Underlying Causes of Security Problems

Government Accounting Office report GAO/T-AIMD-99-223
-- INFORMATION SECURITY: Recent Attacks on Federal Web Sites
Underscore Need for Stronger Information Security Management, June 24

A business that establishes itself on the web, in fact,
is no longer just a "storefront"; rather it is a "worldfront"
with a presence across all time zones and geographic
barriers. It is also a 24-hour-a-day/7-day-a-week operation.

Overall, information security is hindered by three narrow approaches
taken by government agencies:
- System versus organizational focus. Agencies tend to look at
security from a system perspective, but not an organization-wide
perspective. This focus, however, is unworkable in a network
- Static categories versus management risks. Agencies often
reduce information security to protecting static categories
of information, e.g., sensitive versus non-sensitive or classified
versus unclassified. This approach fails to encompass the multifaceted
nature of managing security across varying levels of risks to
the integrity, availability, and confidentiality of information
supporting agency operations and assets.
- Technical versus management function. Agencies frequently
treat information security as a technical function rather than
as a management function. This removes security from its integral
role in program management.

Dave Dittrich <firstname.lastname@example.org>
Last modified: Mon Aug 2 12:09:45 1999