To make the grade, NRC takes a personal approach

By Richard W. Walker, GCN Staff

The Nuclear Regulatory Commission’s systems have a big, red bull’s-eye on them.

Every day, the agency’s systems face about 500 attempts at reconnaissance and 100 attempted denial-of-service attacks, CIO Ellis Merschoff said.

And every day, NRC’s security systems strip out roughly 300 suspicious e-mail attachments and isolate about 10 virus occurrences, he added.

Last year, the agency reported more than 67,000 security incidents to the Federal Computer Incident Response Center.

It’s no wonder then that officials at the commission’s headquarters relentlessly hammer away about the importance of IT security awareness. The word to NRC’s 3,000 employees—who exchange about 100,000 e-mail messages a day and receive another 40,000 via the Internet—is clear and unequivocal: You’re accountable.

“The message is individual responsibility,” said Louis Numkin, an NRC senior computer security specialist. “Each employee is an agent of the agency and has a responsibility to the agency as well as to their own integrity.”

“We require everyone to take computer security training annually. When my boss takes training, it puts a whole lot more pressure on me, which puts pressure on those below me.”

—NRC’s Ellis Merschoff

The approach has paid off. NRC is the only agency to receive a full A grade on the federal computer security report cards issued by the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. (The National Science Foundation received an A-.)

“We have an agency with the foresight to fund and support a computer security program,” Merschoff said. “That can’t be underestimated.”

In some ways, NRC had a jump on security, spurred by the nature of its work. The commission regulates commercial nuclear power plants in the United States and the civilian use of nuclear materials; it goes without saying that a security breach at the agency could be catastrophic.

NRC’s computer security program predates the Web. It dates from 1980, about five years after the commission took over from the former Atomic Energy Commission and became an independent regulatory agency.