SPECIAL REPORT: Security Directives and Compliance
Following Directives
Attend almost any seminar or conference on security directives and inevitably the topic of managing risk is brought up.
What you are likely to hear is that “culture” is a main reason some managers have been deliberate in embracing the risk management concept, and even more deliberate in complying with the myriad security directives they must follow.
But is it really “culture”? Or is it that dollars are limited – with cuts continually looming – while the “compliance requests” from agencies such as OMB keep growing? The list of directives is long (see Sidebar). So what is required of management to really support security and manage risk?
What Is Required
Security risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). The CISA Review Manual 2006 provides the following definition of risk management:
“Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”
According to management consultant Michael Lisagor of Celerity Works, a manager’s role in managing risk depends on his or her organizational responsibility. “IT infrastructure managers have a different role than finance managers. But, both need to engage in some level of organizational risk management assessment.”
That means managers need to identify the value of the IT and information assets that might be impacted; then conduct a threat and vulnerability analysis to identify the potential effect and the probability of that occurrence. Finally, risk mitigation controls should be identified and implemented in proportion to the cost and potential severity of the risk.
Lisagor urges managers to work in concert with a multi-disciplinary team that includes finance, IT and security specialists.
“Security risk management is not a one-time process,” said Lisagor. “An on-going review of identified risks and periodic assessment of potential new risks are essential for continued security risk management.”
“Management insecurity is no longer an option,” adds Lisagor. “Each manager needs to reach out to the security professionals in the agency and take the initiative to protect our nation’s vital resources.”
Are You Complying With Major Security Directives?
The list is long. Here are just a few of the major directives driving security policies, procedures, standards and training.
Federal Information Security Management Act (FISMA): This is the primary legislation governing the management of federal information security, including the latest OMB and NIST guidelines.
OMB M06-16: This requires agencies to establish safeguards for sensitive data on laptops and desktops.
Federal Desktop Core Configuration (FDCC): Security configuration standards for government desktops developed by NIST, DOD and DHS that are mandated by OMB M07-11.
Security Content Automation Protocol (SCAP): This is the repository of security content used for automating technical control compliance activities. NIST recently released Draft NIST Interagency Report (IR) 7511, “Security Content Automation Protocol Validation Program Test Requirements,” which describes the requirements that products must meet to achieve SCAP validation.
Director of Central Intelligence Directive (DCID) 6/3: Establishes the security policy and procedures for storing, processing and communicating classified intelligence information in information systems.
Information Assurance Vulnerability Alerts (IAVA): Security bulletins issued by JTF-GNO that alert on "High-Risk/Threat" vulnerabilities in application software or operating systems.
NIST SP 800-53 Revision 2: Provides guidelines for securing information systems within the federal government by selecting and specifying security controls. These guidelines are applicable to all parts of an information system that process, store, or transmit federal information.
NIST SP 800-27: DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach.
NIST SP 800-39: DRAFT Managing Risk from Information Systems: An Organizational Perspective.