Information Security News mailing list archives

Is 'fear the auditor' holding back real IT security?


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 10 May 2013 03:13:04 -0500 (CDT)

http://gcn.com/blogs/cybereye/2013/05/is-fear-of-audit-holding-back-real-it-security.aspx

By William Jackson
Cybereye
GCN.com
May 09, 2013

Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: “Are you satisfied that where you are is good enough? Do you understand the risk?”

Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.

The issue of understanding and managing IT risk takes on greater significance with the growing emphasis on automating security. Security professionals, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since the passage of the Federal Information Security Management Act of 2002.

Critics of the act -- or at least of how it has been implemented -- say that an emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. With the introduction of tools to monitor systems, respond to incidents and report on status, there is a chance to finally settle the battle in favor of security.

The question, said Scanlon, is “are we going to automate compliance or automate risk management?”

Speaking at a cybersecurity conference hosted by (ISC)2, Scanlon said that FISMA was never intended to be about compliance. The opening paragraphs of the act spell out that its intent is to “provide a comprehensive framework for ensuring the effectiveness of information security controls,” and “. . . provide effective governmentwide management and oversight of the related information security risks . . . .”

[...]

