[ISN] Improved FISMA scores don't add up to better security,
auditor says
InfoSec News
alerts at infosecnews.org
Tue Jun 30 00:18:29 CDT 2009
http://fcw.com/articles/2009/06/29/fcw-fisma-metric-change.aspx
By Ben Bain
FCW.com
June 29, 2009
The government’s current choice of metrics is partly to blame for the
fact that agencies are reporting improved compliance with security
requirements even while government investigators continue to find
security gaps, auditors say.
Part of the problem is that although the Office of Management and Budget
requires agencies to establish information technology security controls,
the metrics generally do not measure how well those controls are
implemented, according to the Government Accountability Office.
“Developing and using metrics that measure how well agencies implement
important controls can contribute to increased focus on the effective
implementation of federal information security,” said Gregory Wilshusen,
director of information security issues at GAO, testifying June 25
before the House Science and Technology Committee’s Technology and
Innovation Subcommittee.
Wilshusen said the current metrics probably served a useful purpose when
they were developed because, at that time, many agencies weren’t
performing basic security controls. However, he said, it’s time to
examine how agencies implement the controls and consider other types of
metrics.
[...]
More information about the ISN
mailing list