A Public Sector Communications eMagazine

November 14, 2003
Volume 1, Number 7


Use Judo, Meet FISMA

Judo teaches that a force directed against you can be turned to your own benefit. Does this include an Inspector General’s report on compliance with the Federal Information Security Management Act?


Yes, said Alan Paller, director of education programs at the SANS Institute.

“An IG report can be turned into an action plan,” Paller told the recent Federal Information Assurance Conference. The idea emerged from a survey SANS performed across government and industry, and was first offered by one agency CIO, Paller said.

Noting that “the IG is the only quality control system we really have,” Paller said that each point of criticism or question in an IG report (or in a General Accounting Office report) can be enumerated as a step in a process in which the “audit,” rather than the technology, becomes the center of IT security focus.


Sharpened Focus

The significance of meeting FISMA has sharpened intensely, with agencies facing a Dec. 17 compliance deadline. The ability to meet FISMA has been linked by the Office of Management and Budget to the chances for e-government systems in particular to sustain funding. There is more to this than mere compliance, Paller stressed at FIAC.


“Doing e-gov without good security, you’ll just end up embarrassing people in your own agency,” he advised IT managers.

Ron Ross, Ph.D., director of the National Information Assurance Partnership at NIST, told the conference that FISMA is basically an “over-write of the 1987 Computer Security Act,” and is still being assimilated and interpreted.

The upside of FISMA is that it has “focused management attention on security” as never before, Paller said. But many agencies are only now adopting new certification and accreditation (C&A) processes that will help them build FISMA compliance into the daily IT management process. Paller endorsed C&A “because it engages the system owner, not just the security guy.”



NIST 800-37

The National Institute of Standards and Technology’s recently completed Special Pub. 800-37 provides detailed guidelines for building C&A into IT management processes, Ross said. Such tools are ultimately a necessity because attacks on systems are becoming increasingly sophisticated. He borrowed from football when noting “the Offense will always have the advantage” where IT security is concerned.

The evidence suggests that much of the C&A process will ultimately concern itself with the default conditions, or standard configurations, that systems rely on. Ross said NIST/NIAP has determined that 85 percent of all security weaknesses can be corrected with configuration adjustments alone. Paller noted that a study at First Union bank showed that “all successful attacks were found to be enabled by configuration errors.”


Paller noted that the Energy department recently carved out an agreement with Oracle Corp. to provide database systems configured to stiffer benchmarks that might be expected to more smoothly accord to FISMA requirements. The Energy/Oracle deal (negotiated by ex-CIO Karen Evans before she left for OMB) will be examined by other agencies and industries as best practices are pursued, many government and industry stakeholders have said.


For more about NIST 800-37, visit http://csrc.nist.gov/sec-cert/.


The results of the SANS survey of IT security practices are due out in December. You can visit SANS at www.sans.org.


This article was written by Public Sector Institute senior editor Robert Green. He can be reached at RobertGreen@PubSector.net.


Copyright © 2010 Public Sector Communications, L.L.C.

Public Sector Communications, L.L.C.
19009 Alpenglow Lane
Brookeville, MD 20833
