Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:
When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.
— "Q&A: Federal info security isn't just about FISMA compliance, auditor says: Most agencies still have security gaps, according to Gregory Wilshusen", by Jaikumar Vijayan, Computerworld, June 14, 2007
Sounds like they haven't implemented numerous simple security measures that were known before FISMA, they don't have processes to do so, and they don't adequately report what they're doing, even with FISMA. What to do?
The report notes how extensive the problem is:
For example, agencies did not consistently identify and authenticate users to prevent unauthorized access, apply encryption to protect sensitive data on networks and portable devices, and restrict physical access to information assets. In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, such as patching key servers and workstations in a timely manner; assign incompatible duties to different individuals or groups so that one individual does not control all aspects of a process or transaction; and maintain or test continuity of operations plans for key information systems. An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs. Nevertheless, federal agencies have continued to report steady progress in implementing certain information security requirements. However, IGs at several agencies sometimes disagreed with the agency's reported information and identified weaknesses in the processes used to implement these and other security program activities. Further, opportunities exist to enhance reporting under FISMA and the independent evaluations completed by IGs.
SANS interprets this as a call to better measurement. I agree, as one next step. Eventually, U.S. federal agencies will get serious about security, probably after multiple major breaches cost them billions of dollars, and several Senators and Congress members lose elections over those breaches, and then measurement will happen.
After that, maybe they can move on to risk management for things that can't be completely measured. Plus, as we've seen with SOX, checklists and measurements are no good without better processes, such as those recommended by Basel II. Good agency processes could help establish a culture of security consciousness that could be effective.
None of this is to say that FISMA is necessarily bad; it has at least given the GAO a yardstick for saying agencies aren't secure, just as even SOX can be useful in filtering which companies have Initial Public Offerings.
However, not all processes are good:
Another initiative that the OMB is now requiring agencies to undertake, which I think is a very positive step, is the use of common security configurations [on all agency systems]. It is based on an initiative started by the Air Force in which they worked with Microsoft to ship what they called "secure configurations" on each issue of Microsoft Windows that was shipped to the Air Force. Now they are trying to do that on a governmentwide basis. I think that's a very positive thing.
Gregory Wilshusen is saying monoculture is a good thing. Not surprisingly, I disagree, and I predict that government-wide monoculture will be the prime enabler of the big-bucks break-ins that will finally cause security culture change.
-jsq
It's not that the framework doesn't work, it's that the implementation doesn't work.
In our world of security, you have to make a cost-benefit-risk comparison and the current culture of "there is no such thing as acceptable risk" is what's killing us. As long as we keep referring to the process as "compliance" instead of "risk management", we will have a problem. That's what Gregory Wilshusen is saying, but everybody misinterprets it to mean that the law doesn't work.
Some of my own postings on this subject from the last week:
http://www.guerilla-ciso.com/archives/157
http://www.guerilla-ciso.com/archives/150
And please be careful about what SANS says. They're trying to make money off selling their training: "PPS There is one more week until the deadline for low-cost registration to the largest cyber security program in Washington: SANSFIRE at the end of July."
Posted by: rybolov | June 20, 2007 at 12:43 PM
> SANS interprets this as a call to better measurement.
I interpret this as SANS now selling measurement courses ...
> Eventually, U.S. federal agencies will get serious about security, probably after multiple major breaches cost them billions of dollars, and several Senators and Congress members lose elections over those breaches, and then measurement will happen.
This is the nub of the problem. The risks that are sold (by SANS and others) are not validated; therefore, after a decade or two of selling them, the users ignore all warnings. Correctly, because they were mostly wrong and expensive in the past.
Now what is required is to concentrate on validated risks, so as to prepare an appropriate and measured response. This might change in time due to more breach notification ... it might require simple case studies that stressed costs actually incurred.
For the moment, compliance failures are a bigger risk than security failures, so the agencies' actions seem logical.
Posted by: Iang | July 10, 2007 at 02:59 PM