Government Information Security Podcast

Summary: Exclusive, insightful audio interviews by our staff with government/security leading practitioners and thought-leaders. Transcripts are also available on our site!

Podcasts:

 Securing Off-The-Shelf IT | File Type: audio/mpeg | Duration: Unknown

Interview with former Air Force and Energy CIO John Gilligan on core configuration. While Air Force chief information officer, John Gilligan initiated the process that led to the highly praised Federal Desktop Core Configuration, in which personal computers purchased by the government must be preconfigured to include specified security controls. In the first of a two-part interview with GovInfoSecurity.com managing editor Eric Chabrow, Gilligan explains the importance of core configuration, and the challenges the government faces in expanding the program to other types of information and communication technologies. A primary barrier, Gilligan says, is overcoming the culture of each agency deciding how it deems best to procure and secure its IT. "The term personal computer is just more than a description of a particular brand of machine, but it is really how people think of it. It is my computer, it's my organization, and no one outside will tell me how to operate," Gilligan says. Gilligan also served as CIO at the Energy Department, and now heads his own consulting firm, the Gilligan Group. But he remains a big influence on government IT. He led a consortium of federal agencies and private organizations in developing the Consensus Audit Guidelines that define the most critical security controls to protect federal IT systems and coauthored the influential Commission on Cybersecurity for the 44th Presidency report from the Center for Strategic and International Studies, a Washington think tank, that's helping shape federal cybersecurity policy.

 Creating an IT Security Culture - Interview with Vermont CISO Kris Rowley | File Type: audio/mpeg | Duration: Unknown

As the first chief information security officer of Vermont, Kris Rowley's primary mission isn't to build an information security organization, but to create a culture of IT security and trust. In a state where many agencies operate their own independent information systems -- stovepipes, she calls them -- encouraging agency heads and their IT staffs to adapt to new approaches proves to be a challenge, one she's willing to take on. "People have their own domains, and they're the lord of their domains, and that's where they feel comfortable," says Rowley, who's been on the job since last September. "Part of that is a trust issue, as well. There's now an office of CISO in the state, and that's new to people. That involves change, and as we all know, change is difficult." In an interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Rowley discusses how she plans to change old habits by fostering an information security culture in Vermont, as well as working to codify information assurance policies and procedures and looking to Washington for guidance and money. Rowley, in the interview, makes reference to the state of Vermont's website, aimed at educating citizens and government employees on information security.

 New Opportunities in Information Security - Interview with Gerald Masson, Director of Johns Hopkins University Information Security Institute | File Type: audio/mpeg | Duration: Unknown

There are more opportunities than ever for skilled information security professionals. This is the belief of Gerald Masson, Director of Johns Hopkins University Information Security Institute, and in an exclusive interview he discusses: Job prospects for information security professionals in the public and private sectors; Growing opportunities in the healthcare field; What students need to know if they're either starting or re-starting their careers. Masson received his PhD from Northwestern University in 1971. He has developed and taught numerous graduate and undergraduate courses addressing various aspects of the field of computer networking and systems architecture. He has published over 150 technical papers, co-authored two books and is an inventor on six patents. His research addresses a range of issues dealing with the foundations and implementations of distributed systems regarding issues such as survivability, real-time performance monitoring techniques, and security mechanisms used for network access. His research has been widely cited as well as implemented and utilized for critical infrastructure government and commercial applications.

 DISA's Cloud Computing Initiatives | File Type: audio/mpeg | Duration: Unknown

Cloud computing is among the hottest topics in the federal government, with its efficiencies promising to save agencies and eventually taxpayers money. Despite its attractiveness, few agencies have implemented any type of cloud computing initiative, mostly because of IT security concerns. The Defense Information Systems Agency is among the few government agencies actively involved in cloud computing. In this interview, Henry Sienkiewicz, technical program advisor in DISA's Computing Services Directorate, discusses how DISA: Employs cloud computing securely behind its own firewall; Wrestles with the cultural change to a new computing model; and Collaborates with vendors to host and manage their commercial software-as-a-service applications on DISA servers.

 What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report | File Type: audio/mpeg | Duration: Unknown

Verizon Business investigated 90 major data breaches in 2008, including 285 million compromised records. Nearly ¾ of those breaches were external hacks, and 99.9 percent of the records were compromised via servers and applications. These are among the findings of Verizon's new 2009 Data Breach Investigations Report. In an exclusive interview, Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business, discusses: The survey results; What these results mean to financial institutions and government entities; Which threats to watch out for most in the coming months. Tippett is the chief scientist of the security product testing and certification organization, ICSA Labs, an independent division of Verizon Business. An information security pioneer, Tippett has led the computer security industry for more than 20 years, initially as a vendor of security products, and over the past 16 years, as a key strategist. He is widely credited with creating the first commercial anti-virus product that later became Norton AntiVirus.

 Swine Flu: "This Could be Our Next Pandemic" - Regina Phelps, Emergency Management Expert | File Type: audio/mpeg | Duration: Unknown

As the swine flu outbreak triggers new fears of a global pandemic, security organizations must dust off and review their emergency management plans. For insight on how to prepare for swine flu, pandemic expert Regina Phelps offers expert insight on: What you need to know about swine flu; How your organization should respond - internally and with customers; Where and what to watch for updates over the coming days. Regina Phelps is an internationally recognized expert in the field of emergency management and continuity planning. With over 26 years of experience, she has provided consultation and educational speaking services to clients on four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in emergency management, continuity planning and safety.

 The Future of Information Security: Interview with John Rossi, National Defense University | File Type: audio/mpeg | Duration: Unknown

To this point, information security professionals have been generalists. Going forward, they'll have to be specialists. At least this is the opinion of John Rossi, professor of systems management/information assurance. In an exclusive interview on the future of the information security profession, Rossi discusses: Why information security is headed toward specialization; The new capacities security professionals must develop; How academic institutions and industry groups must change how they educate security pros. Rossi is a Professor of Systems Management/Information Assurance in the Information Operations and Assurance Department at the National Defense University (NDU) Information Resources Management College (IRMC). Prior to joining the NDU/IRMC faculty, he was a computer scientist for information security, research, and training with the U.S. Federal Aviation Administration Headquarters. He was Security Division Manager of the U.S. Department of Energy's Nuclear Weapons Production Security Assessments Program and National Program Manager for Computer Security Certification and Accreditation (C&A) with the U.S. Department of Defense during Desert Storm.

 Safeguarding New Tech: Navy CIO Robert Carey | File Type: audio/mpeg | Duration: Unknown

Navy CIO Robert Carey was among the first federal CIOs to embrace blogging as a way to keep in touch with his various constituencies, including officers and sailors. Carey believes steps can be taken to embrace new technologies while maintaining security. In this second of two parts of an exclusive interview, Carey discusses: Securing the new Navy-Marine intranet to debut next year; How the Navy employs social networking, though with some security restrictions; and Plans to implement secure cloud computing as a way to exploit technical efficiencies. Carey joined the Navy's Office of CIO in 2000, regularly being elevated from e-business team leader to director of the Smart Card Office, to deputy CIO for policy and integration, to CIO. Previously, Carey served in a variety of engineering and program management leadership positions within the Navy's acquisition community in the undersea warfare domain. A 1982 graduate of the University of South Carolina with a BS in engineering, Carey earned a master of engineering management degree from George Washington University in 1995. As an active member of the Naval Reserve, he holds the rank of commander in the Civil Engineer Corps. Carey was recalled to duty for Operation Desert Storm and more recently as part of a Marine expeditionary force in Iraq's Al Anbar province.
