Synopsis
Exclusive, insightful audio interviews by our staff with leading government and security practitioners and thought leaders. Transcripts are also available on our site.
Episodes
-
Match Game: Security Controls and Reported Incidents - Interview with John Streufert, State Department Deputy CIO and CISO, Part 2
06/07/2009 When a consortium of federal agencies and private organizations circulated the Consensus Audit Guidelines among federal agencies earlier this year, the IT security team at the State Department mapped those 20 most critical cybersecurity controls against the security incidents State had reported to the Department of Homeland Security. John Streufert, deputy chief information officer and chief information security officer at the State Department, reveals the results of that match in an interview and explains how the knowledge helps the department secure its worldwide IT systems and networks. Streufert also discusses a new grading system State employs to reduce systems and network vulnerabilities. In an earlier interview, Streufert discussed the department's Risk Scoring Program, which aims to pinpoint and correct the worst vulnerabilities on any particular day on any of its worldwide systems and networks. Streufert spoke with Information Se
-
Beyond FISMA: State Dept.'s Next Gen Metric - Interview with John Streufert, State Department Deputy CIO and CISO
02/07/2009 To get a peek at how IT security will be measured after FISMA, take a look at what's happening at Foggy Bottom. In 2006 the State Department instituted its Risk Scoring Program, which aims to pinpoint and correct the worst vulnerabilities on any particular day on any of its worldwide systems and networks. John Streufert, the State Department's deputy chief information officer and chief information security officer, says in an interview with GovInfoSecurity.com that the daily monitoring of IT vulnerabilities under Risk Scoring truly measures systems and network security, compared with the once-every-three-years assessment required by the Federal Information Security Management Act of 2002. Because of Risk Scoring, overall risk on State's key unclassified network has plunged by more than 80 percent in the past year. As lawmakers craft legislation to upgrade FISMA, expect to see a program like Risk Scoring incorporated in it. Streufert spoke with Eric Chabrow, GovInfoSecurity.com managing ed
-
4 Key Areas of Cybersecurity R&D
24/06/2009 Interview with Deborah Frincke of the Pacific Northwest National Laboratory. Deborah Frincke is leading a team of computer scientists at the Pacific Northwest National Laboratory, one of nine Department of Energy national labs, to find new ways to defend government IT systems. In an interview with the Information Security Media Group, Frincke describes four areas of research and development being conducted at the Richland, Wash., lab: Adaptive Systems that preserve the intended mission of the systems regardless of attempts at manipulation; Cyber Analytics that provide a broader context for decision making; Predictive Defense that supports strategic and tactical decisions in preserving the long-term soundness of the infrastructure; and Trustworthy Engineering that establishes and maintains security goals. Frincke spoke with Eric Chabrow, managing editor of GovInfoSecurity.com. (A summary of the lab's R&D activities can be found here: i4.pnl.gov.)
-
Audit, Risk Trends: Insights from David Melnick of Deloitte
22/06/2009 Audit and enterprise risk - they're inextricably linked. As cyber threats grow - from inside and out - organizations and their regulators must pay closer attention to technology and information security. What are some of the key audit and risk trends to track? David Melnick of Deloitte answers that question in an interview focusing on: Top challenges for financial institutions and government agencies; Successful strategies being deployed to mitigate threats; Trends organizations should track as they eye 2010. Melnick is a principal in security and privacy services within the audit and enterprise risk services practice in the Los Angeles office of Deloitte and brings more than 17 years of experience designing, developing, managing and auditing large-scale secure technology infrastructure. Melnick has authored several technology books and is a frequent speaker on the topics of security and electronic commerce.
