Information Security News mailing list archives

NIAP offering security forum


From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Mar 2001 22:03:35 -0600

http://www.fcw.com/fcw/articles/2001/0305/web-niap-03-08-01.asp

BY Diane Frank
03/08/2001

The National Information Assurance Partnership is offering agencies
and industry a forum to determine how to build security requirements
into the development cycle of commercial products, something that
would make it easier to secure an organization's systems
enterprisewide.

In the current information technology environment, agencies trying to
secure networks made up of commercial off-the-shelf hardware and
software must purchase add-on products or customize the COTS products.

But adding security products after installation takes time and money.
Furthermore, customization leaves the agency with a system that is no
longer supported by the vendor and that will not be easy to upgrade.

The NIAP, a partnership between the National Institute of Standards
and Technology and the National Security Agency, brought together
security experts from government, industry and academia this week to
discuss possible ways to overcome these problems.

The consensus that there needs to be more communication about what
the exact requirements are will not immediately fix security, but
work must start on developing and collecting those requirements and
getting them into the development cycle, officials said.

"We can't wait for years; we've got to rapidly converge on
requirements," said Stuart Katzke, senior adviser at the NIAP.

Agencies including the Federal Aviation Administration are starting to
work with the NIAP to better define their security requirements, and
the NIAP is looking for other target communities where the
organization can serve as a catalyst, Katzke said.

The smart-card group hosted by the NIAP has had success in bringing
together users and vendors, and it is being offered as a model for new
working groups to address security needs in other areas.

The group demonstrated that simply developing requirements at the user
level will not be enough and that a link must be made to the product
vendors, or there will be a disconnect between the needs and the
results. For example, when a financial services group tested commercial
smart cards against its requirements, the cards failed almost every
single one, said Ken Ayer, vice president of risk management at Visa
International Inc. and chairman of the Smart Card Security Users Group.

"Almost nothing is built to specification the first time around," he
said.

ISN is hosted by SecurityFocus.com