Fine Tuning FISMA
The Federal Information Systems Security Educator’s Association (FISSEA) is working on fine tuning FISMA reporting.
Headquartered in NIST’s Computer Security Resource Center is FISSEA – The Federal Information Systems Security Educator’s Association. Founded in 1987, FISSEA is an organization run by and for federal information systems security professionals. It assists federal agencies in meeting their computer security training responsibilities.

One current FISSEA activity is investigating whether to come up with a framework for standardizing the definition of who has “significant information security responsibilities” within a department. Part of each agency’s FISMA report to Congress contains data on:
• The total number of employees with “significant IS responsibility”
• The number of those employees who received specialized role-based training
• The total cost of the training
• A description of what the training was.

Inspectors general (IGs) also are supposed to report whether the agency has ensured that those with significant IT security responsibilities have received their training.

Categorizing Consistency
While this is not a new requirement, labeling who has “significant IT security responsibilities” is done completely differently across agencies; there is no consistency. Two people can have the same title but work at different agencies. One agency says the person has “significant responsibilities”; the other agency says the person doesn’t.

It raises the question: without consistency, how can OMB and Congress adequately assess who is doing what? So should there be a federal standard? Does it need to come from NIST?

FISSEA board members Mark Wilson and Susan Hensche, a Nortel consultant to the State Department, are working on this effort. Hensche will lead a session at the upcoming 21st Annual FISSEA Conference that centers on whether there needs to be a federal standard for who has “significant information security responsibilities”.

Hensche defines those people as:

“Anyone who has responsibilities in managing IA or IA programs at the enterprise level and anyone who has responsibility in owning, managing, procuring, budgeting for, protecting, developing, operating, overseeing and/or disposing of a major information system.”

That definition represents a different way of looking at who has “significant information security responsibilities”. The bottom line is that while everyone has information security responsibilities, the key is who has “significant information security responsibilities” and needs to be reported as part of the FISMA grade.

Session content will focus on current OPM, OMB and NIST guidelines; how they evolved; where they diverge; and how the guidelines haven’t kept up with what’s happening in the field. The session will also look at the methodology State is using, which will be made available for other agencies that want to capitalize on State’s experience identifying these individuals.

FISSEA Conference, NIST HQ, March 11-13

Held at NIST headquarters in Gaithersburg, MD, the conference caters to the needs of information systems security professionals, trainers, developers, educators, managers, CIOs, academia, and researchers involved with information systems security awareness, training, education, certification, and professionalism.

Attendees discover new ways to improve their IT security programs, gain awareness and training ideas and resources, and obtain practical solutions to training problems.

A prime example will be Susan Hensche’s session on fine tuning the definition of FISMA’s “Significant IT Security Responsibilities” and developing a consistent methodology to report this information.

In addition, there are great networking opportunities, and professionals can earn CPE credits and learn about the latest IS products and services from leading private-sector providers.

Register at www.FISSEA.org.
