Synopsis
Exclusive, insightful audio interviews by our staff with leading government/security practitioners and thought-leaders. Transcripts are also available on our site!
Episodes
-
Red Flags and Privacy: FTC Insights from Joel Winston
10/06/2009
Data and privacy protection - there's much that government, industry and consumers alike can do to improve information security. And the Federal Trade Commission (FTC) is at the heart of education and enforcement efforts. In an exclusive interview, the FTC's Joel Winston discusses: Top privacy risks facing consumers and businesses; How the agency is battling privacy risks; The latest on Identity Theft Red Flags Rule compliance. Winston is Associate Director of the Division of Privacy and Identity Protection of the Federal Trade Commission's Bureau of Consumer Protection. That Division has responsibility over consumer privacy and data security issues, identity theft and credit reporting matters, among other things. Mr. Winston serves on the federal government's Identity Theft Task Force, which was created by President Bush in March 2006. He also is a member of the Advisory Board for the BNA Privacy & Security Law Reporter, and served on the Editorial Board and as an author for a treatise published in 200
-
Finding Cybersecurity Talent - Interview with Tom Stanton of Johns Hopkins University
09/06/2009
Tom Stanton, a fellow at the Center for the Study of American Government at Johns Hopkins University, knows cybersecurity and government, having authored last year's study, Defending Cyberspace: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving Threats. In an interview with Information Security Media Group's Eric Chabrow, Stanton discusses the challenges the government faces in adequately attracting and maintaining dedicated experts with the smarts as managers and practitioners to secure federal IT. To build such a workforce, he says, leadership must originate in the White House, with a respected and influential cybersecurity czar who goes beyond coordination. "The problem is that czars traditionally, at least in the Russian context, have been really bad managers," he says. "What we need in the American context is sound management of this problem." Among the ways the government can attract qualified personnel is to adopt a program used by the government duri
-
Obama's Cyber Plan Needs More Oomph - Interview with Eugene Spafford of Purdue University
09/06/2009
Eugene Spafford, one of the nation's top information security experts who heads Purdue University's Center for Education and Research in Information Assurance and Security, likes the fact that cybersecurity is getting the attention he feels it long deserved from the White House and Congress. Still, Spaf - as he's affectionately known - expresses concern that President Obama isn't going far enough to elevate cybersecurity as a national priority, in part because the White House cybersecurity advisor is not seen as having the clout to create policy. And he wonders if the president and Congress have the political wherewithal to invest enough money to truly secure federal IT. In an interview with the Information Security Media Group's Eric Chabrow, Spafford explains that: A high-ranking cybersecurity czar is needed to be a peer of cabinet secretaries and major agency heads to influence them to help advance federal IT security policy; Proposals to require the certification of information security professionals is
-
Call for Privacy Act to Catch Up with IT - Interview with Dan Chenok
05/06/2009
The law rarely keeps pace with advancements in information technology, and the 35-year-old federal Privacy Act has failed to provide the proper framework needed to protect the privacy of citizens. Dan Chenok chaired the federal Information Security and Privacy Advisory Board that issued a report entitled Toward a 21st Century Framework for Federal Government Privacy Policy that calls for the creation of a federal chief privacy officer as well as chief privacy officers in major federal agencies and a federal Chief Privacy Officers' Council. The panel also recommended steps Congress and the Obama administration should take to change federal laws and regulations to allow the government to more efficiently use specific technologies, such as cookies, while maintaining citizens' privacy. Chenok, the one-time highest ranking non-political IT official in the Office of Management and Budget and now a senior vice president at IT services provider Pragmatics, spoke with Information Security Media Group's Eric Chabrow
-
Creating Your Own Guidance - Interview with Charlotte CISO Randy Moulton
05/06/2009
Charlotte, N.C., Chief Information Security Officer Randy Moulton, unlike his counterparts in the federal government, is responsible for writing the regulations that guide how the city government secures its IT. As Moulton explains in this interview with Information Security Media Group's Eric Chabrow, Charlotte and North Carolina don't have the luxury of the Federal Information Security Management Act, the Office of Management and Budget and the National Institute of Standards and Technology to regulate and guide IT security compliance, though NIST guidance is often employed. Still, cities like Charlotte - population topping 600,000 - look to Washington for ideas, and Moulton says he's closely following developments from the White House as President Obama implements new federal government cybersecurity and wonders what impact that could have on his operation.
