Disclaimer: This site was first put up 15 years ago. Since then I would probably do a couple of things differently, but because I've noticed this site has been linked from news outlets, PhD theses and peer-reviewed papers, and because I really hate the concept of a "digital dark age", I've decided to put it back up. There's no chance it can produce any harm now.
| Identifier: | 04THEHAGUE586 |
|---|---|
| Wikileaks: | View 04THEHAGUE586 at Wikileaks.org |
| Origin: | Embassy The Hague |
| Created: | 2004-03-10 11:34:00 |
| Classification: | UNCLASSIFIED |
| Tags: | PARM PREL CWC |
| Redacted: | This cable was not redacted by Wikileaks. |
This record is a partial extract of the original cable. The full text of the original cable is not available.
UNCLAS SECTION 01 OF 02 THE HAGUE 000586

SIPDIS

STATE FOR AC/CB, NP/CBM, VC/CCB, L/ACV, IO/S
SECDEF FOR OSD/ISP
JOINT STAFF FOR DD PMA-A FOR WTC
COMMERCE FOR BIS (GOLDMAN)
NSC FOR CHUPA
WINPAC FOR LIEPMAN

E.O. 12958: N/A
TAGS: PARM, PREL, CWC
SUBJECT: CHEMICAL WEAPONS CONVENTION (CWC): FOURTH SECURITY AUDIT TEAM, 23-27 FEBRUARY 2004

This is CWC-29-04.

1. The fourth Security Audit Team (SAT-IV) found that the OPCW Technical Secretariat (TS) had done little to further secure its IT infrastructure since the 2001 security audit. The team noted that significant personnel resources have been directed toward documenting processes and procedures, but few practical steps have been taken to ensure the safe and secure handling of information assets at the TS. Additionally, the SAT-IV noted that paper handling-processes continue to pose a significant vulnerability, and the ability of the TS to assess threat levels from the introduction and use of new technologies is very limited.

2. SAT-IV convened its first session 23 to 27 February 2004 in The Hague and reviewed the TS gap analysis and self assessment as related to implementation of international standards organization (ISO) 17799. (Comment: previous SATs have recommended the adoption of the ISO standard of best practice, as a notional baseline, but cautioned the TS not to expend significant resources seeking ISO certification standards).

3. SAT-IV notes that, as directed by the Office of Confidentiality and Security (OCS), the TS has devoted significant time and manpower resources to documentation of its information technology (IT) procedures, using as its justification the previous SAT recommendation to adopt the ISO standard. In the view of SAT-IV, this effort has done little to promote the overall security of the TS IT environment. Much of the documentation produced remains fragmented, largely due to TS lack of a critically needed IT asset inventory and risk assessment.

4. The consequences of the OCS documentation effort are many. First, the Information Systems Branch (ISB) is producing volumes of systems design and testing documentation but is not developing needed systems until the documentation effort is completed. The SCN upgrade and data migration have been delayed because OCS determined that the necessary documentation is insufficient and relevant testing has not been done.

5. The current SCN/Electronic Document Management System (EDMS) has changed little since 2001, except for a system-wide installation of new network hardware. (Comment: this installation appears to have been done over the past year to year and a half, with network servers being procured and put into place. The software upgrades remain in planning and testing.) ISB is developing a test environment and implementation plan for upgrading the network operating system, but the actual upgrade has been delayed twice and is now projected for the April - July 2004 timeframe. The delays are a consequence of inadequate documentation, resource limitations (i.e., competing priorities), modification to inspector laptops, and inadequate evidence of test results. The upgrade of the operating system to Windows 2000/server, Office 2000/desktop, Unicenter, Info Image, and SQL 7.0 are seen by both the TS and the SAT-IV as critical to the enhanced SCN. SAT-IV offered its assistance in testing the operating system prior to live implementation, and SAT-IV indicated that this will be a critical component of the system-wide audit later this year. A list of suggested automated auditing/testing tools for Windows 2000 environment will be made available to the TS by the USG member of the SAT-IV.

6. A system-wide operational audit of the SCN and inspector laptop environments is proposed for December 2004. Interim documentation reviews and meetings may be requested by SAT-IV, depending on implementation schedule for the operating system upgrade.

-------------------------
RDBMS Development Efforts
-------------------------

7. The RDBMS development remains in a planning and documentation stage. Functional, technical, and security requirements are being drafted and coordinated among ISB, OCS, VER/DEB, and the development contractor. An expanded functional database has been proposed which would include declaration processing, declaration redaction, document tracking, inspectable site selection, and generation of a variety of reports. A working prototype is expected in late 2004, and will be available for SAT-IV evaluation.

8. Ito sends.

SOBEL
Latest source of this page is cablebrowser-2, released 2011-10-04