The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

FISMA has brought attention within the Federal Government to cyber security, which had previously been much neglected. As of February 2005, many government agencies received extremely poor marks on the official report card, with an average of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003.[1] This shows a marginal increase in how federal agencies prioritize cyber security, but experts warn that this system of measurement is misleading. Many argue that in actual implementation across Federal departments and agencies, FISMA measures the wrong things.[citation needed] Thus, it is entirely possible that an agency with a high grade can be less secure than an agency with a lower grade, and a high grade is no guarantee of actual security. Despite its value for increasing awareness and bringing attention to such an important issue, there are some who feel that FISMA is fatally flawed and will never get Federal information systems, networks and information to the point where they are safe from those who wish to do them harm. Those detractors are correct to a degree, namely that FISMA alone is not the solution to Federal information security challenges.

FISMA imposes a mandatory set of processes that must be followed for all information systems used or operated by a US Government federal agency or by a contractor or other organization on behalf of a US Government agency. These processes must follow a combination of Federal Information Processing Standards (FIPS) documents, the NIST Special Publication 800 (SP 800) series, and other legislation pertinent to federal information systems, such as the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act. Unfortunately, following these mandates only results in "compliance" and not "security."

Determine the Boundaries of the System: The first step is determining what constitutes the "information system" in question. There is not a direct mapping of computers to information systems; rather, an information system can be a collection of individual computers put to a common purpose and managed by the same system owner. NIST SP 800-18 Revision 1 provides guidance on determining system boundaries. In actual practice, no two agencies apply the guidance the same way, and the Office of Management and Budget has yet to provide useful clarification. Moreover, no two agency inspectors general evaluate the definition of system boundaries the same way either. Therefore, no two departments or agencies are applying the same approaches to defining systems, applications, interconnections or controls.

Source: www.en.wikipedia.org, 2007