[ISN] Time to move beyond FISMA, CISOs say
By Jason Miller
May 23, 2007
The Federal Information Security Management Act (FISMA) will be five
years old in November, and it has achieved its goal of raising the
government’s awareness of cybersecurity, federal officials say.
Some chief information security officers say agencies must move beyond
the law’s requirements to address real-time monitoring and install
proactive and dynamic defenses.
“We need to move above and beyond the paper exercises and see what is
happening and evaluate ourselves against it,” said Ed Meagher, the
Interior Department’s deputy chief information officer. “We can’t stop
doing the reporting that FISMA requires, but we need to look for ways to
understand what the threats are and in real time.”
Michael Castagna, the Commerce Department’s CISO, said FISMA provided
visibility and a way to communicate security requirements to senior
managers and other employees.
“Security must be rooted in the organization’s culture,” he said during
a panel discussion on information technology security sponsored by Cisco
Systems and FCW Events. “FISMA helped us put security in our governance
processes, [such as] capital planning and investment control, IT
investments, and enterprise architecture.”
One agency participant agreed with Meagher and Castagna that FISMA has
succeeded in getting agencies to focus on security in their day-to-day

Now CISOs must take a more aggressive approach to spreading the word
about cybersecurity, Meagher said.
“The CISO community is hesitant to speak up because they feel like they
are not at the table [with other chiefs] yet,” he said. “The one thing
they must stop is management complacency. Telling them to do it is not

Meagher said it is best for CISOs to be visible throughout the agency
and have a track record of success.
“You need to know your priorities based on your mission needs,” said
Dennis Heretick, the Justice Department’s CISO. “You then prioritize
your requirements based on risk.”
Patrick Howard, the Department of Housing and Urban Development’s CISO,
said the agency focuses on ensuring security when planning and
developing new systems.
“We are designing the controls at the right stage to support our
business better,” he said. “We are trying to move out of playing
catch-up with our older systems.”
Heretick said the risk for most agencies lies in their installed base of
older systems, so Justice is focusing on those first and using new
systems to replace applications that cannot be updated or are too
expensive to improve.