Focus: Federal
Federal Government News and Media
Army Expects to OK First Tablet Device
25 Aug 2011
The Army is about to give the green light for the first tablet computer to be permitted to operate on its networks.
LTC Matthew Dosmann: "The key, he said, is mobile device management software that would allow the Army to control what a user can and can't do based on his or her role in an organization, location, and other factors.
For instance, in the case of senior officers in sensitive positions, the Army would want to disable social media services that track a user's location, while the same apps might be allowed for other users.
Also, while cameras are disabled in most of today's Army BlackBerrys, Dosmann said it makes sense to turn them back on for certain users and for certain applications, such as barcode scanning."
United States Government Accountability Office Report to Congressional Committees (GAO-11-43): http://www.gao.gov/products/GAO-11-43
Leading Practices and Recommendations for Securing Wireless Networks and Technologies:
- Policy
- Risk-Based Approach
- Centralized Management
- Configuration Requirements: security tools, addressing access points, and physical protection
- Training
- Remote Access
- Monitoring: includes tools to detect signal leakage, ensure configuration compliance, ensure access is authorized, and identify unauthorized access
- Security Assessments
Challenges that wireless technologies are susceptible to:
- Denial of Service
- Eavesdropping
- Man-in-the-middle
- Impersonating an authorized user
- Altering messages
- Retransmitting messages as an authorized user
- Stealing or unauthorized use of service
- Monitoring transmissions to identify communication patterns and participants
M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
April 21, 2010
http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf
"Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way."
IDC Report emphasizing the importance of continuous monitoring: http://www.idc.com
"Most regulations and best practices have stated what the goal is but do not provide information on how that goal is to be accomplished. This makes it difficult to provide information to auditors because of the subjective nature of what data is beneficial to them. This is changing. PCI DSS and Massachusetts' data privacy law 201 CMR 17 are providing specific prescriptive security controls that must be adopted. Both mandate a number of security functions (e.g., firewalls, antivirus, and vulnerability assessments) that must be implemented. It is a little easier to demonstrate compliance if what needs to be done is known, but with these prescriptive security controls come new standards for continuous monitoring and auditing.
The importance of security monitoring is growing. Massachusetts 201 CMR 17, which went into effect in 2010, requires "regular monitoring to ensure that the comprehensive information security program is operating." The HITECH update to HIPAA requires improved reporting associated with electronic medical records. Legislation introduced in Congress to update the Federal Information Security Management Act (FISMA) requires continuous detection, monitoring, correlation, and analysis of the security of information systems. All of these efforts are forcing continuous monitoring, not just a "checkbox approach" to compliance. Compliance with these and other future mandates will require comprehensive security and compliance management."