Information Security Program Survey - Essay Example

? Information Security Program Survey Information Security Program Survey Introduction The National Aeronautics and Space Administration (NASA) is the United States’ agency to manage the nation’s aerospace research, aeronautics, and other civilian space programs. As per 2011 NASA strategic plan, NASA’s mission is to “drive advances in science, technology, and exploration to enhance knowledge, education, innovation, economic vitality, and stewardship of Earth”. Safety, integrity, teamwork, and excellence are the core values of this government agency. Since the NASA needs to manage highly sensitive data, information, strategic plans, and space programs, the organization pays particular attention to its information security program. This paper will analyze NASA’s information security program focusing on aspects like strategic fit, breadth and coverage, program deficiencies or implementation issues, and stated costs and benefits. NASA Information Security Program The NASA IT Security (ITS) Division operations under the control the Chief Information Officer to manage security projects and thereby to mitigate vulnerabilities, improve obstacles to cross-center collaboration, and to provide cost effective IT security services for supporting the agency’s systems and e-Gov initiatives. The ITS Division works to ensure that IT security across the organization meets integrity and confidentiality to enhance disaster recovery and continuity of operations. “The ITS Division develops and maintains an information security program that ensures consistent security policy, indentifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness” (IT Security Division). This Division also performs periodical audits and reviews to make certain that security policies and procedures meet accepted standards. It is clear that NASA extensively relies on information systems and networks to manage its activities such as scientific discovery, aeronautics research, and space exploration. Since many of these information systems and networks are interconnected using internet, they are more likely to be threatened by cyber attacks from different sources. While analyzing the strategic fit of the NASA’s information security program, it seems that the program cannot well support the organization’s goals and objectives due to several security pitfalls. Although the organization has achieved significant advancements in information security program management and security control implementation, it is still vulnerable to cyber attacks. According to the GAO report, NASA has not always implemented proper control measures to ensure the confidentiality and integrity of its systems and networks that support the organization’s mission directorates. As a result, the organization often fails to sufficiently prevent, restrict, and detect unauthorized access to its systems and networks (GAO). The major pitfall of the NASA’s information security program is that it has not been consistent in identifying and authenticating users and limiting user access to its key systems and networks. The organization cannot effectively encrypt its network services and data and often fails to protect its network boundaries. It is alarming to note that the organization has even failed to protect its information technology resources physically. In addition, shortcomings in the auditing and monitoring of computer-related events also contributed to the organization’s information security inefficiency. The organization also faces challenges in effectively segregating incompatible duties and managing system configurations. The key reason for those inefficiencies in NASA’s information security program is that the organization is yet to implement some key activities to make certain that control measure are appropriately developed and functioning efficiently. The organization does not give specific focus to complete assessment of information security risks always and therefore many security threats go unnoticed. In addition, it has not designed or documented extensive security policies and procedures and not included key information in security plans to manage information systems and networks effectively. Considering the sensitivity of activities undertaken by NASA, the organization has not performed comprehensive assessments of its information system controls. In addition, the NASA does not specifically focus on tracking the status of operational plans to find solutions to known weaknesses and planning for unforeseen contingencies and disruptions in service. Another major reason for the weakness is that the organization’s information security program does have capabilities for detecting, reporting, and responding to security incidents. Therefore, it is obvious that NASA’s information security program is not very effectively mainly as a result of serious implementation issues. While analyzing the breadth and coverage of the information security program, it seems that the major components such as people, processes, and technologies do not notably contribute to the efficiency of systems and networks. To illustrate, NASA reported 1,120 security incidents over the fiscal years 2007 and 2008 that led to malicious software installation on its systems and unauthorized access to highly confidential information (GAO). The Security Operations Center established by NASA in 2008 was also not effective in preventing unauthorized access to the organization’s sensitive information. It is identified that control vulnerabilities and other program shortfalls increase the risk of unauthorized access to NASA’s systems and networks. Considering the huge costs spent by NASA each year to improve security of its systems, networks, and information, it can be stated that the benefits of NASA’s information security system do not outweigh the costs budgeted. Worksheet: Information Security Program Survey Security Area Responsible Party / Office of Primary Responsibility (OPR) Known Vulnerabilities / Risks Countermeasures / Risk Mitigation Strategy Acquisition (systems/services)       Asset management       Audit and accountability  IT Security Division  Poor auditing of computer-related events  Timely audit and review of systems and networks to detect security incidents. Authentication and authorization  IT Security Division  Fail to authenticate users and limit users’ access to key systems and networks  Well monitored authentication and authorization of users Business continuity       Compliance management  IT Security Division  The information security program often fails to comply with accepted standards  Appointment of project supervisors to ensure effective compliance management Configuration control       Data       Hardware       Identity management       Incident management  IT Security Division  The prevalence of security incidents has been increased  Improving the operational efficiency of Security Operations Center Maintenance procedures  IT Security Division  Lack of extensive security procedures  Development of well defined and comprehensive procedures Media protection and destruction       Network  IT Security Division  Network is exposed to unauthorized access and cyber attacks Development of strong security systems to mitigate network exposure  Planning       Personnel       Physical environment  IT Security Division  Even information technology resources are not appropriately protected.  Strict monitoring over the physical environment. Policy  IT Security Division  Lack of extensive security policies.  Development of high standard security policies Operations       Outsourcing       Risk assessments  IT Security Division  Poor performance of risk assessment systems like Security Operations Center  Establishing a special team to deal with risk assessment. Software       Training       Conclusion From the above discussion, it is clear that NASA’s information security program performs poorly in terms of threat detection and securing systems and networks. Ineffective program implementation is the major reason contributing to the inefficiency of this information security program. A cost-benefit analysis indicates that the benefits of NASA’s information security program are poor compared to the cost spent for it. References 2011 NASA strategic plan. Retrieved from http://www.nasa.gov/pdf/516579main_NASA2011StrategicPlan.pdf NASA IT Security Division. Retrieved from http://www.nasa.gov/offices/ocio/itsecurity/ GAO. NASA Needs to Remedy Vulnerabilities in Key Networks. Report to Congressional Committees. Retrieved from http://www.gao.gov/new.items/d104.pdf Read More