1、Lessons Learned Entry: 1150Lesson Info:a71 Lesson Number: 1150a71 Lesson Date: 2000-02-01a71 Submitting Organization: HQa71 Submitted by: David M. LengyelSubject: Agency-Wide/Computer Hardware-Software/Computer Security Description of Driving Event: Agency-Wide Computer System VulnerabilitiesLesson(
2、s) Learned: Further analysis of NASAs planned agency-wide computer security system is needed to understand its vulnerabilities and the programs and activities to which the system should be applicable.Recommendation(s): Conduct a thorough analysis, together with the National Security Agency, to deter
3、mine the level of computer security required by the Agency, the level of security that can be expected from the system and its most serious vulnerabilities. Also require all major mission or safety critical programs to have a qualified third party conduct a computer vulnerability analysis of their d
4、esigns as soon as possible.Evidence of Recurrence Control Effectiveness: NASA concurs in principle with both parts of this recommendation. Regarding analysis with the National Security Agency (NSA), we conducted a thorough internal study in 1998 to determine the level of required computer security,
5、and GAO audited our computer security the same year. In addition, we are using a combination of internal audits/tests and third-party audits/tests to determine our security at a technical level. Our metrics also provides ongoing information about the adequacy of our computer security. Finally, the N
6、ASA Inspector General has made computer security a high priority for audits and inspections. Thus, we are not sure that adding another layer of analysis by the NSA will add commensurate value. Every analysis or audit disturbs ongoing work, and, at some point, additional analyses can actually degrade
7、 security because they have negative marginal value. Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-We will discuss with the NSA what services that they could provide, to establish whether contracting with them would add significant value above what
8、 is already underway.Regarding major mission systems, we believe that there is merit in the recommendation but wish to consult with owners of such systems before levying this requirement. We require that managers of all “special management attention“ systems complete IT security plans and provide wr
9、itten authorization to operate those systems this fiscal year. We expect that all major mission or safety critical systems are included among the special management attention systems. Thus, these activities will provide a documented baseline for discussion regarding the value of third-party analyses
10、.Documents Related to Lesson: N/AMission Directorate(s): a71 Exploration Systemsa71 Aeronautics ResearchAdditional Key Phrase(s): a71 Flight Operationsa71 Ground Operationsa71 Policy & Planninga71 Risk Management/Assessmenta71 Securitya71 SoftwareAdditional Info: Approval Info: a71 Approval Date: 2002-03-18a71 Approval Name: Bill Loewya71 Approval Organization: HQa71 Approval Phone Number: 202-358-0528Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-