-
Key Lawmaker: High Rank for Cyber Czar - Interview with Rep. James Langevin
03/06/2009
Rep. James Langevin, D.-R.I., holds out hope that the new White House cybersecurity coordinator will have more influence with the president than Obama suggested in his speech last week outlining the administration's approach to information security. As co-chair of the House Cybersecurity Caucus and the influential public-private Commission on Cybersecurity for the 44th President, Langevin wanted the cybersecurity adviser to be a special assistant, but would understand that individual a step lower on the White House organizational chart - deputy special assistant - should have enough sway to get the president's ear. In an interview with GovInfoSecurity.com's Eric Chabrow, Langevin discusses the responsibilities the White House and Congress have in securing government IT, including the need to provide proper funding, and the role government leaders must play to work with the private sector to safeguard the critical national IT infrastructure.
-
"So, You Want to Work in Cybersecurity?" - Nadia Short of General Dynamics
02/06/2009
From the president on down, the nation has a renewed focus on cybersecurity. Nadia Short of General Dynamics, a major government/defense contractor, discusses: The types of cybersecurity positions GD is filling; Requirements for qualified personnel; Potential career paths in cybersecurity. Nadia D. Short is vice president of strategy & business development at General Dynamics Advanced Information Systems. In this role, she is responsible for strategic planning, business development, international business, marketing and public relations, and customer and corporate relations.
-
A Red Team Primer
28/05/2009
NSA 'Hacker' Speaks Out
Legislation before Congress would require agencies to implement new ways to measure information security, including detailed blue-team analysis and red-team assaults on IT systems. Most civilian agencies have not conducted blue/red team analysis, but it's been a common practice for years within Defense and intelligence agencies. Among the leading organizations conducting blue/red team analysis for the Department of Defense, intelligence agencies and some units at the Department of Homeland Security is the three-year-old Vulnerability Analysis and Operations Groups at the National Security Agency. Tony Sager serves as the group's chief, and he says such testing requires far more planning between his organization and client agencies than most people would expect. "It's not freeform, turn a bunch of people loose," Sager says. "There's a lot of consideration given to what is it that the customer would like to learn." GovInfoSecurity.com Managing Editor Eric Chabrow interviewed Sager o
-
"If I Were Starting My Career Today..." - Interview with Steve Katz
22/05/2009
Steve Katz was the world's first CISO, and he has unique insight on the information security profession - how it's developed and where it's headed. In an exclusive interview, Katz discusses: How the information security role has evolved; Which trends are changing the role; The skillsets necessary for today's security professionals to succeed tomorrow. Katz is a prominent figure in the network security discipline. Since 1985, he has served as the senior security executive for Citibank/Citigroup, JP Morgan, and most recently Merrill Lynch - and has been a force in raising the visibility and shaping the direction of the security industry at industry and government levels. Deeply respected within both the financial services and security industries, Katz has testified to Congress on information security issues and was appointed as the Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury. Other credentials include: Founder and Chairman of the Financial
-
From Audit Guidelines to Red Team Attacks - Interview with Former Air Force CIO John Gilligan, Part 2
18/05/2009
It's been nearly four years since John Gilligan retired as Air Force chief information officer, but he remains a force in influencing the future direction of government information security. Earlier this year, Gilligan - president of the consultancy Gilligan Group - led a consortium of federal agencies and private organizations in developing the Consensus Audit Guidelines that define the most critical security controls to protect federal IT systems and coauthored the influential Commission on Cybersecurity for the 44th Presidency report from the Center for Strategic and International Studies, a Washington think tank, that's helping shape federal government IT security policy. In this second of a two-part interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Gilligan explains the importance of the Consensus Audit Guidelines and how so-called red teams are critical in identifying vulnerabilities in government IT systems. In the first part of the interview, Gilligan explains the importance of core
-
Embezzlement: Find the Liars, Cheaters and Thieves
15/05/2009
Interview with Longtime Criminal Investigator Dana Turner
