| Cybersecurity is one of the highest national priorities in the US. In order to preserve cybersecurity, legislation such as the FISMA (Federal Information Security Management Act) has been substantially updated to improve capacity for preventing, detecting and responding to threats. Ongoing updates to legislation seem to suggest a shift from simply demanding compliance to adoption of a continuous monitoring model. What is Continuous Monitoring? In contrast to traditional monitoring processes, which use only a small sample of events, continuous monitoring audits the system during or immediately after they occur. What is being monitored? 1. Primary Monitoring – this involves security controls. The primary focus [...] In October 2009, the US federal Office of Management and Budget (OMB) released CyberScope, a reporting tool for federal agencies. Under the FISMA (the Federal Information Security Management Act of 2002), agencies are obliged to report on their information security statuses. The introduction of CyberScope aimed to correct any weaknesses and streamline the IT security reporting process. This article takes a look at how CyberScope has improved upon the FISMA reporting approach. Background The FISMA, enacted in 2002 under the E-Government Act of 2002, required regular reporting from federal agencies regarding their information security practices. These reports were to be submitted on [...] The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for information security for all civilian federal agencies. It produces security controls for information systems, which are the safeguards necessary to protect the confidentiality, integrity and availability of the data. The NIST SP (Special Publication) 800-53: Recommended Security Controls for Federal Information Systems defines security controls for executive agencies of the US federal government. This article introduces the publication and some of its key concepts. Purpose of NIST SP 800-53 The FISMA (Federal Information Security Management Act) mandates that information system must adequately protect government data. Under [...] SCAP is a means of applying standards to ensure management and measurement of vulnerabilities. The objective of SCAP is to facilitate evaluation and policy compliance by integrating the goals of IT with those of IT security. What is SCAP? SCAP (Security Content Automation Protocol) enables maintenance and assessment of enterprise systems security to be conducted in a standardized manner. SCAP is made up of several open standards that are used to identify and describe flaws and other security issues. SCAP standards may be able to carry out any of the following tasks: - Automatically verify patches - Check system security [...] Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the Privacy Act of 1974 and the Federal Information Security Management Act, individuals are guaranteed the security of their data, making adequate protection of data a matter of [...] Memorandum 06-19 was issued by the Office of Management and Budget in July 2006 to update the reporting requirements for data breaches involving personally identifiable information. It also addressed the need to budget in anticipation of providing adequate data security. Memorandum 04-26 was issued in September 2004 regarding personal use policies for employees accessing government computers and the use of file sharing [...] OMB Memoranda 06-15 and 06-16: Safeguarding Information Maintained by the U.S. Government In 2006, the Office of Management and Budget published two memoranda back to back dealing specifically with protecting certain types of information maintained by the Federal Government. M-06-15 addresses safeguarding personally identifiable information. M-06-16 deals with the protection of sensitive agency information. Both memoranda reiterate the security requirements of previous regulations, and expand upon them to make them more effective. OMB M-06-15: Safeguarding Personally Identifiable Information M-06-15 served as a reminder to government agencies of their responsibilities towards protecting personally identifiable information. Under the Privacy Act of 1974 agencies must: Establish rules [...] The E-Government Acts of 2002 involved a large number of new regulations to implement and control the use of electronic technologies by the U.S. Government. Title III of this Act, called the Federal Information Security Management Act required all Government agencies to develop extensive information security [...] If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded. However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands. The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry [...] | |
