Questioning FISMA Reform Without a New Law

[InfoSec News <alerts () infosecnews org>]

http://www.bankinfosecurity.com/blogs/questioning-fisma-reform-without-new-law-p-1445

By Bruce Brody
Bank Info Security
April 4, 2013

A recent article concerning how to reform the Federal Information 
Security Management Act without enacting new legislation caught my 
attention.

In my take on that article [see 6 Ways to Reform FISMA without New Law], 
two former Office of Management and Budget officials contend that agency 
inspectors general should adopt an enhanced risk management framework, 
after which the National Institute of Standards and Technology would 
reorient its volumes of guidelines to center on the unknowable threat, 
which would then drive a more threat-informed risk management framework 
in each agency. That, in turn, would compel the IGs to prioritize their 
annual findings against the agency's risk profile, upon which the chief 
information officers would incorporate the IGs findings into the 
agency's strategic plan.

Is this a move that mirrors the best practices of the security programs 
at the Fortune 500 companies? It's not even close. This approach 
disregards the inadequacies of the FISMA legislation and adds naively 
considered processes to the mountain of processes that clog the 
agencies' security arteries.

Simply stated, FISMA is flawed, and FISMA must be reformed. To assert 
otherwise is to not fully appreciate the degree to which FISMA missed 
the mark on information security and risk management. And continuing to 
paper it over is not an approach; it's a never ending tragedy.

[...]


______________________________________________
Attend #HITB2013AMS April 8th - 11th in Amsterdam.
Featuring over 42 international speakers and keynotes
by Bob Lord and Edward Schwartz http://conference.hitb.org