FISMA: ADDRESSING CONFIDENTIALITY, INTEGRITY AND ACCESSIBILITY
ABSTRACT
The continuous proliferation of information, facilitated by advances in technology, is a constant threat to information security and privacy. The various schemes and acts of government agencies in sectors such as health and finance, among others, have contributed to information vulnerability and increased breaches of information security. Many people are of the opinion that the government has legalized spying on them, acquiring and using their private data at will. The confidentiality, integrity and availability of information have been greatly affected, and much private information has been released to the public domain either
The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source
The development of standards and techniques for all agency operations and assets (which excludes national security systems) therefore became the responsibility of NIST. NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services while working closely with all federal agencies (https://en.wikipedia.org/wiki?curid=1523470).
FISMA, through NIST and the various programs it hosts, has created a framework for compliance with the standards NIST has issued. The standards NIST has put in place to enforce compliance with FISMA include the following:
Take proper inventory of information systems: all agencies must maintain a proper inventory of their information systems.
Categorize information systems according to their risk level: to provide appropriate levels of information security, all information and information systems must be categorized according to risk.
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule, system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and is a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, a documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar, except that the focus of RMF is on information security related functions. In some cases, SDLC produces the outputs that RMF requires, and the security professionals only need a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
“The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347)” ("FIPS PUB 199," 2004). In this paper, FIPS PUB 199 has been chosen as the security standard used by the State of Maryland Department of Information Technology. This standard establishes the rules for categorizing information and information systems. By contrast, ISO/IEC 27001, a standard not used by the State of Maryland, is discussed as a comparison standard.
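The security categorization step described in the two paragraphs above (the RMF step that pairs with SDLC initiation, and the FIPS PUB 199 standard that defines it) follows a fixed rule: each information type on the system gets a LOW, MODERATE or HIGH impact value for confidentiality, integrity and availability, and the system's category is the high-water mark of those values per objective, floored at LOW, with the overall system impact being the highest of the three. The following is an added worked example of that rule, not code from the essay or from NIST; the function names and the three sample information types are constructed for illustration.

```python
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type maps each security objective to an Impact, or to None
# for "not applicable", which FIPS 199 permits only for the confidentiality
# of public information.
InfoType = Dict[str, Optional[Impact]]


def categorize_system(info_types: Dict[str, InfoType]) -> Tuple[Dict[str, Impact], Impact]:
    """Apply the FIPS 199 high-water mark across all information types on a system.

    Returns the per-objective category and the overall system impact
    (the highest of the three objectives, which drives baseline selection).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective: Dict[str, Impact] = {}
    for objective in OBJECTIVES:
        # FIPS 199 does not allow "not applicable" at the system level:
        # every objective is floored at LOW to protect the system itself.
        water_mark = Impact.LOW
        for name, levels in info_types.items():
            if objective not in levels:
                raise ValueError(f"{name!r} lacks an impact value for {objective}")
            level = levels[objective]
            if level is None:
                if objective != "confidentiality":
                    raise ValueError(
                        f"{name!r}: 'not applicable' is only permitted for confidentiality"
                    )
                continue
            water_mark = max(water_mark, level)
        per_objective[objective] = water_mark
    overall = max(per_objective.values())
    return per_objective, overall


def format_category(per_objective: Dict[str, Impact]) -> str:
    """Render the category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    parts = ", ".join(f"({o}, {per_objective[o].name})" for o in OBJECTIVES)
    return "SC system = {" + parts + "}"


# Constructed sample: three information types on one hypothetical agency system.
SAMPLE_INFO_TYPES: Dict[str, InfoType] = {
    "public web content": {
        "confidentiality": None,          # public information: N/A is allowed here
        "integrity": Impact.LOW,
        "availability": Impact.LOW,
    },
    "case management records": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
    "system audit logs": {
        "confidentiality": Impact.LOW,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
}


if __name__ == "__main__":
    per_objective, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(per_objective))
    print("overall system impact:", overall.name)
```

Run as a script, the sample categorizes as confidentiality MODERATE, integrity MODERATE, availability LOW, so the system as a whole is a MODERATE-impact system even though most of its information types are LOW; that is the point of the high-water mark, and it is why the documented system boundary from the SDLC initiation phase matters: every information type inside the boundary can raise the category.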
Congress had a substantial issue with that because the NSA was forbidden from collecting any data on American citizens, and by charter its mission was to surveil foreigners. The President’s directive was revised, denying the NSA the National Manager role. It was not until 1987 that Congress passed a bill assigning the National Bureau of Standards (now NIST), under the Department of Commerce, responsibility for developing standards and guidelines for the security of Federal computer systems, drawing upon technical
More and more people are fighting back against NSA surveillance. They are of the opinion that their personal information should be kept secret. Moreover, a fair number of organizations and even individuals have united to react against such actions by the NSA, as they are afraid that vital information about them might become known to everyone, and because the NSA’s actions disturb the privacy of organizations as well as ordinary people.
The increasing power and functionality of technology has increasingly invaded privacy and complicated security. Technology has made it possible for the government to
While many areas of the nation try to hang on in a stagnant economy, Texas is booming, including the DFW Metroplex. Frisco is an affluent suburb of Dallas, and is also experiencing a booming economy. The population is growing at a rate higher than ever before as people move in for jobs, the high quality of living, housing opportunities in Frisco, TX real estate, and its highly-ranked school districts. In fact, Frisco is ranked as number 1 in the fastest growing school district in Texas. Furthermore, the projected growth is expected to reach an additional 70,000 students within the next 5 years.
Assess the adequacy and effectiveness of the organization’s IS security policy. In addition, assess whether the control requirements specified in the organization’s IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to be applicable to all information systems:
The main goal of information security is to protect the entire network system from loss of confidentiality, integrity, and availability. All data and information transferred to and stored on the DoD system will require encryption to protect confidentiality.
Federal Information Security Management Act: This act was passed in 2002 as Title III of the E-Government Act. Its purpose is to ensure that federal agencies protect their data. It assigns specific responsibilities to federal agencies: they are responsible for protecting their systems and data, complying with all elements of FISMA, and integrating security into all processes.
Government surveillance in the past was not a big threat due to the limitations of technology; however, in the current day, it has become an immense power for the government. Taylor, author of a book on electronic surveillance, supports this: "A generation ago, when records were tucked away on paper in manila folders, there was some assurance that such information wouldn't be spread everywhere. Now, however, our life stories are available at the push of a button" (Taylor 111). With more and more Americans logging into social media sites and using text-messaging devices, the government has ever more providers of metadata to draw on. In her journal article “The Virtuous Spy: Privacy as an Ethical Limit”, Anita L. Allen, an expert on privacy law, writes, “Contemporary technologies of data collection make secret, privacy invading surveillance easy and nearly irresistible. For every technology of confidential personal communication…there are one or more counter-technologies of eavesdropping” (Allen 1). Being in the middle of the Digital Age, we have to be much more careful about the kinds of information we put on our digital devices.
“The American National Standards Institute (ANSI) was founded in 1918 and is headquartered in Washington, D.C., with an operational office in New York City. Its mission is “to enhance both the global competitiveness of U.S. business and the
A security administrator can look to the Information Technology Code of Practice for Information Security Management (ISO 17799/BS 7799), the NIST security models including SP 800-12, 14, 18, 26, and 30, and the VISA International Security Model; these are just a few of the established security frameworks available.
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, manages the Baldrige National Quality Program. NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Through a network of technology extension centers and field offices serving all 50 states and Puerto Rico, NIST helps small- and medium-sized businesses access the information and expertise they need to improve their competitiveness in the global marketplace.
The heightened impact of data breaches on users necessitated the emergence of state and federal laws mandating that organizations adhere to certain information security protocols. FERPA, HIPAA, GLBA and PCI DSS are a few of the laws and standards that require organizations to draft and implement information security practices to protect the information at their disposal. Organizations started creating compliance teams and compliance programs to ensure their adherence to and compliance with various laws and regulations.
Information classification assures confidentiality by using a predefined measure to classify and handle information and to decide whether it is allowed for distribution or not.