1、Lessons Learned Entry: 1175Lesson Info:a71 Lesson Number: 1175a71 Lesson Date: 2001-02-01a71 Submitting Organization: HQa71 Submitted by: David M. LengyelSubject: Computer Hardware-Software/System Security/Personnel Awareness and Training Description of Driving Event: Delays in Drafting and Implemen
2、ting Computer System Security Plans and Training Especially for System AdministratorsLesson(s) Learned: NASA has initiated a well-founded, broadly encompassing computer security program to ensure that its computer systems are protected from hostile attacks, but development of security plans for all
3、systems is lagging. Also, the function of Computer Security Officer has typically been added to the responsibilities of systems administrators.Recommendation(s): 16a. Complete and maintain security plans for all appropriate computer systems and ensure that the computer security program is sustaining
4、16b. Ensure that computer systems administrators are properly trained in computer security.Evidence of Recurrence Control Effectiveness: 16a. Code AO - Concur: We concur with the ASAP recommendation. Progress since the ASAP review consistent with the recommendation is shown below:Current Status of
5、Computer Security Plans and Sustainability of Computer Security ProgramProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-a71 Status of Computer Security Plans: As of the second quarter of FY 2001, computer security plans for 100 percent of SMA (Special
6、 Management Attention) Systems have been completed, including authorization to operate; 97 percent of SMA Systems have all protective measures completed as stipulated in their plans; three systems have completed interim measures that give adequate security. SMA Systems are NASAs most critical system
7、s.a71 Sustainability of Computer Security Program: In FY 1999, NASA spent $28 million on IT security programs and measures. That amount has more than tripled in FY 2000 as NASA introduced an aggressive, Agency-wide program that stressed closer monitoring, improved reporting, expanded training, and b
8、etter technology. The FY 2000 budget of $91 million targeted the Space Flight and Earth Science Enterprises for particular emphasis, with those two business units receiving 80 percent of the ITS budget.Future Computer Security Plans for Computer Systems and Plans for Ensuring Sustainability of the C
9、omputer Security Programa71 Future Computer Security Plans for Special Management Attention (SMA) Systems:a71 SMA Systems:a71 By September 30, 2001 - remaining 2.4 percent of systems have completed protective measures stipulated in their plans; Mission (MSN) a71 By October 1, 2001 - 100 percent have
10、 signed IT Security Plans authorizing processing.Sustainability of the Computer Security Program: The Agency will increase the ITS budget by over ten percent in FY 2001 to $101 million, primarily to improve monitoring, protect data, and enhance technology at all Centers.16b. Code AO - Concur: We con
11、cur with the recommendation. Status of system administrator training is shown:Current Status of Computer Security Training for Systems Administratorsa71 As of the first quarter of FY 2001, 35.6% of system administrators have received basic awareness training and IT security training for UNIX or NT s
12、ystems. This is below the target of 50%.Future Computer Security Training Plans for Systems AdministratorsSystem Administratorsa71 By October 1, 2001- 90 percent of all system administrators completed during FY 2001 either Provided by IHSNot for ResaleNo reproduction or networking permitted without
13、license from IHS-,-,-the FY 2000 or the FY 2001 “ITS Overview“ training on SOLAR or equivalent training.a71 By October 1, 2001- 80 percent of administrators of UNIX systems completed “UNIX Security for System Administrators“ training on SOLAR or equivalent training.*a71 By October 1, 2001 - 80 perce
14、nt of administrators of NT systems completed “NT Security for System Administrators“ on SOLAR or equivalent training.We believe that the ITS program has made significant progress in the past two fiscal years as indicated in our response.Documents Related to Lesson: N/AMission Directorate(s): a71 Exp
15、loration Systemsa71 Space Operationsa71 Aeronautics ResearchAdditional Key Phrase(s): a71 Administration/Organizationa71 Aerospace Safety Advisory Panela71 Communication Systemsa71 Computersa71 Configuration Managementa71 Human Resources & Educationa71 Information Technology/Systemsa71 Policy & Plan
16、ninga71 Risk Management/Assessmenta71 Securitya71 Softwarea71 Test & VerificationAdditional Info: Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Approval Info: a71 Approval Date: 2002-03-18a71 Approval Name: Bill Loewya71 Approval Organization: HQa71 Approval Phone Number: 202-358-0528Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
