From: InfoSec News (alerts at infosecnews.org)
Date: Tue Jul 13 2010 - 03:06:29 CDT
http://gcn.com/articles/2010/07/12/cybereye-fisma-evolving.aspx
By William Jackson
GCN.com
July 12, 2010
The Federal Information Security Management Act has become the whipping
boy for security vendors, chief information security officers and
legislators, but we should not be too eager to abandon it, says a
leading security researcher at the National Institute of Standards and
Technology.
"We tend to want to make 'compliance' a bad word today," said NIST
senior computer scientist Ron Ross. But regulatory compliance does not
have to be a static checklist, and it is part of effective risk
management, he said.
If the regulations are fundamentally sound and adaptable, they can
evolve to address a rapidly changing security environment, and that is
what is happening with FISMA, he said. "The fundamental reforms already
are ongoing, coming from grass-roots activities," not from policy or
legislative changes, Ross said.
As the head of NIST's FISMA implementation program, Ross, who spoke
recently about changes in cybersecurity requirements at a forum hosted
by InformationWeek, is hardly a disinterested observer. Since the
passage of FISMA in 2002, a great deal of the resources of NIST's
Computer Security Division have gone to creating standards,
recommendations and guidelines on how to achieve compliance. That body
of work has been praised as one of the accomplishments of FISMA while at
the same time condemned as overly comprehensive and prescriptive.
[...]