Memorandum for NASA Senior Management
2 November 2012
From: Cybersecurity Program Manager,
Subject: NASA Cybersecurity Recommendation
1. As a loyal representative of NASA and a Program Manager of the Cybersecurity Division, I have discovered key areas pertaining to security that require immediate attention. The changes listed in this memorandum are in the best interest of NASA and its security. Please take a moment of your time to consider some of the suggestions and recommendations developed by a team of subject matter experts in the Cybersecurity Division of NASA.
2. Currently, NASA follows regulations and standards defined by the Federal Information Security Management Act (FISMA) and the Privacy Act of 1974. Both are crucial policies that NASA needs to continue to support. However, several of our employees lack knowledge of the requirements and of their respective responsibilities for keeping NASA within the law. We must also establish internal policies to minimize violations and prevent further recidivism. Our team has created a specific training program to be applied at all levels of NASA employees. We recommend this training plan be implemented immediately.
3. NASA has also met requirements established by National Institute of Standards and Technology (NIST) SP 800-30. However, the guidelines defined by International Organization for Standardization (ISO) 17799 have not been followed. We recommend that NASA institute its own policies to work in conjunction with ISO 17799 to help avert future security issues. ISO 17799 defines protection of NASA assets as well as effective management and utilization of personnel. It also follows a basic security cycle of deterrence, prevention, detection and remedies. ISO 17799 may not cover the specific needs of NASA, but it provides a general set of standards to follow that would be useful in maintaining the security of NASA.
4. NASA has also lost sight of disaster preparedness for information systems. Our team recommends a plan to manage all types of malicious attacks. This should cover attacks from internal and external sources, whether intentional or unintentional. We must continue to perform audits, establish common security practices, and rework NASA policies and procedures.
5. The Cybersecurity Division’s mission is to provide NASA senior management with the tools to effectively develop security policies that will maintain the reputation and pride of NASA. If there are any questions, please contact me at 555-1234 or e-mail me at . Thank you for your time.
Regards,
Cybersecurity Program Manager