NASA Struggles to Fix Network Security Holes - 'ZIFFPAGE TITLEPostscript '
(
Page 5 of 6 )
Postscript
When I follow up with Ing in September, she assures me that NASA took the review panel's recommendations seriously. Some of the results:
A review of NISE project management and its conformance with NASA standards for design reviews and configuration control.
Completion of an additional enterprise architecture review, which had not been previously scheduled.
A decision to make deployment of replicas of the LDAP directory part of the project plan. NASA carved out money for those servers from the NISE budget, rather than ask the space centers to fund them.
Revamp of the communication plan, aimed at improving understanding of the NISE project and its impact on each center.
Following an operational readiness review, the account management system was on track to go live by Oct. 1, Ing says: "But it's tight. There's a possibility it could slip a couple of weeks."
Looking back on our recommendations, I have the guilty suspicion that we bogged down the project with more review meetings and paperwork. But when I bounce this off Greenwood in a phone call, he reassures me that "oh, no, they needed it." The project governance was "too loosey-goosey," he says, and we nudged them toward tightening it up.
Should we judge them harshly for not having a better identification system already in place, for having to admit to us that there are dead people with live accounts on NASA's network?
"I would have judged them more harshly if they denied having dead people," Greenwood says. Instead of denying reality, NASA was taking an honest look at the weaknesses of its systems and methodically working to eliminate them, we agree.
And that, after all, is the best way to improve anything from an information system to a space program.
Projects: Security 
