Printer Friendly

Enterprise security system deployment.

Many people cringe when they hear the phrase, "information assurance compliance."

It seems the term is synonymous with "no you can't" or it's going to be a difficult process that has to be approved at the senior level to do something that seems so simple on your home computer system.

Effective security is seldom convenient or easy. If it were easy it wouldn't be worth doing. I'm sure the enemy would like for it to be both convenient and easy.

Information security requirements have always existed, but only brought to the forefront of importance and leader focus in recent years due to major incidents involving national security with emerging technologies, vulnerabilities and impacts to unit mission.

U.S. Army Central Command in coordination with the 335th Signal Command (Theater) (Provisional) engaged the Defense Information Systems Agency for a comprehensive security compliance tool that has the ability to automate and report the security posture of a networks key components.

The requirement for a tool that will consolidate and supplement existing IA tool data collections to increase situational awareness and enhance the security posture to meet IA compliance for certification and accreditation, vulnerability management and asset tracking in a user friendly dashboard view. DISA responded to our request with the identification of a tool they've been using for years to meet their compliance requirements. ESPS is a comprehensive security compliance tool created at DISA Defense Enterprise Computer Center in Montgomery, Ala. This tool has enhanced capabilities that supplement other IA tools and provides situational awareness of the security posture of all servers, databases, and systems for Security Technical Implementation Guide, Information Assurance Vulnerability Assessment, Security Content Automation Protocol compliance checker and Vulnerability Management System file generation to upload across multiple operating system platforms. The partnership with DISA in piloting this system will provide a snapshot for leaders to consider making this tool available to all of DoD as an enterprise service offering.

Enterprise Security Posture System provides a Graphical User Interface to view compliance status on a dashboard for servers, databases, and workstations. This tool was created internally at DISA DECC Montgomery to meet their IA compliance requirements in an automated, cost effective manner. ESPS has enhanced capabilities that supplement existing IA tools with the scalability to support future tools. ESPS was developed to provide automation and detection that no other tool provides. Other tools such as HBSS Policy auditor, Space and Naval Warfare Systems Command SCAP Compliance Checker, 3.0 and the STIG Viewer do not provide the complete review of all applicable STIGs, IAVMs, policies and SCAP checks that is provided by ESPS.

For example, the SPAWAR SCC tool had 356 of the 614 checks that are in VMS for the windows operating system.

In addition, SCC doesn't cover any of the additional targets for the Windows OS like McAfee, Internet Information Services, and Domain Name Services. Other tools provide a portion of these checks, but only ESPS provides all necessary checks in an automated fashion and reports that are easily understood by information assurance security personnel. This tool utilizes Unix and Windows scripts that are developed to encompass and supplement FSO toolkits (Gold Disk, SRR, Winbatch). One of our newest improvements in ESPS is the incorporation of Retina and Assured Compliance Assessment Solution Nessus scan data. This capability further improves the visibility of the complete security posture of an asset. Once incorporating the toolkit, which is essentially an agent loaded on servers and workstations, it will check in with the master database and schedule scans and upload of automated data collections that are organized and available for report generation. If the existing reports do not meet the individualized needs of a unit, a request for change can be submitted for customized reports. Initial piloting of ESPS is complete at the Main Command Post, this system will be further deployed throughout the South West Asia area of responsibility in coming months for integration into business processes and greatly assist with the IA security posture and certification and accreditation challenges in that environment.

Information security requirements will continue to exist as the enemy will continue to try and exploit information that they are not intended to have. If we can mitigate the occurrence of major incidents involving national security with technology, we have to keep up with emerging technologies available to our enemies to subvert vulnerabilities that impact mission readiness and the ability to command and control.

Acronym QuickScan

ACAS--Assured Compliance Assessment Solution

DISA--Defense Information Systems Agency

DECC--DISA Defense Enterprise Computer Center

DNS--Domain Name Services

ESPS--Enterprise Security Posture System

GUI--Graphical User Interface

IA--Information Assurance

IAVA--Information Assurance Vulnerability Assessment

IIS--Internet Information Services

SCC--SCAP Compliance Checker

SCAP--Security Content Automation Protocol

STIG--Security Technical Implementation Guide

SWA--South West Asia

SPAWAR--Space and Naval Warfare Systems Command

USARCENT--U. S. Army Central Command

VMS--Vulnerability Management System

MAJ Scott A. Salmon graduated from Central Missouri State University, with a Bachelor Degree in marketing. and was commissioned in 2001. He earned the Certified Information Security Manager certification in 2010 and has completed the Signal Captains Career Course. MAJ Salmon has served a variety of increasingly responsible Signal positions including platoon leader, battalion FA53 automation officer, battalion S6, USARCENT HQ support operations officer in charge of networks, systems and helpdesk, information assuarance program manager and information assurance manager.
COPYRIGHT 2014 U.S. Army Signal Center
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Salmon, Scott A.
Publication:Army Communicator
Date:Jun 22, 2014
Previous Article:New satellite terminal program increases network capacity and reach.
Next Article:Operating an effective Afghanistan network.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters