William Jackson | Security is a culture

 


Cybereye commentary: FISMA compliance does not equal security.

A Senate subcommittee came to an unsurprising conclusion earlier this month about the Federal Information Security Management Act: FISMA compliance does not equal security.

The Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee held a hearing to wrestle with the question of why we continue to see data losses and breaches of federal information technology systems at the same time that metrics for FISMA compliance are improving.

Tim Bennett, president of the Cyber Security Business Alliance, pointed out the obvious: "FISMA does not tell the whole story when it comes to agencies' information security practices. Nowhere is an agency's ability to detect and respond to intrusions measured in FISMA."

This doesn't mean FISMA, imperfect as it might be, is at fault. The 2002 act is merely a tool, requiring a set of practices that can be used to improve information security.

Karen Evans, Office of Management and Budget administrator for e-government and IT, said FISMA's ability to improve security "depends on how the agency is doing this work."

In measuring the effectiveness of the six-year-old law, it's worth keeping in mind that the government, like the rest of the world, is facing a continually changing set of IT threats. Hacking has gone from a vanity pastime for a handful of whiz kids to a sophisticated criminal enterprise supported by its own black market for botnets, vulnerabilities, malicious code and stolen information. In some cases, we might well be up against rival nations looking to tap into our information infrastructure.

Penetration of a system does not necessarily mean that overall security has failed. It merely means that security is a constantly evolving goal with new challenges to be met every day. Even an agency that is doing everything right could occasionally find itself a victim. The important question to consider is: How well is the agency prepared to deal with it when this happens?

Recommendations for fine-tuning FISMA with better guidance, audit and reporting requirements make sense. But flaws in our IT security are not the fault of FISMA, and no amount of legislation will make our IT systems secure. In the long run, two things need to be done to improve IT security.

First, there has to be a culture of security in the agencies so FISMA is used as the tool it is meant to be and not as a goal in itself. This is the only way our security can continue to evolve with the threats. When security is a static condition, it becomes a Maginot Line, and it will not take long for someone to find a way around it.

Second, agencies must have adequate funding for IT security. Without it, agencies too often have to choose between merely complying with FISMA and using it as an effective tool. Given that compliance is required by law, compliance will win, and time and effort will go into paperwork. In an ideal world, that documentation would be a byproduct of better security, not an end in itself.

Tax season is bad enough with only the Internal Revenue Service to worry about. But this year we also have some clever (or not-so-clever) spammers to deal with.

Security companies are reporting spam e-mail messages that target the greedy and the careless this tax season. If you are gullible enough to believe that someone is going to send you a tax refund if you go to a Web site and enter your credit card information, you are likely to find yourself a lot poorer rather than richer. If you are entitled to a tax refund, the IRS doesn't need your credit card information to send it to you.

Then there are the e-mail messages purporting to be from the IRS or TurboTax requiring you to update your tax software. Of course, what you end up with is some malicious code that will compromise your computer's security and put your data at risk. The IRS does not require anyone to have tax preparation software, and if you need to update software from a legitimate company, go to that company's Web site rather than clicking on a link in an e-mail.

A simple rule of thumb for tax season, and every season, is to remember that the government does not conduct business with its citizens by e-mail. And anytime you see an e-mail message stating that you are required to do anything, you should be suspicious.








