Analysis: FISMA Not Real Security Measure
A UPI article by Shawn Waterman, via The Middle East Times, reports that:
The Federal Information Security Management Act of 2002 says all federal departments and agencies must conduct yearly assessments to measure their compliance with information security standards in the act.
In May the Justice Department's compliance was rated A-plus by the U.S. House Committee on Oversight and Government Reform.
But FISMA mandates, as the inspector general's report noted, are primarily concerned with ensuring that all agencies "have policies and procedures to enhance the security of information in their IT systems."
The Justice Department's A-plus grade, therefore, "did not assess whether the Department has actually implemented these processes, nor did it assess the actual security of the Department's IT systems."
"Unfortunately, FISMA has become a compliance exercise," said Shannon Kellogg, director of information security policy for EMC Corp. As a result, he said, "even if an agency receives a good grade, it does not mean that that agency has significantly reduced risks to information security or reduced the number of serious cyber incidents."