Monday, October 25, 2010

ISACA Journal article - ‘FISMA 2010: What It Means for IT Security Professionals’

The US Federal Information Security Management Act (FISMA), passed in 2002, launched the major cybersecurity efforts of the US federal government. This article is an update on FISMA as the ‘centerpiece’ of all US laws aimed at improving cyberdefense. The ‘family’ of National Institute of Standards and Technology (NIST) Special Publications is a direct extension of FISMA and plays a big role in the security of US government information assets.

We are big fans of NIST Special Publications and use them extensively in our audits. The article also refers to recent US Government Accountability Office (GAO) reports on the huge increase in attacks on federal information systems in the last few years.

We recommend this article to anyone in the IT audit and security industry whether they work in the government or in the private sector.

References:
Modi, Tarak (CISA, CISSP, PMP). ‘FISMA 2010: What It Means for IT Security Professionals.’ ISACA Journal, 2010, Volume 5. http://www.isaca.org/Journal/Past-Issues/2010/Volume-5/Pages/default.aspx

National Institute of Standards and Technology, Computer Security Division, Special Publications. http://csrc.nist.gov/publications/PubsSPs.html

Sunday, October 17, 2010

DarkReading.com is an excellent dashboard on IT security

We have become big fans of the 'Dark Reading' website (www.darkreading.com) on IT security. The site is the result of combining CMP Media's Secure Enterprise and Security Pipeline publications, part of United Business Media's Techweb (www.techweb.com). Its mission is comprehensive coverage of IT and information security: a 'security dashboard' for IT professionals.

There are specialized webpages on application security, perimeter security, security management and more. We are regular readers of the database security page. Bravo! Pass the good word on this excellent site.

Tuesday, October 5, 2010

2010 Oracle Database surveys – widespread weakness in database security and control

Two new surveys on data security and database growth were published recently. Both are 2010 surveys sponsored by Oracle Corporation, conducted by Unisphere Research and published by the Independent Oracle Users Group (IOUG); see the links below.

The surveys found widespread weakness and vulnerability in commercial databases. In spite of government and industry regulations around the world, weak database security and control remain a continuing problem.

The surveys found that a majority of companies are expecting a data security incident or attack in the next 12 months. Only 30% of companies are encrypting personally identifiable information – the most sensitive data. An even smaller number of companies have controls to prevent privileged users from accessing sensitive data. Companies do not appear to have a good handle on database security.

There is much work to be done. Our opinion at Continental Audit is that this is an urgent issue. A company’s data is its ‘crown jewels.’ It should be protected accordingly.

The surveys can be found at the following URLs:
http://www.ioug.org/tabid/90/Default.aspx
http://www.oracle.com/newsletters/information-indepth/security/oct-10/iougsurvey.html?msgid=3-2401132434