Subject: Re: Homeland Security gets an F for computer security
From: "Rich Gauszka"
"Rich Gauszka" wrote in message
news:441a493b$1{at}w3....
> Not necessarily - It depends on who was chosen to do the review and the
> methodology used for it. Since it's a security review I don't know how
> much testimony we'll get to see when the senior IT staffers meet with the
> committee. I would definitely be interested in hearing some of the reasons
> for the unacceptable evaluation.
>
> "Mark" wrote in message
news:441a4599$1{at}w3....
>> "The scorecards, which are compiled by the House Committee On Government
>> Reform..."
>>
>> Sort of like the blind judging the deaf, yes?
>>
>>
>> "Rich Gauszka" wrote in message
>> news:441a43da{at}w3....
>>> maybe DHS and DOD should get some help from the SSA
>>>
>>>
>>> http://news.yahoo.com/s/pcworld/20060316/tc_pcworld/125110;_ylt=AgodYs0nGZdc1NtV7ipEI.UOSLMF;_ylu=X3oDMTA5aHJvMDdwBHNlYwN5bmNhdA--
>>>
>>> The U.S. government will get low marks for computer security in a

It looks like the scorecard may be indicative of nothing but the ability to
fill out reports though as opposed to the ability to secure a
system/network/process.

http://www.computerworld.com/securitytopics/security/story/0,10801,109588,00.html

The annual scorecards are based on reports submitted to Congress by the
different government agencies, as mandated by the Federal Information
Security Management Act of 2002 (FISMA).

The reports are designed to gauge whether the departments meet federally
mandated security standards, but according to one observer, they say very
little about the security of the IT systems in those departments.

"You get a very low score if you haven't finished a whole bunch of
reports called Certification & Accreditation Reports," said Alan
Paller, director of research at the SANS Institute, a computer security
training organization in Bethesda, Md. "They're 90% documentation of
the system."

"Even the consultants that write these reports have never secured a
computer system," he added. "They wouldn't know a secure system
if they met it on the street."

Rather than looking at whether agencies are meeting FISMA requirements, the
government should adopt scorecards that measure the real-world
"readiness" of its computer systems, much as the military reports
on the battle readiness of its weapon systems, Paller said.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)