Government Information Security Podcast show

Government Information Security Podcast

Summary: Exclusive, insightful audio interviews by our staff with government/security leading practitioners and thought-leaders. Transcripts are also available on our site!

Podcasts:

 Getting the Basics Right - Interview with Jerry Davis, NASA deputy chief information officer for IT security. | File Type: audio/mpeg | Duration: Unknown

Securing innovative technology is admirable, but if you don't get the basics right, then an organization cannot truly secure its information technology. That simple belief is at the foundation of IT security efforts at the National Aeronautics and Space Administration (NASA), as articulated by Jerry Davis, NASA's deputy chief information officer for IT security. As NASA consolidates its IT infrastructure - active directory, IP address management and e-mail, to name a few - its security team is actively involved. "Security doesn't function on its own in silos," Davis says in an interview with Information Security Media Group's GovInfoSecurity.com. "Managing better IT in that regard helps us better to manage security as well." Davis also discusses the need for NASA to attract more highly skilled IT security practitioners, especially those with forensic experience, and secure new technologies such as iPhones that employees like to use. Davis was interviewed by GovInfoSecurity.com's Eric Chabrow.

 Unique Programs: Enterprise Risk Management at NC State | File Type: audio/mpeg | Duration: Unknown

Risk management is a common theme across and within businesses, and at North Carolina State University the Enterprise Risk Management (ERM) program is attracting notice from prospective employers and students alike. Mark Beasley, head of the school's ERM initiative, discusses: What makes the program unique; The types of students entering and graduating from the initiative; How to approach a career in ERM. Beasley is the Deloitte Professor of Enterprise Risk Management at the College of Management at North Carolina State University in Raleigh, North Carolina. The Enterprise Risk Management (ERM) Initiative at NC State provides thought leadership about ERM practices and their integration with strategy and corporate governance. As founding director, Dr. Beasley leads the ERM Initiative's efforts to help pioneer the development of this emergent discipline through outreach to business professionals, with its ongoing ERM Roundtable Series and ERM Executive Education for boards and senior executives; research, advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives (www.erm.ncsu.edu). He frequently works with boards of directors and senior management teams to assist them in strengthening their risk oversight processes.

 Match Game: Security Controls and Reported Incidents - Interview with John Streufert, State Department Deputy CIO and CISO, Part 2 | File Type: audio/mpeg | Duration: Unknown

When a consortium of federal agencies and private organizations circulated the Consensus Audit Guidelines among federal agencies earlier this year, the IT security team at the State Department mapped these 20 most critical cybersecurity controls against security incidents reported by State to the Department of Homeland Security. John Streufert, deputy chief information officer and chief information security officer at the State Department, reveals the results of the match in an interview and explains how that knowledge helps the department secure its worldwide IT systems and networks. In addition, Streufert discusses a new grading system employed by State aimed at reducing systems and network vulnerabilities. Streufert, in an earlier interview, discussed the department's Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. Streufert spoke with Information Security Media Group's Eric Chabrow, managing editor of GovInfoSecurity.com.

 Beyond FISMA: State Dept.'s Next Gen Metric - Interview with John Streufert, State Department Deputy CIO and CISO | File Type: audio/mpeg | Duration: Unknown

To get a peek at how IT security will be measured after FISMA, take a look at what's happening at Foggy Bottom. The State Department in 2006 instituted its Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. John Streufert, the State Department deputy chief information officer and chief information security officer, says in an interview with GovInfoSecurity.com that the daily monitoring of IT vulnerabilities under Risk Scoring truly measures systems and network security as compared with the once-every-three-year assessment required by the Federal Information Security Management Act of 2002. Because of Risk Scoring, overall risk on State's key unclassified network has plunged by more than 80 percent in the past year. As lawmakers craft legislation to upgrade FISMA, expect to see a program like Risk Scoring incorporated in it. Streufert spoke with Eric Chabrow, GovInfoSecurity.com managing editor, in the first of a two-part interview.

 4 Key Areas of Cybersecurity R&D | File Type: audio/mpeg | Duration: Unknown

Interview with Deborah Frincke of the Pacific Northwest National Laboratory. Deborah Frincke is leading a team of computer scientists at the Pacific Northwest National Laboratory, one of nine Department of Energy national labs, to find new ways to defend government IT systems. In an interview with the Information Security Media Group, Frincke describes four areas of research and development being conducted at the Richland, Wash., labs: Adaptive Systems that preserve the intended mission of the systems regardless of attempts at manipulation; Cyber Analytics that provide a broader context for decision making; Predictive Defense that supports strategic and tactical decisions in preserving the long-term soundness of the infrastructure; and Trustworthy Engineering that establishes and maintains security goals. Frincke spoke with Eric Chabrow, managing editor of GovInfoSecurity.com. (A summary of the lab's R&D activities can be found here: i4.pnl.gov.)

 Audit, Risk Trends: Insights from David Melnick of Deloitte | File Type: audio/mpeg | Duration: Unknown

Audit and enterprise risk - they're inextricably linked. Growing cyber threats - from the inside and out - require organizations and their regulators to pay closer attention to technology and information security. What are some of the key audit and risk trends to track? David Melnick of Deloitte answers that question in an interview focusing on: Top challenges for financial institutions and government agencies; Successful strategies being deployed to mitigate threats; Trends organizations should track as they eye 2010. Melnick is a principal in security and privacy services within the audit and enterprise risk services practice in the Los Angeles office of Deloitte and brings more than 17 years of experience designing, developing, managing and auditing large-scale secure technology infrastructure. Melnick has authored several technology books and is a frequent speaker on the topics of security and electronic commerce.

 Yearly Security Awareness Training Isn't Enough - Interview with Hord Tipton of (ISC)2 | File Type: audio/mpeg | Duration: Unknown

From his perch as executive director of (ISC)2, the not-for-profit certifier of IT security professionals, and as the former CIO at the Interior Department, Hord Tipton has a close-up view of what works and doesn't work with regard to training government employees on information security awareness. In an interview with Information Security Media Group's GovInfoSecurity.com, Tipton discusses the: Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents; Challenges the government faces in hiring qualified cybersecurity practitioners even if there aren't enough applicants with IT security certification; and Expansion of information security awareness beyond government agencies and establishing programs in elementary and secondary schools. Tipton spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.

 IT Security Pros Collaborate on Privacy Act Rewrite - Interview with Ari Schwartz of the Center for Democracy and Technology | File Type: audio/mpeg | Duration: Unknown

Ari Schwartz wants you to help draft the new federal Privacy Act, and he's providing the tool for you to do that. Schwartz is vice president and chief operating officer of the public interest group Center for Democracy and Technology, which has on its site, at eprivacyact.org, a wiki in which cybersecurity professionals are proposing language on how the 35-year-old law should be upgraded. Schwartz hopes to send lawmakers CDT's final draft by the end of June, so legislation could be introduced by Independence Day. The law has not kept up with technology, such as data mining. Also, Congress enacted the original act years before anyone had even heard of the Internet, a technology that makes sharing information easy, which proves problematic. Schwartz spoke with Information Security Media Group's Eric Chabrow about the changes he believes the Privacy Act needs, how the wiki works and who is using it.
