| Throughout the 1990s, pressure was on the US government to reduce inefficiencies in federal programs. In an effort to increase public confidence, Congress enacted the Chief Financial Officers Act (CFO Act) in 1990, in order to regulate accounting, auditing and financial reporting practices of the federal government. In addition to the CFO Act, the article also explores a number of amendments and related Acts which build upon the goals of improved efficiency, productivity and efficacy in federal agencies. Requirements under the CFO Act To meet the demand for improved accountability and transparency from the financial management practices of federal agencies, the CFO Act [...] Cybersecurity is one of the highest national priorities in the US. In order to preserve cybersecurity, legislation such as the FISMA (Federal Information Security Management Act) has been substantially updated to improve capacity for preventing, detecting and responding to threats. Ongoing updates to legislation seem to suggest a shift from simply demanding compliance to adoption of a continuous monitoring model. What is Continuous Monitoring? In contrast to traditional monitoring processes, which use only a small sample of events, continuous monitoring audits the system during or immediately after they occur. What is being monitored? 1. Primary Monitoring – this involves security controls. The primary focus [...] In October 2009, the US federal Office of Management and Budget (OMB) released CyberScope, a reporting tool for federal agencies. Under the FISMA (the Federal Information Security Management Act of 2002), agencies are obliged to report on their information security statuses. The introduction of CyberScope aimed to correct any weaknesses and streamline the IT security reporting process. This article takes a look at how CyberScope has improved upon the FISMA reporting approach. Background The FISMA, enacted in 2002 under the E-Government Act of 2002, required regular reporting from federal agencies regarding their information security practices. These reports were to be submitted on [...] The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for information security for all civilian federal agencies. It produces security controls for information systems, which are the safeguards necessary to protect the confidentiality, integrity and availability of the data. The NIST SP (Special Publication) 800-53: Recommended Security Controls for Federal Information Systems defines security controls for executive agencies of the US federal government. This article introduces the publication and some of its key concepts. Purpose of NIST SP 800-53 The FISMA (Federal Information Security Management Act) mandates that information system must adequately protect government data. Under [...] SCAP is a means of applying standards to ensure management and measurement of vulnerabilities. The objective of SCAP is to facilitate evaluation and policy compliance by integrating the goals of IT with those of IT security. What is SCAP? SCAP (Security Content Automation Protocol) enables maintenance and assessment of enterprise systems security to be conducted in a standardized manner. SCAP is made up of several open standards that are used to identify and describe flaws and other security issues. SCAP standards may be able to carry out any of the following tasks: - Automatically verify patches - Check system security [...] Canadian Privacy Impact Assessments (PIAs) identify potential privacy threats that exist in new or revamped federal government programs or services. The objective of the assessment is to eliminate or reduce privacy or security threats. All federal departments, agencies and institutions are obliged to conduct PIAs for any programs or services that may raise privacy concerns. As part of the process, the department must examine and asses the procedures for protection of personal information throughout the program’s lifecycle (i.e. collection, storage, usage, disclosure and [...] Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the Privacy Act of 1974 and the Federal Information Security Management Act, individuals are guaranteed the security of their data, making adequate protection of data a matter of [...] Memorandum 06-19 was issued by the Office of Management and Budget in July 2006 to update the reporting requirements for data breaches involving personally identifiable information. It also addressed the need to budget in anticipation of providing adequate data security. Memorandum 04-26 was issued in September 2004 regarding personal use policies for employees accessing government computers and the use of file sharing [...] In September 2006, The Office of Management and Budget issued a memorandum suggested by the President’s Identity Theft Task Force to help government departments and agencies adequately protect data. What is Identity Theft? Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financial related fraud. This is achieved either by using financial account information or using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity [...] In May 2006, an Executive Order of the President created the Identity Theft Task Force. The Task Force includes members of several Federal agencies and departments. In September 2006, the Task Force released a number of recommendations ahead of the May 2007 document “Combatting ID Theft: Strategic Plan” in order to help agencies get a head start on the growing problem of identity [...] | |
