|
|
Sponsored Content
Special Forums
Cybersecurity
IT Security RSS
CSIS Cybersecurity Report - FISMA
Post 302266235 by Linux Bot on Tuesday 9th of December 2008 05:00:05 PM
12-09-2008
CSIS Cybersecurity Report - FISMA
The Federal Information Security Management Act (FISMA) as represented in the report by the CSIS Commission on Cyber Security for the 44th Presidency, was noted as needing an overhaul; however the report only considered a limited scope in evaluating the purpose and role FISMA plays in securing federal government information systems. Notwithstanding the discussion of making progressive updates to FISMA, in fairness with the intent of FISMA, the report fails to present many of the improvements already made as a result to the initial implementation of FISMA. A key point this section of the report focuses on is integrating performance-based measures of security into FISMA. However this ideal concept of a performance-based system only expands upon the current scorecard approach that seemingly puts agencies into a false sense of security if they achieve a higher score. Performance as a measure for security only causes an undue burden on agencies to try to improve a scores (or a performance metric), rather than improve security as a function of the operational environment that must have a directly relationship with mission assurance.
The report does indicate an active role of the government in conducting cyber assessments to assess the cyber infrastructure, but again the report does not consider the larger picture of security. The importance in external entities evaluating agency policies and procedures demonstrate the weaknesses in the organization structure for effectively delivering a mature security program. How the agency integrates security into budgetary decision-making process is key to ensure security is adequately funded (with directly relationship in the financial reports to security costs). Additionally, it is important to ensure agencies do not places security into the IT organization which must work extra hard at demonstrating to the business-side the value security provides as a cost-savings, rather than a necessary component of protecting the overall mission.
The report lacked significant substance regarding any currently ongoing activities to revamp the Federal Information Security Management Act by the amendment of the original law through the adoption (in whole or part), the Federal Information Security Management Act of 2008 (S.3474) that recently received approval by the Senate Homeland Security and Governmental Affairs. The bill in its current state takes some aggressive steps to achieve a more proactive role by the federal agencies to demonstrate their security posture to Congress, hopefully giving the American's public more confidence in the security of the federal government.
Some points really not emphasized in the report that would improve the discussion of FISMA as part of the overall advice to “Modernize authorities”, should have considered organizational improvement in information security. FISMA it a good framework, however it lacks in necessary authorities and should emphasize the realistic nature of the operations of the federal government (a diverse and decentralized infrastructure) and the challenges for implementing government policy, that do not provide flexibility to the mission constraints. The report should have added substance that reflects the role security plays in the overall strategy presented by the executive leadership. Agencies should adopt leadership roles that place information security at the executive level with a decision-making authority that enables security to be part of the business, rather than represented as a “compliance arm” or “cyber cop” of the organization.
More...
The report does indicate an active role of the government in conducting cyber assessments to assess the cyber infrastructure, but again the report does not consider the larger picture of security. The importance in external entities evaluating agency policies and procedures demonstrate the weaknesses in the organization structure for effectively delivering a mature security program. How the agency integrates security into budgetary decision-making process is key to ensure security is adequately funded (with directly relationship in the financial reports to security costs). Additionally, it is important to ensure agencies do not places security into the IT organization which must work extra hard at demonstrating to the business-side the value security provides as a cost-savings, rather than a necessary component of protecting the overall mission.
The report lacked significant substance regarding any currently ongoing activities to revamp the Federal Information Security Management Act by the amendment of the original law through the adoption (in whole or part), the Federal Information Security Management Act of 2008 (S.3474) that recently received approval by the Senate Homeland Security and Governmental Affairs. The bill in its current state takes some aggressive steps to achieve a more proactive role by the federal agencies to demonstrate their security posture to Congress, hopefully giving the American's public more confidence in the security of the federal government.
Some points really not emphasized in the report that would improve the discussion of FISMA as part of the overall advice to “Modernize authorities”, should have considered organizational improvement in information security. FISMA it a good framework, however it lacks in necessary authorities and should emphasize the realistic nature of the operations of the federal government (a diverse and decentralized infrastructure) and the challenges for implementing government policy, that do not provide flexibility to the mission constraints. The report should have added substance that reflects the role security plays in the overall strategy presented by the executive leadership. Agencies should adopt leadership roles that place information security at the executive level with a decision-making authority that enables security to be part of the business, rather than represented as a “compliance arm” or “cyber cop” of the organization.
More...
|
|
We Also Found This Discussion For You
1. What is on Your Mind?
https://www.unix.com/members/1-albums112-picture680.png (0 Replies)
Discussion started by: Neo
0 Replies
LEARN ABOUT SUNOS
auths
auths(1) User Commands auths(1) NAME
auths - print authorizations granted to a user SYNOPSIS
auths [ user ...] DESCRIPTION
The auths command prints on standard output the authorizations that you or the optionally-specified user or role have been granted. Autho- rizations are rights that are checked by certain privileged programs to determine whether a user may execute restricted functionality. Each user may have zero or more authorizations. Authorizations are represented by fully-qualified names, which identify the organization that created the authorization and the functionality that it controls. Following the Java convention, the hierarchical components of an authorization are separated by dots (.), starting with the reverse order Internet domain name of the creating organization, and ending with the specific function within a class of authorizations. An asterisk (*) indicates all authorizations in a class. A user's authorizations are looked up in user_attr(4) and in the /etc/security/policy.conf file (see policy.conf(4)). Authorizations may be specified directly in user_attr(4) or indirectly through prof_attr(4). Authorizations may also be assigned to every user in the system directly as default authorizations or indirectly as default profiles in the /etc/security/policy.conf file. EXAMPLES
Example 1: Sample output The auths output has the following form: example% auths tester01 tester02 tester01 : solaris.system.date,solaris.jobs.admin tester02 : solaris.system.* example% Notice that there is no space after the comma separating the authorization names in tester01. EXIT STATUS
The following exit values are returned: 0 Successful completion. 1 An error occurred. FILES
/etc/user_attr /etc/security/auth_attr /etc/security/policy.conf /etc/security/prof_attr ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWcsu | +-----------------------------+-----------------------------+ SEE ALSO
profiles(1), roles(1), getauthattr(3SECDB), auth_attr(4), policy.conf(4), prof_attr(4), user_attr(4), attributes(5) SunOS 5.10 25 Mar 2004 auths(1)