EDUCAUSE | Government Documents, Laws, Testimonies or Reports and Security Policies

Standards for Security Categorization of Federal Information and Information Systems (FIPS-199)

ckeller — Mon, 03 Mar 2008 13:55:22 -0600

The E-Government Act of 2002 (Public Law 107-347), recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines, including the development of:
- Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.
FIPS Publication 199 addresses the first task cited -- to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.

Corporate Information Security Working Group:

drupal — Wed, 12 Jan 2005 13:01:23 -0600

The Corporate Information Security Working Group (CISWG) was originally convened in November 2003 by Representative Adam Putnam (R-FL). The Best Practices team surveyed available information security guidance. It concluded in its March 2004 report that much of this guidance is expressed at a relatively high level of abstraction and is therefore not immediately useful as actionable guidance without significant and often costly elaboration. In a subsequent phase convened in June 2004, the Best Practices and Metrics teams was charged with refining Information Security Program Elements and developing recommended Metrics supporting each of the elements. This report is the result of that effort and represents a resource that will help Board members, managers, and technical staff establish their own comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

Protecting Our Nation's Cyber Space: Educational Awareness for the Cyber Citizen

drupal — Mon, 19 Apr 2004 09:06:40 -0500

Over the last decade, the number of computers connected to the Internet has increased significantly. As a result, the discovery and exploit of a vulnerability in a major software program has become a threat to the stability of the Internet and the continuance of commerce. For example, the Blaster worm infected over 400,000 computers worldwide in less than 5 days. This level of infection occurred despite the fact that the patch that would have prevented infection had been available for over a month. At the same time, millions of copies of the SoBig.F worm spread across the Internet in one of the fastest attacks ever recorded. In fact, about one in three internet users are infected with a virus or worm every year. Moreover, research by security firm, Qualys, Inc., indicates that as the furor over a vulnerability dies down, the number of unpatched systems begins to once again increase. This leads to the chilling conclusion that worms could make second appearances, exploiting the same vulnerabilities.

So, why aren't cyber citizens patching their systems, installing firewalls and keeping their anti-virus programs up to date? What are the best tools available to increase our cyber protection? This hearing will examine the current public and private initiatives underway to educate home users and small business on basic cyber security. Among the initiatives presented will be those aimed at small business, children, older students and the average home user.