-
Yearly Security Awareness Training Isn't Enough - Interview with Hord Tipton of (ISC)2
17/06/2009 From his perch as executive director of (ISC)2, the not-for-profit certifier of IT security professionals, and as former CIO of the Interior Department, Hord Tipton has a close-up view of what works and what doesn't when it comes to training government employees in information security awareness. In an interview with Information Security Media Group's GovInfoSecurity.com, Tipton discusses: The need to provide federal employees awareness training more often than once a year, because of the ever-changing challenges IT security presents; The challenges the government faces in hiring qualified cybersecurity practitioners even though there aren't enough applicants holding IT security certifications; and The expansion of information security awareness beyond government agencies, establishing programs in elementary and secondary schools. Tipton spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
-
IT Security Pros Collaborate on Privacy Act Rewrite - Interview with Ari Schwartz of the Center for Democracy and Technology
16/06/2009 Ari Schwartz wants you to help draft the new federal Privacy Act, and he's providing the tool for you to do it. Schwartz is vice president and chief operating officer of the public interest group Center for Democracy and Technology, which hosts on its site, at eprivacyact.org, a wiki in which cybersecurity professionals are proposing language on how the 35-year-old law should be upgraded. Schwartz hopes to send lawmakers CDT's final draft by the end of June, so legislation could be introduced by Independence Day. The law has not kept up with technology such as data mining. Congress also enacted the original act years before anyone had heard of the Internet, whose ease of information sharing has proved problematic. Schwartz spoke with Information Security Media Group's Eric Chabrow about the changes he believes the Privacy Act needs, how the wiki works and who is using it.
-
Information Security Education: Expanding Career Opportunities Through Advanced Education at Regis University
15/06/2009 With the Obama administration's focus on cybersecurity, this is a good time to start or move into an information security career, and Regis University in Colorado is one institution offering state-of-the-art education for undergraduates and graduates alike. In an exclusive interview, Daniel Likarish, a faculty member of the Regis University School of Computer & Info Sciences, discusses: The information security programs at Regis University; The unique types of students enrolled in these programs; Job placement and opportunities in business and government. Regis University, with nearly 16,000 students, comprises Regis College, College for Professional Studies and Rueckert-Hartman College for Health Professions. The university is recognized by U.S. News & World Report as a Top School in the West and is one of 28 Catholic Jesuit colleges and universities throughout the United States. Regis University is located at 3333 Lowell Blvd. at 50th Street in north Denver. In addition to its north Denver Lowell campus, the U
-
In Silence, Cybersecurity Action - Interview with Jim Flyzk, former Treasury CIO
12/06/2009 Cybersecurity isn't getting as much publicity in and around Washington as it did a month ago, when speculation was hot about what was in White House adviser Melissa Hathaway's famous 60-day review of federal government cybersecurity policy and President Obama announced he intends to name a cybersecurity coordinator. But, as Jim Flyzk says in this interview conducted Friday, June 12, much action is occurring behind the scenes: at government contractors with designs on winning an expected increase in the number of federal cybersecurity contracts, and along the corridors of the White House and Capitol as officials prepare for a sea change in the way the government addresses information security. One thing is certain, Flyzk says: cybersecurity is now a crucial topic that won't be ignored. Flyzk is as well connected as anyone in Washington's government IT community. He spent 27 years in government, most notably as chief information officer of the Treasury Department and White House IT advisor on ho
-
Pandemic Update: Regina Phelps on Level 6 and What it Means
12/06/2009 On Thursday, the World Health Organization declared the H1N1 virus to be the first global pandemic in over 40 years. In an exclusive interview, pandemic expert Regina Phelps explains exactly what this means, discussing: How organizations should respond to this announcement; Lessons learned so far from the H1N1 experience; What to expect - and how to respond - in the coming weeks. Phelps is an internationally recognized expert in the field of emergency management and continuity planning. With over 26 years of experience, she has provided consultation and educational speaking services to clients on four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in emergency management, continuity planning and safety.
-
Michigan's Pass-Fail IT Security Challenge - Interview with Michigan CTO Dan Lohrmann
11/06/2009 After nearly seven years as Michigan's chief information security officer, Dan Lohrmann was promoted earlier this year to the post of state chief technology officer. But despite his new responsibilities, Lohrmann remains a key source of knowledge on how Michigan handles information security. Lohrmann, in an interview, says preventing data loss is among the biggest IT security challenges the state faces. Speaking with Information Security Media Group's Eric Chabrow, Lohrmann compares how the state governs cybersecurity with how the federal government does, and in many respects it's not much different: Michigan relies on the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology to keep state IT safe. One advantage the state has over its federal counterparts, Lohrmann concedes: Michigan isn't graded on compliance by the Office of Management and Budget.
