part a response to a series of dismal security assessments.

“I arrived a year ago,” Van Derhoff said in a recent interview. “There were clear IT security issues that were pointed out to me immediately when I arrived.”

Flunked FISMA

State bears the stigma of an F on its Federal Information Security Management Act report card for 2005. In addition, the department’s inspector general had issued critical reports on State’s system security in each of the preceding five years.

A thick stack of scathing IG reports, newly revealed via the Freedom of Information Act, describes years of failure to meet patching requirements, harmonize systems configuration across overseas locations and meet certification and accreditation requirements dating back to the 1980s.

GCN received the previously undisclosed IG reports, which state that they are “sensitive but unclassified,” under the Freedom of Information Act. The reports, dated from 2002 to 2006, were released almost a year after GCN filed the original FOIA request in 2005.

The audit reports include many sections that have been “redacted,” or deleted for security reasons. In some reports, entire pages appear blank because of the redactions, while in others, many paragraphs or individual words have been excised.

The IG’s analyses and recommendations, and the department’s corresponding replies, show that serious security flaws continued for years despite repeated pledges to improve.

Among the most prominent areas the auditors singled out for criticism were:
  • Patch management procedures
  • Configuration management methods
  • Training of information systems security officers.

Van Derhoff and his team have deployed technology and changed procedures to improve security in these and other areas.
