Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)
sean at donelan.com
Thu Oct 9 11:13:29 CDT 2008
On Tue, 7 Oct 2008, Valdis.Kletnieks at vt.edu wrote:
> You don't want "the securest implementation". You want one that's
> "secure enough" while still allowing the job to get done. You also don't
> want to be *paying* for more security than you actually need. Note that
> the higher price paid to the vendor isn't the only added cost of too much
The most recent (September 15 2008) US Government DNI directive about IT
systems security includes the concept of appropriate risk management.
1. Risk Management
a. The principal goal of an IC element's information technology risk
management process shall be to protect the element's ability to
perform its mission, not just its information assets. [...]
b. [...] For example, a very high level of security may reduce risk to a
very low level, but can be extremely expensive, and may unacceptably
impede essential operations.
In practice, it often turns out a "secure" system that is unusable for its
mission is both insecure and unused because people start using other ways
that bypass the "secure" system just to get the job done.
So back to my original questions: what advice would you give to the US
Government about protecting and defending its networks to maintain
its capability to perform? And how can it be sure it's getting what
it paid for?