Government Information Security Podcast

Information:

Synopsis

Exclusive, insightful audio interviews by our staff with leading government/security practitioners and thought-leaders. Transcripts are also available on our site!

Episodes

  • Incident Response for Data Breaches - Shane Sims, PricewaterhouseCoopers

    10/07/2009

    A veteran cybersecurity pro, Shane Sims shares his insights on trends he's seeing as cybercrime continues to hit all companies, including financial institutions. Sims is currently a Director in the Forensic Services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cyber security services to commercial and government clients. He is a former FBI Supervisory Special Agent who specialized in cybercrime, digital evidence, computer exploitation, and network surveillance. Listen to this podcast and hear Sims' insights on: Who's hitting financial institutions with cybercrime activities; Why just having an incident response plan isn't enough; What needs to happen (and what shouldn't be done) when a breach occurs.

  • Can Cyber Terrorism Exist? - Interview with Jim Harper of The Cato Institute

    10/07/2009

    Jim Harper contends cyber terrorism does not exist, believing it's a creation of politicians, government contractors and pundits who try to make the problem of securing government IT bigger than it really is. Simply, it's a scare tactic. "Cyber terrorism, in particular, cannot exist," says Harper, director of information policy studies at The Cato Institute, a libertarian think tank. "I think there's no such thing as cyber terrorism because cyberattacks can't cause terror. They don't scare us, and that's an essential element of terrorism as the name implies." In an interview with Information Security Media Group's GovInfoSecurity.com, Harper also: Analogizes the digital world with the real world, and as everything in the real world isn't secured, not all things in cyberspace must be safeguarded, too. Proposes IT vendors assume more responsibility - and liability - for the products they sell in event of cyberattacks, even if that should raise the price of wares the government, businesses and consumers pay

  • Unique Programs: Excellence in Information Assurance, University of Dallas

    09/07/2009

    Information assurance is what everyone is talking about these days, and the term is strongly associated with "excellence" at the University of Dallas. Listen to Dr. Brett J.L. Landry, Director of the school's Center for Academic Excellence, Information Assurance, discuss: What makes the school's program unique; How students maximize their education; The future of information assurance education. Landry is the Ellis Endowed Chair of Technology Management, Associate Professor and Director of the Center for Academic Excellence in Information Assurance at the University of Dallas. He joined the University of Dallas in the fall of 2006, following six years of teaching at the University of New Orleans. He has worked in network security and design in the private and public sector and earned his Ph.D. from Mississippi State University. Landry has published numerous journal articles on Information Technology in the ACM Journal of Educational Resources in Computing (JERIC), Communications of the ACM (CACM), Dec

  • Marrying Physical, Virtual Security - Interview with Honolulu CIO Gordon Bruce

    08/07/2009

    It's a marriage made in heaven, if you see the tropical island of Oahu as paradise. In 2005, newly elected Honolulu Mayor Mufi Hannemann assembled the city's public safety and IT officials together to develop an integrated security program, forming a public safety oversight committee, chaired by chief information officer Gordon Bruce. "Anything that has to deal with security; anytime the issue of security came up, we put it on the list," Bruce says, in an interview with Information Security Media Group's GovInfoSecurity.com. "We took an entire, enterprise approach." Bruce spoke with GovInfoSecurity.com's Eric Chabrow about the benefits of linking governmental physical and IT security.

  • Getting the Basics Right - Interview with Jerry Davis, NASA deputy chief information officer for IT security.

    07/07/2009

    Securing innovative technology is admirable, but if you don't get the basics right, then an organization cannot truly secure its information technology. That simple belief is at the foundation of IT security efforts at the National Aeronautics and Space Administration (NASA), as articulated by Jerry Davis, NASA's deputy chief information officer for IT security. As NASA consolidates its IT infrastructure - active directory, IP address management and e-mail, to name a few - its security team is actively involved. "Security doesn't function on its own in silos," Davis says in an interview with Information Security Media Group's GovInfoSecurity.com. "Managing better IT in that regard helps us better to manage security as well." Davis also discusses the need for NASA to attract more highly skilled IT security practitioners, especially those with forensic experience, and secure new technologies such as iPhones that employees like to use. Davis was interviewed by GovInfoSecurity.com's Eric Chabrow.

  • Unique Programs: Enterprise Risk Management at NC State

    06/07/2009

    Risk management is a common theme across and within businesses, and at North Carolina State University the Enterprise Risk Management (ERM) program is attracting notice from prospective employers and students alike. Mark Beasley, head of the school's ERM initiative, discusses: What makes the program unique; The types of students entering and graduated from the initiative; How to approach a career in ERM. Beasley is the Deloitte Professor of Enterprise Risk Management at the College of Management at North Carolina State University in Raleigh, North Carolina. The Enterprise Risk Management (ERM) Initiative at NC State provides thought leadership about ERM practices and their integration with strategy and corporate governance. As founding director, Dr. Beasley leads the ERM Initiative's efforts to help pioneer the development of this emergent discipline through outreach to business professionals, with its ongoing ERM Roundtable Series and ERM Executive Education for boards and senior executives; research, a

  • Match Game: Security Controls and Reported Incidents - Interview with John Streufert, State Department Deputy CIO and CISO, Part 2

    06/07/2009

    When a consortium of federal agencies and private organizations circulated among federal agencies earlier this year the Consensus Audit Guidelines, the IT security team at the State Department mapped these 20 most critical cybersecurity controls against security incidents reported by State to the Department of Homeland Security. John Streufert, deputy chief information officer and chief information security officer at the State Department, in an interview reveals the results of the match and explains how that knowledge helps the department secure its worldwide IT systems and networks. In addition, Streufert discusses a new grading system employed by State aimed at reducing systems and network vulnerabilities. Streufert, in an earlier interview, discussed the department's Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. Streufert spoke with Information Se

  • Beyond FISMA: State Dept.'s Next Gen Metric - Interview with John Streufert, State Department Deputy CIO and CISO

    02/07/2009

    To get a peek as to how IT security will be measured after FISMA, take a look at what's happening at Foggy Bottom. The State Department in 2006 instituted its Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. John Streufert, the State Department deputy chief information officer and chief information security officer, says in an interview with GovInfoSecurity.com that the daily monitoring of IT vulnerabilities under Risk Scoring truly measures systems and network security as compared with the once-every-three-year assessment required by the Federal Information Security Management Act of 2002. Because of Risk Scoring, overall risk on State's key unclassified network has plunged by more than 80 percent in the past year. As lawmakers craft legislation to upgrade to FISMA, expect to see a program like Risk Scoring incorporated in it. Streufert spoke with Eric Chabrow, GovInfoSecurity.com managing ed

  • 4 Key Areas of Cybersecurity R&D

    24/06/2009

    Interview with Deborah Frincke of the Pacific Northwest National Laboratory. Deborah Frincke is leading a team of computer scientists at the Pacific Northwest National Laboratory, one of nine Department of Energy national labs, to find new ways to defend government IT systems. In an interview with the Information Security Media Group, Frincke describes four areas of research and development being conducted at the Richland, Wash., labs: Adaptive Systems that preserve the intended mission of the systems regardless of attempts at manipulation; Cyber Analytics that provide a broader context for decision making; Predictive Defense that supports strategic and tactical decisions in preserving the long-term soundness of the infrastructure; and Trustworthy Engineering that establishes and maintains security goals. Frincke spoke with Eric Chabrow, managing editor of GovInfoSecurity.com. (A summary of the lab's R&D activities can be found here: i4.pnl.gov.)

  • Audit, Risk Trends: Insights from David Melnick of Deloitte

    22/06/2009

    Audit and enterprise risk - they're inextricably linked. As cyber threats grow - from the inside and out - organizations and their regulators must pay closer attention to technology and information security. What are some of the key audit and risk trends to track? David Melnick of Deloitte answers that question in an interview focusing on: Top challenges for financial institutions and government agencies; Successful strategies being deployed to mitigate threats; Trends organizations should track as they eye 2010. Melnick is a principal in security and privacy services within the audit and enterprise risk services practice in the Los Angeles office of Deloitte and brings more than 17 years of experience designing, developing, managing and auditing large scale secure technology infrastructure. Melnick has authored several technology books and is a frequent speaker on the topics of security and electronic commerce.

