Today President Barack Obama presented a 10-point near-term action plan aimed at securing the federal government's and the nation's critical IT infrastructure. Why? Because "Acts of terror could come from a few keystrokes."
The 10 steps outlined are:
1. Appoint a cyber security official
2. Set up a national cyber security strategy
3. Make it a priority
4. Appoint a privacy and civil liberties official
5. Set up interagency mechanisms (Government teamwork)
6. Create a national public security awareness program
7. Develop international collaboration (International teamwork)
8. Create a national incident response plan
9. Support research and development
10. Create an identity management system (keeping privacy and civil liberties in mind)
President Obama's final remarks: "But we need to remember: We're only at the beginning. The epochs of history are long - the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy. We're only at Web 2.0. Now our virtual world is going viral. And we've only just begun to explore the next generation of technologies that will transform our lives in ways we can't even begin to imagine."
You may remember from one of my previous posts that the National Cyber Security Alliance is working on raising awareness and literacy of information security. This works hand in hand with point 6 of Obama's new initiative.
The real question now is what is to become of the current information security landscape. I have a few ideas of issues that should be addressed.
1. Simplify legislation. Currently we have different sets of rules for different sets of data. SOX, HIPAA, breach disclosure and other laws can be simplified and combined. Why have one law for financial data (GLBA), one for health data (HIPAA), one for student data (FERPA), one for financial reporting (SOX), etc.? Create one law that covers personally identifiable information (PII) and data integrity regardless of type.
2. Continue to raise public awareness.
3. Address jurisdictional issues with Internet-based crimes.
4. Create incentives for businesses to 'do the right thing', using both positive and negative reinforcement.
5. Take the bureaucracy out of FISMA.
6. Extend a new FISMA to state and local governments, along with the funding they need to implement it. State and local governments maintain part of the infrastructure, and the infrastructure is only as strong as its weakest link.
7. Understand that security is a process, not a goal.
8. Ensure security is implemented in a risk-based fashion.
9. Protect privacy while protecting the infrastructure.
There are probably 100 other things that can be done. These are just a few that are top issues in my mind.
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.