Andy Boots

Retired
Former Chief Information Security Officer
Office of the Comptroller of the Currency

Before he retired in 2007, Andy Boots was chief information security officer (not just computer security officer) at the Office of the Comptroller of the Currency (which has nothing to do with U.S. currency) at the Treasury Department.

Previously, Andy was a champion for information security and privacy for the Student Financial Aid program at the Education Department, where his biggest challenge was building students' and parents' confidence in the agency's ability to handle Internet transactions securely. Also during his career, Andy was a member of the National Partnership for Reinventing Government, where he worked with agencies to identify ways to make federal services available to the public electronically (electronic government before electronic government was cool). He also managed networks at the Justice Department and research programs at the Housing and Urban Development Department.

Andy was schooled at Georgia Tech and educated thereafter. He has three children and four grandchildren.


Hiding in Plain Sight

This showed up in my email the other day:

This is pretty neat -- special effects during the 1940s. I have never seen these pictures or known that we had gone this far to protect us. During World War II, the Army Corps of Engineers needed to hide the Lockheed Burbank Aircraft Plant to protect it from Japanese air attack. They covered it with camouflage netting to make it look like a rural subdivision from the air.

Before:

photo1.jpg


After:

photo2.jpg

Real Security Leaders Don't Ignore Mission Security


A recent Government Accountability Office study shows the Federal Protective Service is not protecting General Services Administration buildings because of underfunding. And that's just the story for GSA buildings. What steps has your agency taken to assess the quality of physical protection at your GSA and non-GSA facilities?

The response to this GAO report from most agency heads is likely to be "What does that have to do with me? Are Congress or the Office of Management and Budget going to give my agency a bad grade because FPS is not doing the job?"

Senior managers understand that lots of money must be spent on computer security lest their agency get a "bad grade" (or perhaps even because current computer security is lousy). But they have no idea about the true cost of mission security or what sorts of investments are necessary to improve mission security.

Illegal Activity and Network Protection


Human behavior is inherently risky. In this entry, I want to explore two types of behavioral risk to the organization – operational risk and reputational risk – and to argue that illegal behavior is a reputational risk that is inconsistently regulated.

In a Government Executive piece a couple months ago, Jill Aitoro reported on a survey of federal IT workers that revealed employees using government computers and networks sometimes fail to follow policy and thereby endanger information security. Certainly, this is no surprise. In fact, I question the study's results because only 56 percent of 474 survey respondents reported having observed security violations. If anything, this suggests that 44 percent of the respondents were simply unaware of the security policy.

Security vs. Privacy is Nonsensical


Bruce Schneier recently wrote a wonderful explanation of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who must find ways to integrate privacy into their thinking and program planning.

So how does FedWorld see this topic? With no subtlety at all, of course.

The Accreditor's Dilemma


In essence, the information security/assurance certification and accreditation process -- in both civilian and military realms -- represents a command and control view of decision making.

On the battlefield, the commander gathers information from advisors who are qualified to attest to the accuracy (or limitations) of the information they provide. Because no one ever operates without a degree of uncertainty, the commander makes decisions using available information but with the full realization that other factors are unknown and perhaps unknowable. The commander also recognizes that a bad decision will reflect on him or her directly.