  • Yearly Security Awareness Training Isn't Enough - Interview with Hord Tipton of (ISC)2

    17/06/2009

    From his perch as executive director of (ISC)2, the not-for-profit certifier of IT security professionals, and as the former CIO at the Interior Department, Hord Tipton has a close-up view on what works and doesn't work in regard to training government employees on information security awareness. In an interview with Information Security Media Group's GovInfoSecurity.com, Tipton discusses the: Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents; Challenges the government faces in hiring qualified cybersecurity practitioners even if there aren't enough applicants with IT security certification; and Expansion of information security awareness beyond government agencies and establishing programs in elementary and secondary schools. Tipton spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.

  • IT Security Pros Collaborate on Privacy Act Rewrite - Interview with Ari Schwartz of the Center for Democracy and Technology

    16/06/2009

    Ari Schwartz wants you to help draft the new federal Privacy Act, and he's providing the tool for you to do that. Schwartz is vice president and chief operating officer of the public interest group Center for Democracy and Technology, which has on its site, at eprivacyact.org, a wiki in which cybersecurity professionals are proposing language on how the 35-year-old law should be upgraded. Schwartz hopes to send lawmakers CDT's final draft by the end of June, so legislation could be introduced by Independence Day. The law has not kept up with technology, such as data mining. Also, Congress enacted the original act years before anyone even heard of the Internet technology that easily makes sharing of information, which proves problematic. Schwartz spoke with Information Security Media Group's Eric Chabrow about the changes he sees the Privacy Act needs and how the wiki works and who is using it.

  • Information Security Education: Expanding Career Opportunities Through Advanced Education at Regis University

    15/06/2009

    With the Obama administration's focus on cybersecurity, this is a good time to start or move into an information security career. And Regis University in Colorado is one institution offering state-of-the-art education for undergraduates and graduates alike. In an exclusive interview, Daniel Likarish, faculty of the Regis University School of Computer & Info Sciences, discusses: The information security programs at Regis University; The unique types of students enrolled in these programs; Job placement and opportunities in business and government. Regis University, with nearly 16,000 students, comprises Regis College, College for Professional Studies and Rueckert-Hartman College for Health Professions. The University is recognized by U. S. News & World Report as a Top School in the West and is one of 28 Catholic Jesuit colleges and universities throughout the United States. Regis University is located at 3333 Lowell Blvd. at 50th Street in north Denver. In addition to its north Denver Lowell campus, the U

  • In Silence, Cybersecurity Action - Interview with Jim Flyzk, former Treasury CIO

    12/06/2009

    Cybersecurity isn't getting as much publicity in and around Washington as it did a month ago, when speculation was hot about what was in White House adviser Melissa Hathaway's famous 60-day review of federal government cybersecurity policy and President Obama announced he intends to name a cybersecurity coordinator. But, as Jim Flyzk says in this interview conducted Friday, June 12, much action is occurring behind the scenes, at government contractors with designs to win an expected increase in the number of federal cybersecurity contracts and along the corridors of the White House and Capitol as officials prepare for a sea change in the way the government addresses information security. One thing is for certain, Flyzk says, cybersecurity is now a crucial topic that won't be ignored. Flyzk, if anything, is as well connected as anyone in Washington's government IT community. He spent 27 years in government, most notably as chief information officer of the Treasury Department and White House IT advisor on ho

  • Pandemic Update: Regina Phelps on Level 6 and What it Means

    12/06/2009

    On Thursday, the World Health Organization declared the H1N1 virus to be the first global pandemic in over 40 years. In an exclusive interview, pandemic expert Regina Phelps explains exactly what this means, discussing: How organizations should respond to this announcement; Lessons learned so far from the H1N1 experience; What to expect - and how to respond - in the coming weeks. Phelps is an internationally recognized expert in the field of emergency management and continuity planning. With over 26 years of experience, she has provided consultation and educational speaking services to clients in four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in emergency management, continuity planning and safety.

