Month: June 2005

All major agencies are required to submit implementation plans to the White House Office of Management and Budget that describe how they intend to meet the smart-card requirements outlined in Federal Information Processing Standard 201. The cards must support two-factor authentication via digital certificates, a password or personal identification number, and biometric identifiers.

The effort required for most agencies to conform to the mandates makes meeting the two October deadlines “very challenging,” said John Moore, chairman of the Federal Smart Card Project Managers Group and director of the Office of Governmentwide Policy at the General Services Administration in Washington.

Because the Personal Identity Verification (PIV) cards will control access to both physical and IT assets, IT departments within agencies have to work with their counterparts on the physical security side, as well as with badging and access-control staffers and human resources personnel, Moore said. The specification is designed to make the smart cards more interoperable than existing ones, said Curt Barker, NIST’s FIPS-201 program manager.

For instance, the U.S. Department of Defense has rolled out more than 4 million of the previous-generation cards. Although Barker said the transition is intended to be “evolutionary,” he noted that agencies such as the DOD could find things “a bit more complex” than agencies that are implementing smart-card technology for the first time.

Some of the technical details of the smart cards themselves are still in draft form, said Neville Pattison, director of technology and government affairs at Axalto Inc., a smart-card manufacturer in Austin. Large-scale manufacturing of PIV cards is unlikely to happen before the second half of next year, said Pattison, who was on a team that acted as a liaison between agencies and technology vendors.

http://www.computerworld.com/securitytopics/security/story/0,10801,102778,00.html

One of several seminars being featured during Ziff Davis Internet’s SMB (small and midsize business) Solutions Virtual Tradeshow, a hot-button virtual panel titled “Security Priorities: Getting the Most Protection for Your Dollar” featured three presenters.

Each presenter examined different aspects of the SMB security issue, along with polls and a question-and-answer interactive box for participants to type in questions relating to the topic.

The first speaker, Michael Grieves, consulting partner for channel strategies firm Core Strategies and director of research of the MIS department at the University of Arizona, said that because smaller businesses don’t have the resources of their larger brethren, members of such organizations “have got to go look in the mirror” to find somebody to handle their security needs, adding that it is a fairly lonely proposition. Grieves went on to present a set of what he called “realistic security steps” that SMBs can use to protect themselves and to sense and respond to incidences without needing the sorts of resources to which larger enterprises have access. According to Grieves, these four steps are making IT security a priority; taking obvious steps such as keeping systems up-to-date and implementing virus protection; being paranoid about security; and developing an emergency plan of action before any emergencies arise.

John Norman, a systems engineer at Advanced Systems Group, focused on sensible security strategies for SMBs, said that perhaps the biggest problem SMBs face in developing a security strategy is one of prioritization. In determining these priorities, Norman noted that it may not be feasible to protect some of a company’s assets and to weigh security costs against the time, money and convenience required.

SMBs may need to hire consultants to obtain expertise and outsource such services as regular audits and firewall maintenance, he said.

Meanwhile, Forrester Research analyst Paul Stamp discussed data his group has collected about the importance of security among SMBs. According to Stamp, about 28 percent of North American SMBs spend between 2 percent and 4 percent of their budgets on IT security, while another 28 percent spent less than 2 percent. In addition, about 12 percent of decision-makers for the SMBs Stamp surveyed “didn’t know” how much their companies spent on security.

http://www.eweek.com/article2/0,1759,1830641,00.asp?kc=EWRSS03119TX1K0000594