Wednesday 4 November 2015

Accepting information risk: Knowing how much is too much

Commentary: Five recommendations to improve how federal agencies authorize their IT systems as secure.

By (ISC)2 U.S. Government Executive Writers Bureau

Patrick D. Howard CISSP, CISM, Kratos Technology & Training Solutions, was lead author of this peer-reviewed article, written by the (ISC)² U.S. Government Advisory Council Executive Writers Bureau.

The number and severity of recent data breaches have called into question the effectiveness of the processes federal agencies use to secure government information systems. But the cybersecurity guidance issued by the White House last week fails to highlight the need for improvement in arguably the most important agency security process — System Security Authorization, which focuses on identifying and addressing risks to government information.

SSA is required by the Federal Information Security Management Act, and is documented by the National Institute of Standards and Technology, to increase management involvement in protecting government information systems. FISMA requires agencies to formally assign government executives or managers authority over the operation of each federal information system. These officials are responsible for considering information risks in their decision to allow an IT system to go live or continue to operate.

However, despite this mandate and clearly defined guidance, some agencies give system security authorization short shrift.

For instance, a July 2015 report on the Office of Personnel Management data breach from the Institute for Critical Infrastructure Technology indicated that a number of OPM information systems were operating without an “authorization to operate” at the time of the breach. Additionally, the report casts doubt on the security of systems that did have ATOs, noting from unconfirmed “whistleblower” reports that numerous systems barely met compliance requirements or that security had been “shored up” merely for the purpose of passing inspection.

For the full article, click here.

from cyber security caucus http://ift.tt/1RwjWUh
via IFTTT