Challenges in managing critical resources — In which the management of uncertainty of impacts includes the design and implementation of:

1.  Indicators that provide continuous visibility of the states of confidence.

2.  Sensors and procedures that can positively verify the identity and privilege status of access to information, including verification of connectivity and interfaces.

3.  Administrative and electronic controls to ensure separation of duty and assignment of privilege, and to limit unintentional or unauthorized granting and propagation of privileges.

4.  Administrative and electronic mechanisms for assuring continuity of access to information, including the capability to restore systems to a known state that have been or, are perceived to be in the process of being interrupted by natural or induced disasters.

Administrative challenge of controlling and safeguarding access to and usage of proprietary information — In which an independent verification and validation process is institutionalized that attests to an acceptable status of trust in the integrity of information resources, systems, and agents.

Challenge of technology infusion — In which the management of enhancements to technology is addressed. Currently, technological enhancements of products and services is expanding at a phenomenal rate, while management methodologies, prototyping strategies, and tactical planning for their incorporation into enterprise domains are expanding at a much slower rate. Due to the dynamics and the proliferation of products and services, management is faced with a significant degree of uncertainty in deciding whether or not to use freeware, shareware, COTS products, or end-user-developed systems. Furthermore, if these are used, how will management control proprietary and/or critical information, when should they be used, and what will be the associated long-range sustaining costs?

“EYE OF NEWT, HAIR OF DOG, BLOOD OF BAT,…”

In conclusion, information security is bounded only by our own prejudices and short sightedness.

In the last five years, security has changed from a discipline that was fairly isolated and unique, and easily controlled and administered, into a management dream turned into a nightmare. The Security “druids” of the 1980s, crouched over boiling cauldrons muttering strange incantations and peering into the future, have been replaced with the 1990s “techno-wennies” and “security geeks” who were let out of their closets gloomily forecasting that:

•  Security can no longer be effectively added as an independent layer of protection.

•  Every PC is equivalent to an international data center and should be similarly protected.

•  Security in a distributed environment is a logical configuration, and cannot be physically controlled.

•  Security cannot be legislated.

•  Security is an operational decision, it is not part of the development life cycle and therefore, should not be addressed as a technical requirement until after a system is built and delivered.

•  Once systems are opened, they can probably never be closed.

•  Effective security is cost prohibitive and we can’t do anything about it until a COTS product is available.

We have looked “SATAN” in the eye (1994) and “danced with the devil in the pale moonlight (1995,1996)”. We are still here, the values, issues, and concerns are still here. Although we have made progress in determining what is needed, we are still ignoring the simple fact that adequate security safeguards and protection mechanisms have to be designed for, and built into our systems. We must take the initiative by accepting a synergistic approach that combines the current development and maintenance disciplines into a single Integrity Engineering discipline as the future answer to our concerns.