-
Red Flags and Privacy: FTC Insights from Joel Winston
10/06/2009 Data and privacy protection - there's much that government, industry and consumers alike can do to improve information security. And the Federal Trade Commission (FTC) is at the heart of education and enforcement efforts. In an exclusive interview, the FTC's Joel Winston discusses: Top privacy risks facing consumers and businesses; How the agency is battling privacy risks; The latest on Identity Theft Red Flags Rule compliance. Winston is Associate Director of the Division of Privacy and Identity Protection of the Federal Trade Commission's Bureau of Consumer Protection. That division has responsibility for consumer privacy and data security issues, identity theft and credit reporting matters, among other things. Winston serves on the federal government's Identity Theft Task Force, which was created by President Bush in March 2006. He also is a member of the Advisory Board for the BNA Privacy & Security Law Reporter, and served on the Editorial Board and as an author for a treatise published in 200
-
Finding Cybersecurity Talent - Interview with Tom Stanton of Johns Hopkins University
09/06/2009 Tom Stanton, a fellow at the Center for the Study of American Government at Johns Hopkins University, knows cybersecurity and government, having authored last year's study, Defending Cyberspace: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving Threats. In an interview with Information Security Media Group's Eric Chabrow, Stanton discusses the challenges the government faces in attracting and retaining dedicated experts with the smarts, as managers and practitioners, to secure federal IT. To build such a workforce, he says, leadership must originate in the White House, with a respected and influential cybersecurity czar who goes beyond coordination. "The problem is that czars traditionally, at least in the Russian context, have been really bad managers," he says. "What we need in the American context is sound management of this problem." Among the ways the government can attract qualified personnel is to adopt a program used by the government duri
-
Obama's Cyber Plan Needs More Oomph - Interview with Eugene Spafford of Purdue University
09/06/2009 Eugene Spafford, one of the nation's top information security experts, who heads Purdue University's Center for Education and Research in Information Assurance and Security, likes the fact that cybersecurity is getting the attention from the White House and Congress that he feels it has long deserved. Still, Spaf - as he's affectionately known - expresses concern that President Obama isn't going far enough to elevate cybersecurity as a national priority, in part because the White House cybersecurity advisor is not seen as having the clout to create policy. And he wonders whether the president and Congress have the political wherewithal to invest enough money to truly secure federal IT. In an interview with the Information Security Media Group's Eric Chabrow, Spafford explains that: A high-ranking cybersecurity czar is needed as a peer of cabinet secretaries and major agency heads, to influence them to help advance federal IT security policy; Proposals to require the certification of information security professionals is
-
Call for Privacy Act to Catch Up with IT - Interview with Dan Chenok
05/06/2009 The law rarely keeps pace with advancements in information technology, and the 35-year-old federal Privacy Act has failed to provide the framework needed to protect the privacy of citizens. Dan Chenok chaired the federal Information Security and Privacy Advisory Board that issued a report entitled Toward a 21st Century Framework for Federal Government Privacy Policy, which calls for the creation of a federal chief privacy officer as well as chief privacy officers in major federal agencies and a federal Chief Privacy Officers' Council. The panel also recommended steps Congress and the Obama administration should take to change federal laws and regulations to allow the government to more efficiently use specific technologies, such as cookies, while maintaining citizens' privacy. Chenok, once the highest-ranking non-political IT official in the Office of Management and Budget and now a senior vice president at IT services provider Pragmatics, spoke with Information Security Media Group's Eric Chabrow
-
Creating Your Own Guidance - Interview with Charlotte CISO Randy Moulton
05/06/2009 Charlotte, N.C., Chief Information Security Officer Randy Moulton, unlike his counterparts in the federal government, is responsible for writing the regulations that guide the city government in securing its IT. As Moulton explains in this interview with Information Security Media Group's Eric Chabrow, Charlotte and North Carolina don't have the luxury of the Federal Information Security Management Act, the Office of Management and Budget and the National Institute of Standards and Technology to regulate and guide IT security compliance, though NIST guidance is often employed. Still, cities like Charlotte - population topping 600,000 - look to Washington for ideas, and Moulton says he's closely following developments from the White House as President Obama implements new federal cybersecurity policy, and wonders what impact that could have on his operation.
