Computer Security Inspection: An Inspectee Perspective

Year
1987
Author(s)
S.K. Penny - Martin Marietta Energy Systems, Inc.
R.J. Caldwell - U.S. Department of Energy
Abstract
The inspection process within the Department of Energy (DOE) is intended to be an independent monitor and reporter of the status of security programs in various areas, such as computer security. It is one of several quality controls on the security process within the DOE's structure. When it works well, it contributes to a standard of performance for security across DOE sites. When it works b a d l y , it results in e m b a r r a s s m e n t to DOE a n d potentially contributes to a misalignment of priorities. When the process works well, the site describes how its security controls function within the organization and mission of the site for the purpose of external analysis and verification. The Standards and Criteria represent a compromise between Headquarters and the DOE field organizations regarding issues and priorities to be reviewed and serve as a mutual basis in preparing for and conducting an inspection. The result is an independent analysis that can be factored into the local decision process. The paper discusses this interaction. The process becomes dangerous if its results are taken out of context. This happens if the results are prematurely released outside of DOE and receive national or congressional attention prior to their internal adjudication. Another danger exists of reacting to findings rather than using them to find solutions. When this happens, a misalignment of priorities and expenditures frequently occurs. This paper discusses these dangers and ways to avoid them.