I guess that even though we live in a time when hackers are prevalent; viruses, worms and Trojans are household words; and identity theft is in the news, the general public still believes "it can't happen to me". Even more surprising is that many businesses still have not implemented or embraced strong security.
Being an optimist, I am hopeful that this may yet be the year of security awareness.
Security awareness begins with policies and procedures. People like to have structure in their workplace and lives, and policies and procedures provide that structure. The same goes for government agencies, too. Traditionally, it's the government that develops these policies, which are then adopted by cutting-edge businesses and eventually become the way business is done.
One of the first lines of defense is the certification and accreditation process -- the process of ensuring that appropriate security controls have been implemented.
The Department of Defense has just completed the first round of concurrence (with comments) on the DOD Information Assurance Certification and Accreditation Process (DIACAP). This policy will update and replace the current process for completing certification and accreditation of systems and networks. The instruction focuses on identifying, implementing, and validating IA controls. In addition, this policy provides guidance on authorizing the operation of systems and networks and on managing these assets consistently with the Federal Information Security Management Act (FISMA).
The impact on the DOD infrastructure will depend on the "marketing" of the policy and on how the comments are incorporated into the final document.
In addition to the Department of Defense, the National Institute of Standards and Technology (NIST) is developing a series of guidelines on information assurance standards. This series, the Special Publications 800-xxx, will assist with the implementation of the FISMA legislation.
NIST SP 800-53 -- Recommended Security Controls for Federal Information Systems -- will assist in identifying security controls for Federal systems. This draft guideline provides a recommended set of security controls for low-, moderate-, and high-impact information systems based upon the system's FIPS 199 security categorization.
The second is NIST SP 800-37 -- Guide for the Security Certification and Accreditation of Federal Information Systems. This special publication provides guidance for the security certification and accreditation of information systems supporting the executive agencies of the federal government. NIST representatives worked with DOD OSD to try to make the DOD and Federal certification and accreditation processes complementary to each other.
Last is NIST SP 800-53A -- Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems -- which complements NIST SP 800-53 and will begin development this year. This document will specify, for each security control in SP 800-53, a corresponding assessment procedure.
All of these documents will assist security managers in assessing risk. And that's what information assurance is supposed to provide -- management of risk.
It will be interesting to see if 2005 provides the tools, via these policies, to implement security controls and raise the general awareness.