-
Key Lawmaker: High Rank for Cyber Czar - Interview with Rep. James Langevin
03/06/2009 Rep. James Langevin, D-R.I., holds out hope that the new White House cybersecurity coordinator will have more influence with the president than Obama suggested in his speech last week outlining the administration's approach to information security. As co-chair of the House Cybersecurity Caucus and of the influential public-private Commission on Cybersecurity for the 44th Presidency, Langevin wanted the cybersecurity adviser to be a special assistant, but he understands that an individual a step lower on the White House organizational chart - deputy special assistant - should still have enough sway to get the president's ear. In an interview with GovInfoSecurity.com's Eric Chabrow, Langevin discusses the responsibilities the White House and Congress have in securing government IT, including the need to provide proper funding, and the role government leaders must play in working with the private sector to safeguard the nation's critical IT infrastructure.
-
"So, You Want to Work in Cybersecurity?" - Nadia Short of General Dynamics
02/06/2009 From the president on down, the nation has a renewed focus on cybersecurity. Nadia Short of General Dynamics, a major government/defense contractor, discusses: The types of cybersecurity positions GD is filling; Requirements for qualified personnel; Potential career paths in cybersecurity. Nadia D. Short is vice president of strategy & business development at General Dynamics Advanced Information Systems. In this role, she is responsible for strategic planning, business development, international business, marketing and public relations, and customer and corporate relations.
-
A Red Team Primer
28/05/2009 NSA 'Hacker' Speaks Out. Legislation before Congress would require agencies to implement new ways to measure information security, including detailed blue-team analysis and red-team assaults on IT systems. Most civilian agencies have not conducted blue/red team analysis, but it has been common practice for years within Defense and intelligence agencies. Among the leading organizations conducting blue/red team analysis for the Department of Defense, intelligence agencies and some units of the Department of Homeland Security is the three-year-old Vulnerability Analysis and Operations Group at the National Security Agency. Tony Sager serves as the group's chief, and he says such testing requires far more planning between his organization and client agencies than most people would expect. "It's not freeform, turn a bunch of people loose," Sager says. "There's a lot of consideration given to what is it that the customer would like to learn." GovInfoSecurity.com Managing Editor Eric Chabrow interviewed Sager o
-
"If I Were Starting My Career Today..." - Interview with Steve Katz
22/05/2009 Steve Katz was the world's first CISO, and he has unique insight into the information security profession - how it has developed and where it's headed. In an exclusive interview, Katz discusses: How the information security role has evolved; Which trends are changing the role; The skillsets today's security professionals need to succeed tomorrow. Katz is a prominent figure in the network security discipline. Since 1985, he has served as the senior security executive at Citibank/Citigroup, JP Morgan and, most recently, Merrill Lynch, and has been a force in raising the visibility and shaping the direction of the security industry at industry and government levels. Deeply respected within both the financial services and security industries, Katz has testified to Congress on information security issues and was appointed Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury. Other credentials include: Founder and Chairman of the Financial
-
From Audit Guidelines to Red Team Attacks - Interview with Former Air Force CIO John Gilligan, Part 2
18/05/2009 It's been nearly four years since John Gilligan retired as Air Force chief information officer, but he remains a force in influencing the future direction of government information security. Earlier this year, Gilligan - president of the consultancy Gilligan Group - led a consortium of federal agencies and private organizations in developing the Consensus Audit Guidelines, which define the most critical security controls for protecting federal IT systems, and co-authored the influential Commission on Cybersecurity for the 44th Presidency report from the Center for Strategic and International Studies, a Washington think tank, which is helping shape federal government IT security policy. In this second part of a two-part interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Gilligan explains the importance of the Consensus Audit Guidelines and how so-called red teams are critical in identifying vulnerabilities in government IT systems. In the first part of the interview, Gilligan explains the importance of core