  • Michigan's Pass-Fail IT Security Challenge - Interview with Michigan CTO Dan Lohrmann

    11/06/2009

    After nearly seven years as Michigan chief information security officer, Dan Lohrmann got promoted earlier this year to the post of state chief technology officer. But despite new responsibilities, Lohrmann remains a key knowledge center on how Michigan handles information security. Lohrmann, in an interview, says preventing data loss is among the biggest IT security challenges the state faces. Speaking with Information Security Media Group's Eric Chabrow, Lohrmann compares how the state governs cybersecurity with that of the federal government, and in many respects, it's not much different. Michigan relies on the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology to keep state IT safe. One advantage, Lohrmann concedes, the state has over its federal counterparts: Michigan isn't graded on compliance by the Office of Management and Budget.

  • Red Flags and Privacy: FTC Insights from Joel Winston

    10/06/2009

    Data and privacy protection - there's much that government, industry and consumers alike can do to improve information security. And the Federal Trade Commission (FTC) is at the heart of education and enforcement efforts. In an exclusive interview, the FTC's Joel Winston discusses: Top privacy risks facing consumers and businesses; How the agency is battling privacy risks; The latest on Identity Theft Red Flags Rule compliance. Winston is Associate Director of the Division of Privacy and Identity Protection of the Federal Trade Commission's Bureau of Consumer Protection. That Division has responsibility over consumer privacy and data security issues, identity theft and credit reporting matters, among other things. Mr. Winston serves on the federal government's Identity Theft Task Force, which was created by President Bush in March 2006. He also is a member of the Advisory Board for the BNA Privacy & Security Law Reporter, and served on the Editorial Board and as an author for a treatise published in 200

  • Finding Cybersecurity Talent - Interview with Tom Stanton of Johns Hopkins University

    09/06/2009

    Tom Stanton, a fellow at the Center for the Study of American Government at Johns Hopkins University, knows cybersecurity and government, having authored last year's study, Defending Cyberspace: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving Threats. In an interview with Information Security Media Group's Eric Chabrow, Stanton discusses the challenges the government faces in adequately attracting and maintaining dedicated experts with the smarts as managers and practitioners to secure federal IT. To build such a workforce, he says, leadership must originate in the White House, with a respected and influential cybersecurity czar who goes beyond coordination. "The problem is that czars traditionally, at least in the Russian context, have been really bad managers," he says. "What we need in the American context is sound management of this problem." Among the ways the government can attract qualified personnel is to adopt a program used by the government duri

  • Obama's Cyber Plan Needs More Oomph - Interview with Eugene Spafford of Purdue University

    09/06/2009

    Eugene Spafford, one of the nation's top information security experts who heads Purdue University's Center for Education and Research in Information Assurance and Security, likes the fact that cybersecurity is getting the attention he feels it long deserved from the White House and Congress. Still, Spaf - as he's affectionately known - expresses concern that President Obama isn't going far enough to elevate cybersecurity as a national priority, in part, because the White House cybersecurity advisor is not seen as having the clout to create policy. And, he wonders if the president and Congress have the political wherewithal to invest enough money to truly secure federal IT. In an interview with the Information Security Media Group's Eric Chabrow, Spafford explains that: A high-ranking cybersecurity czar is needed to be a peer of cabinet secretaries and major agency heads to influence them to help advance federal IT security policy; Proposals to require the certification of information security professionals is

  • Call for Privacy Act to Catch Up with IT - Interview with Dan Chenok

    05/06/2009

    The law rarely keeps pace with advancements in information technology, and the 35-year-old federal Privacy Act has failed to provide the proper framework needed to protect the privacy of citizens. Dan Chenok chaired the federal Information Security and Privacy Advisory Board that issued a report entitled Toward a 21st Century Framework for Federal Government Privacy Policy that calls for the creation of a federal chief privacy officer as well as chief privacy officers in major federal agencies and a federal Chief Privacy Officers' Council. The panel also recommended steps Congress and the Obama administration should take to change federal laws and regulations to allow the government to more efficiently use specific technologies, such as cookies, while maintaining citizens' privacy. Chenok, the one-time highest ranking non-political IT official in the Office of Management and Budget and now a senior vice president at IT services provider Pragmatics, spoke with Information Security Media Group's Eric Chabrow
