Computer Security Report Card: Hearing Before the Subcommittee on Government Management, Information, and Technology of the Committee on Government Reform, House of Representatives, One Hundred Sixth Congress, Second Session, September 11, 2000

Popular passages

Page 110 - Such controls can prevent both errors in software programming as well as malicious efforts to insert unauthorized computer program code. Without adequate controls, incompletely tested or unapproved software can result in erroneous data processing that, depending on the application, could lead to losses or faulty outcomes. In addition, individuals could surreptitiously modify software programs to include processing steps or features that could later be exploited for personal gain or sabotage.
Page 34 - The reform provisions supplement information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996 and...
Page 184 - It has a diverse portfolio of over 200 federal programs throughout the nation and the world.
Page 57 - Government. 3. Interagency Coordination: The Sector Liaison Officials and Functional Coordinators of the Lead Agencies, as well as representatives from other relevant departments and agencies, including the National Economic Council, will meet to coordinate the implementation of this directive under the auspices of a Critical Infrastructure Coordination Group (CICG), chaired by the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. The National Coordinator will be...
Page 83 - ... recover and provide service sufficient to meet the minimal needs of users of the system. Manual procedures are generally NOT a viable back-up option. When automated support is not available, many functions of the organization will effectively cease. Therefore, it is important to take cost-effective steps to manage any disruption of service. Decisions on the level of service needed at any particular time and on priorities in service restoration should be made in consultation with the users of...
Page 84 - ... of Security Controls. The security of a system will degrade over time, as the technology evolves and as people and procedures change. Reviews should assure that management, operational, personnel, and technical controls are functioning effectively. Security controls may be reviewed by an independent audit or a self review. The type and rigor of review or audit should be commensurate with the acceptable level of risk that is established in the rules for the system and the likelihood of learning...
Page 49 - ... agency for information systems. Additionally, the Clinger-Cohen Act calls for OMB to issue clear and concise direction to ensure that the information security policies, processes, and practices of the agencies are adequate.
Page 52 - ... procedures are in place to ensure that controls are implemented effectively and remain effective over time. b) Demonstrating specific methods used to ensure that the security controls are commensurate with the risk and magnitude of harm that may result from the loss, misuse, or unauthorized access to or modification of the system itself or the information it manages. c) Identifying additional security controls that are necessary to minimize risks to and potential loss from those systems that...
Page 152 - SSA's systems. We will work with the various oversight bodies, the General Accounting Office and the IG, for example, to review what we are doing and identify any issues they believe we need to address. Only in this way can we be assured SSA is getting all the advice that is available to us, and doing its utmost to maintain the security of our computer systems, and the data they contain. Zero Tolerance for Fraud. Finally, I also want to state that we have a zero tolerance...
Page 84 - ... individuals, are generally more cost-effective personnel security controls than background screening. Such controls should be implemented as both technical controls and as application rules. For example, technical controls to ensure individual accountability, such as looking for patterns of user behavior, are most effective if users are aware that there is such a technical control. If adequate audit or access controls (through both technical and non-technical methods) cannot be established, then...