2005 -- A Year for New Security Policies

January 2005 -- a new year -- a time when everyone is making resolutions to lose weight, eat healthy, and exercise more. However, I haven't heard many people making a resolution to be more security conscious.

I guess that even though we live in a time when hackers are prevalent; viruses, worms and Trojans are household words; and identity theft is in the news, the general public still believes ''it can't happen to me''. Even more surprising is that many businesses still have not implemented or embraced strong security.

Being an optimist, I am hopeful that this may yet be the year of security awareness.

Security awareness begins with policies and procedures. People like to have structure in their workplace and lives, and policies/procedures provide that structure. The same goes for government agencies, too. Traditionally, it's the government that develops these policies, which are then adopted by cutting-edge businesses, and eventually become the way business is done.

In 2005, numerous security policies and guidelines are expected to be published to assist the information assurance community in assessing risk to our enterprises. Hopefully, these policies and guidelines will raise security awareness to a management level so security can be viewed as value-added, instead of as a hindrance.

One of the first lines of defense is the certification and accreditation process -- the process of ensuring that appropriate security controls have been implemented.

The Department of Defense has just completed the first round of concurrence (with comments) on the DOD Information Assurance Certification and Accreditation Process (DIACAP). This policy will update/replace the current process of completing certification and accreditation of systems and networks. The instruction focuses on identifying, implementing, and validating IA controls. In addition, this policy provides guidance on authorizing the operation of systems/networks and on managing these assets consistently with the Federal Information Security Management Act (FISMA).

The impact on the DOD infrastructure will depend upon the ''marketing'' and the incorporation of comments into the final document.

In addition to the Department of Defense, the National Institute of Standards and Technology (NIST) is developing a series of guidelines on information assurance standards. This series, the Special Publications 800-xxx, will assist with the implementation of FISMA legislation.

The first is NIST SP 800-53 -- Recommended Security Controls for Federal Information Systems -- which will assist in identifying security controls for Federal systems. This draft guideline provides a recommended set of security controls for low-, moderate-, and high-impact information systems based upon the system's FIPS 199 security categorization.

The second is NIST SP 800-37 -- Guide for the Security Certification and Accreditation of Federal Information Systems. This special publication provides guidance for the security certification and accreditation of information systems supporting the executive agencies of the federal government. NIST representatives worked with DOD OSD to try to make the DOD and Federal certification and accreditation processes complementary to each other.

Last is NIST SP 800-53A. This particular guideline supports NIST SP 800-53. The Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems will begin development this year. This document will specify, for each security control, a corresponding assessment procedure.

All of these documents will assist security managers in assessing risk. And that's what information assurance is supposed to provide -- management of risk.

It will be interesting to see if 2005 provides the tools, via these policies, to implement security controls and raise general awareness.
