William Jackson | Security is a culture
Cybereye'commentary: Beyond FISMA <@VM>Coda: One more reason to dread April 15
- By William Jackson
- Mar 27, 2008
A Senate subcommittee came to an unsurprising conclusion earlier this month about the Federal Information Security Management Act: FISMA compliance does not equal security.
The Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee held a hearing to wrestle with the question of why we continue to see data losses and breaches of federal information technology systems at the same time that metrics for FISMA compliance are improving.
Tim Bennett, president of the Cyber Security Business Alliance, pointed out the obvious: 'FISMA does not tell the whole story when it comes to agencies' information security practices. Nowhere is an agency's ability to detect and respond to intrusions measured in FISMA.'
This doesn't mean FISMA, imperfect as it might be, is at fault. The 2002 act is merely a tool, requiring a set of practices that can be used to improve information security.
Karen Evans, Office of Management and Budget administrator for e-government and IT, said FISMA's ability to improve security 'depends on how the agency is doing this work.'
In measuring the effectiveness of the six-year-old law, it's worth keeping in mind that the government, like the rest of the world, is facing a continually changing set of IT threats. Hacking has gone from a vanity pastime for a handful of whiz kids to a sophisticated criminal enterprise supported by its own black market for botnets, vulnerabilities, malicious code and stolen information.
In some cases, we might well be up against rival nations looking to tap into our information infrastructure.
Penetration of a system does not necessarily mean that overall security has failed. It merely means that security is a constantly evolving goal with new challenges to be met every day.
Even an agency that is doing everything right could occasionally find itself a victim.
The important question to consider is: How well is the agency prepared to deal with it when this happens? Recommendations for fine-tuning FISMA with better guidance, audit and reporting requirements make sense. But flaws in our IT security are not the fault of FISMA, and no amount of legislation will make our IT systems secure. In the long run, two things need to be done to improve IT security.
First, there has to be a culture of security in the agencies so FISMA is used as the tool it is meant to be and not as a goal in itself.
This is the only way our security can continue to evolve with the threats. When security is a static condition, it becomes a Maginot line, and it will not take long for someone to find a way around it.
Second, agencies must have adequate funding for IT security. Without it, agencies too often have to choose between merely complying with FISMA and using it as an effective tool. Given that compliance is required by law, compliance will win ' and time and effort will go into paperwork. In an ideal world, that documentation would be a byproduct of better security, not an end in itself.Tax season is bad enough with only the Internal Revenue Service to worry about.
But this year we also have some clever ' or not-so-clever ' spammers to deal with.
Security companies are reporting spam e-mail messages that target the greedy and the careless this tax season. If you are gullible enough to believe that someone is going to send you a tax refund if you go to a Web site and enter your credit card information, you are likely to find yourself a lot poorer rather than richer. If you are entitled to a tax refund, the IRS doesn't need your credit card information to send it to you.
Then there are the e-mail messages purporting to be from the IRS or TurboTax requiring you to update your tax software. Of course, what you end up with is some malicious code that will compromise your computer's security and put your data at risk.
The IRS does not require anyone to have tax preparation software, and if you need to update software from a legitimate company, go to that company's Web site rather than clicking on a link in an e-mail. A simple rule of thumb for tax season ' and every season ' is to remember that the government does not conduct business with its citizens by e-mail.
And anytime you see an e-mail message stating that you are required to do anything, you should be suspicious.
William Jackson is freelance writer and the author of the CyberEye blog.