CSC Offers 25 Recommendations for Improving IT Security
Preparation and collaboration between the public and private sectors are two of the most important issues for improving information and physical security for government agencies and corporations, according to a list of 25 security-related recommendations released by CSC at the Networked Economy Summit, which was held June 9-11 in Reston, Va.
According to the CSC recommendations, preparation encompasses a wide range of topics including maintaining network firewalls; knowing which law enforcement agencies to contact in the event information systems are compromised; training first responders; using "ethical hackers" to identify IT vulnerabilities; and employing biometrics to authenticate identity.
CSC’s collaboration-related recommendations call for companies to participate actively in public-private advisory boards and work with government agencies to overcome technological and organizational barriers to information sharing. This includes potential legislative changes designed to protect companies working to secure the national critical infrastructure.
CSC’s 25 Recommendations for Information and Infrastructure Security
How do I address weaknesses in my information infrastructure?
- Develop and maintain good security policies and procedures to form a baseline. A business case should be made for any exceptions.
- Use an intrusion detection system to identify unauthorized attempts before they have a chance to succeed or cause damage. Monitoring is also important to determine the extent of damage and necessary corrective action should an event occur.
- Keep all systems patched and current with the latest software releases. This prevents attackers from exploiting older vulnerabilities and minimizes the risk from new ones.
- Maintain a firewall and buffer zone for externally facing services such as Web services.
- Perform periodic vulnerability assessments for both internal and external networks and Internet connections.
How can companies and organizations help ensure homeland security?
- Federal agencies must work to overcome technological and organizational barriers to sharing vulnerability information with each other, the public, industry, and state and local governments while adhering to appropriate laws and regulations.
- Companies that own or operate elements of the critical national infrastructure must develop inter-working strategies with government agencies regarding threat alerts and incident response activities.
- Organizations should take a thorough and systematic approach to threat assessment followed by actions that address vulnerabilities and close gaps. Avoid quick fixes and checklist assessments that leave your organization vulnerable. A determined criminal or terrorist will be patient, flexible and creative.
- First responders at the state and local levels should be well trained and equipped with tools, strategies, tactics and equipment to deal with terrorism and weapons of mass destruction. These should be the same as used by federal agencies so that the combined response is seamless and effective.
- Threat screening at high-volume, inter-modal transportation facilities should involve biometrics, automated identification and other technologies in a manner that balances security, privacy and commerce.
How can the public and private sectors work more closely to protect our nation’s critical infrastructure from attack?
- Corporate and public-sector leaders must accept responsibility for all security concerns -- including cyber security -- and manage the risks as they do all concerns their organizations face.
- Companies should participate actively in industry and public-private organizations designed to share information and address critical infrastructure security issues.
- Government must continue to recognize the key role private companies play in the effort and should work with them in true partnerships.
- Congress should pass legislation that protects companies sharing information for homeland security purposes from Freedom of Information Act inquiries and from anti-trust prosecution.
- As talks regarding security standards ensue, government should recognize that the IT and telecommunications industries are in a constant state of innovative flux. The government should not attempt to direct specific technical solutions through legislation, regulation or standards mandates.
What can companies do to protect their information infrastructure?
- Make information risk management a business issue. Do not leave it as a sideline IT or add-on cost issue.
- Identify a model for information risk management within the enterprise. Value and prioritize assets, processes and operating capabilities in terms of that model.
- Establish a security service measurement capability so that you can decide how much information risk management is "enough."
- Establish at least one information security program activity for each dimension of the selected information risk management model. Assign a metric and a baseline value to each one.
- Develop and rehearse an incident response capability for responding to viruses, intrusions, worms or other emergencies.
What more can companies and law enforcement agencies do to catch criminals in cyberspace?
- As with any crime, an appropriate first response is key to investigating and prosecuting an offender. Organizations and law enforcement agencies should be prepared to work together in responding to an incident.
- Corporations should train their own first cyber responders (system administrators and intrusion detection system personnel) to know what qualifies as an incident, when to contact law enforcement and which agencies can help.
- Preparation is crucial for a law enforcement agency about to investigate an incident. Key information such as the nature of the incident, as well as the classification and configuration of the affected equipment, should be gathered in order to prepare an IT tool kit for the investigation.
- Upon arrival, law enforcement agencies should capture and preserve the data for prosecution. Gathering logs from other machines that may have evidence of the intrusion can also help.
- A complete analysis of the compromised system should be performed in a lab. Searching slack, unallocated or deleted space is key to uncovering evidence.