Computer Security Program Management
An organization's components may develop
specialized expertise, which can be shared among
For example, one operating unit may
primarily use UNIX and have developed skills in
A second operating unit (with only one UNIX machine) may concentrate on MVS security and rely on the first unit's knowledge and skills for its UNIX machine.
The Office of Management and Budget, the General Services Administration, the National Institute of Standards and Technology, and the National Telecommunications and Information Administration provide information on computer, telecommunications, or information resources.
This information includes security-related policy, regulations, standards, and guidance.
A portion of the information is channelled
through the senior designated official for each agency (see Federal Information Resources
Management Regulation [FIRMR] Part 201-2).
Agencies are expected to have mechanisms in
place to distribute the information the senior designated official receives.
Computer security-related information is also available from private and federal professional
societies and groups.
These groups will often provide the information as a public service,
although some private groups charge a fee for it.
However, even for information that is free or
inexpensive, the costs associated with personnel gathering the information can be high.
Internal security-related information, such as which procedures were effective, virus infections, security problems, and solutions, needs to be shared within an organization.
Often this information
is specific to the operating environment and culture of the organization.
A computer security program administered at the organization level can provide a way to collect
the internal security-related information and distribute it as needed throughout the organization.
Sometimes an organization can also share this information with external groups.
See Figure 6.3.
Another use of an effective conduit of information is to increase the central computer security
program's ability to influence external and internal policy decisions.
If the central computer
security program office can represent the entire organization, then its advice is more likely to be
heeded by upper management and external organizations.
However, to be effective, there should
be excellent communication between the system-level computer security programs and the
For example, if an organization were considering consolidating its mainframes
into one site (or considering distributing the processing currently done at one site), personnel at
the central program could provide initial opinions about the security implications.
To speak authoritatively, central program personnel would have to actually know the security impacts of the proposed change, information that would have to be obtained from the system-level computer security program.
Besides being able to help an organization use