Last week marked the release of the preliminary NIPP (National Infrastructure Protection Plan) from the DHS, all 175 vague pages of it. It also marked the release of an audit of FEMA's database security, basically telling us what we already know - that FEMA's database security is in line with the rest of IT security in the DHS (i.e. minimal and poorly implemented).
Never being one to remove the splinter from its own eye before recommending a "vigilant foreign-body exploration posture" to others, the DHS includes a "honey-do" list in the NIPP for the world at large. There's a laundry list of task items for the private sector, additional specific recommendations broken down by sector, and to-do's for academia (unfunded, of course).
In general, I'm thinking that the recommendations will probably fly better with those folks who are out of the loop on the DHS security track record... On the upside, if you choose to ignore the recommendations by infrequently auditing, taking years to develop a security plan, not conducting training exercises, and having lax technical controls - you can honestly say that you've modeled your security program on how the DHS does business. If you decide to go that route, just remember that what works for the DHS may not work for you - after all, in the private sector, you're accountable to your customers.
Posted by Ed at November 8, 2005 08:45 AM