Embezzlement has become the nation's favorite financial crime -- and losses attributed to embezzlement are greater than those from all other financial crimes combined. Understanding the crime of embezzlement is critical to every investigator. In this exclusive interview in advance of his new webinar series, Dana Turner discusses: Why embezzlement is a growing crime; How the Internet aids embezzlers - and investigators; Key distinctions between male and female embezzlers - and how to spot them. Turner is a security practitioner with Security Education Systems -- a research, consulting and training firm located near San Antonio, Texas. He has served as a law enforcement officer in several capacities -- including the investigation of business and banking crimes; as a community college instructor and administrator in both the law enforcement and business management fields; and as a program development specialist and trainer for private businesses
-
Securing Off-The-Shelf IT
14/05/2009
Interview with former Air Force and Energy CIO John Gilligan on core configuration. While Air Force chief information officer, John Gilligan initiated the process that led to the highly praised Federal Desktop Core Configuration, in which personal computers purchased by the government must be preconfigured to include specified security controls. In the first of a two-part interview with GovInfoSecurity.com managing editor Eric Chabrow, Gilligan explains the importance of core configuration, and the challenges the government faces in expanding the program to other types of information and communication technologies. A primary barrier, Gilligan says, is overcoming the culture of each agency deciding how it deems best to procure and secure its IT. "The term personal computer is just more than a description of a particular brand of machine, but it is really how people think of it. It is my computer, it's my organization, and no one outside will tell me how to operate," Gilligan says. Gilligan also served a
-
Creating an IT Security Culture - Interview with Vermont CISO Kris Rowley
13/05/2009
As the first chief information security officer of Vermont, Kris Rowley's primary mission isn't to build an information security organization, but to create a culture of IT security and trust. In a state where many agencies operate their own independent information systems - stovepipes, she calls them - encouraging agency heads and their IT staffs to adapt to new approaches proves to be a challenge, one she's willing to take on. "People have their own domains, and they're the lord of their domains, and that's where they feel comfortable," says Rowley, who's been on the job since last September. "Part of that is a trust issue, as well. There's now an office of CISO in the state, and that's new to people. That involves change, and as we all know, change is difficult." In an interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Rowley discusses how she plans to change old habits by fostering an information security culture in Vermont, as well as working to codify information assurance policies and
-
New Opportunities in Information Security - Interview with Gerald Masson, Director of Johns Hopkins University Information Security Institute
13/05/2009
There are more opportunities than ever for skilled information security professionals. This is the belief of Gerald Masson, Director of Johns Hopkins University Information Security Institute, and in an exclusive interview he discusses: Job prospects for information security professionals in the public and private sectors; Growing opportunities in the healthcare field; What students need to know if they're either starting or re-starting their careers. Masson received his PhD from Northwestern University in 1971. He has developed and taught numerous graduate and undergraduate courses addressing various aspects of the field of computer networking and systems architecture. He has published over 150 technical papers, co-authored two books and is an inventor on six patents. His research addresses a range of issues dealing with the foundations and implementations of distributed systems regarding issues such as survivability, real-time performance monitoring techniques, and security mechanisms used for networ
-
DISA's Cloud Computing Initiatives
30/04/2009
Cloud computing is among the hottest topics in the federal government, with its efficiencies promising to save agencies and eventually taxpayers money. Despite its attractiveness, few agencies have implemented any type of cloud computing initiative, mostly because of IT security concerns. The Defense Information Systems Agency is among the few government agencies actively involved in cloud computing. In this interview, Henry Sienkiewicz, technical program advisor in DISA's Computing Services Directorate, discusses how DISA: Employs cloud computing securely behind its own firewall; Wrestles with the cultural change to a new computing model; and Collaborates with vendors to host and manage their commercial software-as-a-service applications on DISA servers.
