RE: Government Compliance

From: Kasyan, Walter A (Tony) (wakasyan@purdue.edu)
Date: Thu Jun 16 2005 - 09:01:45 EDT

• Next message: Robert Hines: "RE: Government Compliance"
• Previous message: Diego Kellner: "Re: Government Compliance"
• Maybe in reply to: Security Professional: "Government Compliance"
• Next in thread: Smith, Michael J.: "RE: Government Compliance"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

If this is in fact the case, they are not really interested in true
security but rather a minimal compliance with what the chain of command
views as "Security". This way they can assure their compliance and get
good evals and assure the continued march up the promotional ladder. But
be careful, there was once a Commander R. Marcinko, USN who did some
Security Scans with a group called Red Cell and his chain of command
didn't like the results. It may be OK to rock the boat gently, but be
careful not to tip it over.

Tony

-----Original Message-----
From: Dave [mailto:dave.anon@gmail.com]
Sent: Wednesday, June 15, 2005 9:51 AM
To: pen-test@securityfocus.com
Subject: Government Compliance

Hello everyone. I know some will view this as a rant and other as
informative, but I am making this post as a sanity check.

For the purposes here, I currently work as an IT Security professional
for the US government. I work at the Department of Government, within a
component named AgencyX. Yes, these names are fictional.

To give an outline or basic background, all government computer systems
are governed by strict requirements for designing, implementing,
maintaining, and securing them. Many of these are mandatory and are not
up for negotiation. Some examples include NIST SP's, FISMA, DCID 6/3,
etc.....

OK....so I received and email from a "IT Security professional"
(qualifications and knowledge very questionable) at the Department in
response to a question I had. I had asked for the definition the
Department was adopting for penetration testing. The response I received
was (scrubbed for anonymity):

"... The guidance for penetration testing was reviewed at [department
committee] meeting... penetration testing shall consist of [product name
deleted] vulnerability scans and running [product name deleted] for
cracking passwords... if this has been done AgencyX shall get credit for
penetration testing...."

Ok, I have big problems with this. There are seperate and distinct
requirements for maintaining password complexity, performing vuln scans,
AND performing penetration testing. Any industry guideline or resource
would never allow this "definition". Am I wrong? Am I over reacting?

When I brought this up to my chain of command I was told "don't rock the
boat". They fully admitted that they knew the definition to be incorrect
in that it was not meeting the intent of the requirement, but that I
should not say anything to rock the boat and just accept this.

Obviously, for ethical reasons, I am leaving the agency and the
department.

Feedback? Thoughts?

-- Dave

• Next message: Robert Hines: "RE: Government Compliance"
• Previous message: Diego Kellner: "Re: Government Compliance"
• Maybe in reply to: Security Professional: "Government Compliance"
• Next in thread: Smith, Michael J.: "RE: Government Compliance"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT