Ever since 9/11, many companies and government agencies have heavily invested in network security solutions to best protect their networks. However, investing in a half-million dollar solution doesn't necessarily mean a network will be protected against vulnerabilities.
In fact, with the thousands of worms -- including Botnets -- inching across the Internet ready to attack, it's not enough anymore to just invest in security solutions and hire security managers to guard networks; organizations have to develop internal security plans to involve non-technical employees in protecting information systems.
The Environmental Protection Agency did just that. Agency officials implemented a proactive employee system to improve information security and comply with the Federal Information Security Management Act (FISMA) of 2002.
"Ever since buying the software from BindView Corp. for a mere half million dollars a little more than a year ago, the EPA's FISMA technical compliance has risen from 35% to 95%, enticing interest from other government agencies as well as corporate businesses," said Mark Day, the EPA's deputy chief information officer.
BindView's Report Packs for FISMA, a security and vulnerability management reporting solution, is designed to help security managers target and eliminate vulnerabilities in network information systems -- it's available for Windows, Unix, NetWare and NDS/eDirectory environments.
In addition to providing security software, the Houston-based company also recommends security training that motivates employees to do the right thing.
"Organizations should maintain a consensus on protecting their information assets, by establishing policies and procedures, and continue to keep them current on their employee minds," said Ron Rosenthal, senior vice president of worldwide marketing for BindView.
The EPA followed that approach by giving security managers the tools to provide instructions and check compliance, ultimately helping the entire agency chart its own compliance.
"At first, our staff was a little hesitant about incorporating a new system, but then we developed a system where upper IT management didn't have to be technical experts to address their IT problems; it was a color coded chart that virtually anyone could read and determine where the network vulnerabilities existed," Day said.
The EPA's system proved so successful that in an Office of Management and Budget report, "Budget of the United States 2005; Analytical Perspectives, officials stated that the EPA "excelled at protecting their information security assets."
The EPA isn't endorsing the BindView solution. Agency officials investigated BindView's product and decided it best fit their budgetary needs.
"Our decisions to use BindView was purely based on price, other solutions developed by more well-known organizations like IBM are just as effective. We wanted to purchase a security solution and implement an internal plan to get the most out of it," Day said.
Several companies and government agencies have contacted the EPA to learn about its increased compliance, and how to execute a similar plan in their organization.