-
What You Don't Know About the World's Worst Breaches - Dr. Peter Tippett on the 2009 Data Breach Investigations Report
29/04/2009
Verizon Business investigated 90 major data breaches in 2008, including 285 million compromised records. Nearly ¾ of those breaches were external hacks, and 99.9 percent of the records were compromised via servers and applications. These are among the findings of Verizon's new 2009 Data Breach Investigations Report. In an exclusive interview, Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business, discusses: The survey results; What these results mean to financial institutions and government entities; Which threats to watch out for most in the coming months. Tippett is the chief scientist of the security product testing and certification organization, ICSA Labs, an independent division of Verizon Business. An information security pioneer, Tippett has led the computer security industry for more than 20 years, initially as a vendor of security products, and over the past 16 years, as a key strategist. He is widely credited with creating the first commercial anti-virus product
-
Swine Flu: "This Could be Our Next Pandemic" - Regina Phelps, Emergency Management Expert
27/04/2009
As the swine flu outbreak triggers new fears of a global pandemic, security organizations must dust off and review their emergency management plans. For insight on how to prepare for swine flu, pandemic expert Regina Phelps offers expert insight on: What you need to know about swine flu; How your organization should respond - internally and with customers; Where and what to watch for updates over the coming days. Regina Phelps is an internationally recognized expert in the field of emergency management and continuity planning. With over 26 years of experience, she has provided consultation and educational speaking services to clients in four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in emergency management, continuity planning and safety.
-
The Future of Information Security: Interview with John Rossi, National Defense University
17/04/2009
To this point, information security professionals have been generalists. Going forward, they'll have to be specialists. At least this is the opinion of John Rossi, professor of systems management/information assurance. In an exclusive interview on the future of the information security profession, Rossi discusses: Why information security is headed toward specialization; The new capacities security professionals must develop; How academic institutions and industry groups must change how they educate security pros. Rossi is a Professor of Systems Management/Information Assurance in the Information Operations and Assurance Department at the National Defense University (NDU) Information Resources Management College (IRMC). Prior to joining the NDU/IRMC faculty, he was a computer scientist for information security, research, and training with the U.S. Federal Aviation Administration Headquarters. He was Security Division Manager of the U.S. Department of Energy's Nuclear Weapons Production Security Assess
-
Safeguarding New Tech: Navy CIO Robert Carey
14/04/2009
Navy CIO Robert Carey was among the first federal CIOs to embrace blogging as a way to keep in touch with his various constituencies, including officers and sailors. Carey believes steps can be taken to embrace new technologies while maintaining security. In this second of two parts of an exclusive interview, Carey discusses: Securing the new Navy-Marine intranet to debut next year; How the Navy employs social networking, though with some security restrictions; and Plans to implement secure cloud computing as a way to exploit technical efficiencies. Carey joined the Navy's Office of CIO in 2000, regularly being elevated from e-business team leader, to director of the Smart Card Office, to deputy CIO for policy and integration to CIO. Previously, Carey served in a variety of engineering and program management leadership positions within the Navy's acquisition community in the undersea warfare domain. A 1982 graduate of the University of South Carolina with a BS in engineering, Carey earned a master of engi
-
Federal IT Security Alignment: Navy CIO Robert Carey
14/04/2009
Information Security is among the top priorities for departmental and agency chief information officers, and no one knows that better than Navy CIO Robert Carey, who carries the double duty of co-chairing the federal CIO Council's Committee on Information Security and Identity Management. In this first of two parts of an exclusive interview, Carey discusses: Information security initiatives being tackled by the CIO Council panel he co-chairs with Justice Department CIO Vance Hitch; How the Federal Information Security Management Act benefited government IT security; and Why he feels there's no need for a separate Chief Information Security Officer Council. Carey joined the Navy's Office of CIO in 2000, regularly being elevated from e-business team leader, to director of the Smart Card Office, to deputy CIO for policy and integration to CIO. Previously, Carey served in a variety of engineering and program management leadership positions within the Navy's acquisition community in the undersea warfare domain