
Comprehensive Security Approach

What is the idea?

The government should consider a key trusted security advisor and security partner(s) in monitoring expenditures and using recovery funds.

Why is it important?

The government must consider the likelihood of piracy and theft of both direct capital and information capital as it carries out its recovery tasking. All levels of security must be accounted for and employed, including Governance and Compliance at a high level as well as securing People and Identity, Data and Information, Applications and Processes, Networks, Servers and Endpoints, and most certainly Physical Infrastructure. While the government does indeed have home-grown capability in each area, it can certainly benefit from corporate knowledge, strategies and products, both for best practices and for cost-saving security tools.

Critical to leveraging the corporate arena will be finding actual corporations that provide best-of-breed products, services and resources, and that have both a strong R&D backbone and real-world implementation, ideally in a global setting. The two must co-exist for effective continual security, as the world of cyber-crime and cyber-terrorism methodologies is in constant flux.

So which companies exist that provide such comprehensive security? There really is no actual silver bullet, as completely overhauling existing security infrastructure is cost-prohibitive. However, a corporation with deep security knowledge, frameworks to integrate security tools cross-vendor rather than straight rip-and-replace, and significant incumbency and experience does fortunately exist. IBM immediately comes to mind as a clear-cut leader.

Submitted by MJELLIN (Information Security/Assurance) on Apr 27, 2009


Current number of stars: 3
based on 1 vote

1 Comment

Member comment

I always think of access-security as like a three-legged stool, with the organization sitting on the stool. I've worked in these areas since 1984.

The legs are 1) Authentication, 2) Access-requirements, and 3) Authorization.

PKI and biometric capabilities take care of 1) Authentication. Access-specifications (like a lock's mechanism) and resource/asset permission mechanisms take care of 3) Authorization.

The hard part is 2) Access-requirements (like a key to turn the lock's mechanism and then open the lock). There are many methods for determining who (person or process) needs access to what (resource or process). The most effective method is going to include some form of visible role-based or "attribute-based" access-requirement definition and governance.

I believe that a comprehensive domain terminology provides the best mechanism for 2) Access-requirement definition, tracking, and governance.

Terminology and Terminology Servers are already part of some "access and distribution" provisioning systems (often called "policy servers").  But, consistent terminology across domains is usually not available, so access-requirements management across domains is usually not available, so access-security across domains is usually not available.

Solution: whatever information technology and underlying data structure/syntax is used for access-security, there needs to be a consistent terminology method that will result in cross-domain, cross-organizational 2) Access-requirement definition and management. For this, I recommend a single endeavor-wide (ARRA, for the Nation) terminology design and implementation (which would be its own first access-security customer).

 

Comment from RoyERoebuck at One World Information System on Apr 30, 2009
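The comment above separates authentication, access-requirements and authorization, and argues that access requirements cannot be managed across domains unless the domains share a terminology. The following is an added example written for this page, not code from the commenter or from any policy server product. It models the three legs in a few dozen lines: a per-domain signed assertion stands in for PKI-backed authentication, access requirements are written against a small set of canonical terms, and a terminology table translates each domain's local attribute names into those terms before the authorization decision is made. The domain names ("hhs", "dot"), attribute names, signing keys and the policy itself are all constructed for illustration and describe no real agency or system. Passing `use_terminology=False` shows the failure mode the comment describes: the same subject, with the same attributes, is denied because the requirement and the attributes no longer speak the same vocabulary.

```python
"""Added example (not from the page): three-legged access security with a
shared terminology layer between domains.

All domain names, attribute names, keys and the policy are constructed for
illustration only; they do not describe any real agency or system.
"""
import hashlib
import hmac
import json

# Hypothetical per-domain signing keys: a stand-in for each domain's PKI or
# identity provider (leg 1, authentication). Real deployments would use
# certificates, not shared secrets.
DOMAIN_KEYS = {"hhs": b"hhs-demo-key", "dot": b"dot-demo-key"}

# Endeavor-wide canonical terms that every access requirement is written in.
CANONICAL_TERMS = {"clearance", "org_unit", "role"}

# Each domain's local vocabulary, mapped onto the canonical terms.
TERMINOLOGY = {
    "hhs": {"clr": "clearance", "dept": "org_unit", "job": "role"},
    "dot": {"security_level": "clearance", "division": "org_unit",
            "position": "role"},
}

# Leg 2, access requirements: the canonical attribute values a subject needs
# for each resource class. A resource class with no entry is denied.
REQUIREMENTS = {
    "recovery_ledger": {"clearance": {"secret", "top_secret"},
                        "role": {"auditor", "comptroller"}},
    "public_report": {"role": {"auditor", "comptroller", "analyst"}},
}


def issue_assertion(domain, subject, attrs):
    """The domain's identity provider signs the subject's attributes."""
    payload = json.dumps({"domain": domain, "subject": subject, "attrs": attrs},
                         sort_keys=True).encode()
    tag = hmac.new(DOMAIN_KEYS[domain], payload, hashlib.sha256).hexdigest()
    return payload, tag


def authenticate(payload, tag):
    """Leg 1: accept the claims only if the tag verifies under the key of the
    domain the assertion claims to come from."""
    claims = json.loads(payload)
    key = DOMAIN_KEYS.get(claims.get("domain"))
    if key is None:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return claims if hmac.compare_digest(expected, tag) else None


def normalize(domain, local_attrs):
    """Translate a domain's local attribute names to canonical terms.
    A local name with no mapping is dropped, not passed through, so an
    unmapped attribute can never satisfy a requirement by accident."""
    mapping = TERMINOLOGY.get(domain, {})
    canonical = {}
    for name, value in local_attrs.items():
        term = mapping.get(name, name if name in CANONICAL_TERMS else None)
        if term is not None:
            canonical[term] = value
    return canonical


def decide(payload, tag, resource_class, use_terminology=True):
    """Leg 3, authorization: default deny; every predicate of the matching
    requirement must hold. With use_terminology=False the requirement is
    checked against the raw local names, which is the cross-domain failure
    the comment describes. Returns (allowed, reason)."""
    claims = authenticate(payload, tag)
    if claims is None:
        return False, "authentication failed"
    required = REQUIREMENTS.get(resource_class)
    if required is None:
        return False, "no access requirement defined for %s" % resource_class
    if use_terminology:
        attrs = normalize(claims["domain"], claims["attrs"])
    else:
        attrs = dict(claims["attrs"])
    for term, allowed in required.items():
        if attrs.get(term) not in allowed:
            return False, "requirement on %r not met" % term
    return True, "all requirements met"


if __name__ == "__main__":
    # Constructed subject from the hypothetical "hhs" domain.
    p, t = issue_assertion("hhs", "alice",
                           {"clr": "secret", "dept": "OIG", "job": "auditor"})
    print(decide(p, t, "recovery_ledger"))                        # allowed
    print(decide(p, t, "recovery_ledger", use_terminology=False))  # denied
```

The decision is default-deny at every step: an unverifiable assertion, an undefined resource class, or any unmet predicate short-circuits to a denial with a reason string. Dropping unmapped attributes in `normalize` is deliberate; if a domain's local name happened to collide with a canonical term it would still only be honoured when the terminology table says so.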