North American Network Operators Group


Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

  • From: Sean Donelan
  • Date: Thu Oct 09 12:13:37 2008

On Tue, 7 Oct 2008, [email protected] wrote:
> You don't want "the securest implementation".  You want one that's
> "secure enough" while still allowing the job to get done.  You also don't
> want to be *paying* for more security than you actually need.  Note that
> the higher price paid to the vendor isn't the only added cost of too much
> security.

The most recent (September 15 2008) US Government DNI directive about IT systems security includes the concept of appropriate risk management.
http://www.dni.gov/electronic_reading_room/ICD_503.pdf
  D. POLICY
  1. Risk Management
  a. The principal goal of an IC element's information technology risk
     management process shall be to protect the element's ability to
     perform its mission, not just its information assets. [...]
  b. [...] For example, a very high level of security may reduce risk to a
     very low level, but can be extremely expensive, and may unacceptably
     impede essential operations.

In practice, it often turns out a "secure" system that is unusable for its mission is both insecure and unused because people start using other ways that bypass the "secure" system just to get the job done.

So back to my original questions: what advice would you give to the US Government about protecting and defending its networks to maintain
its capability to perform? And how can it be sure it's getting what
it paid for?