Here are the top 10 things I discovered when I reviewed it.
1. DO NOT (under any circumstances) share your IT security strategy with the media. All they heard is that the government will only have 50 Internet connections.
2. The plan states "The total number of access points should be less than 50 to the extent practicable." "To the extent practicable" is a legal term that will translate into vulnerabilities (page 7).
3. "Practicable" is a term of art whose meaning differs depending on who you are: agency officials, vendors or politicians. Taxpayers are not included.
4. If you can't meet your goals, revise them (page 18):
"Continue to pursue the goal of the Trusted Internet Connection program to reduce the number of government network connections to the Internet but reconsider goals and timelines based on a realistic assessment of the challenges." – Cyberspace Policy Review, 2009
5. The TIC strategy presumes trust among government agencies. Hmmmm... See item 4 again (and again).
6. Use pictures [with cryptic notes and ambiguous goals] to explain your IT initiatives, because everyone will understand at least some part of the picture... and later you can explain it however you want.
7. PowerPoint slides have gone too far if the US government can describe its strategy on just one slide (page 8).
8. Leverage pre-existing brands by using really smart code names like "Einstein" to convey a sense of confidence and to ensure a steady stream of funding regardless of results. For instance, the media would have a field day if the program got cancelled (e.g. "Congress Kills Einstein").
9. When establishing rules for operations, be sure to provide absolute clarity (with sufficient loopholes). See page 9 for this excellent example of a bright-line rule for HTTP/S connections:
"Unless exempted all http/https connections to external systems only allowed by Web proxy."
10. Keep your day jobs. The vendor gods (even Lawrence) cannot convert this TIC strategy into an SBS wizard [YET!].