[ISN] Guidance drafted on security reports

From: InfoSec News (isnat_private)
Date: Thu Apr 19 2001 - 23:48:17 PDT

Next message: InfoSec News: "[ISN] Exploit devastates WinNT/2K security"

Previous message: InfoSec News: "[ISN] Key to breaking Nazi code was in the patent office"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.fcw.com/fcw/articles/2001/0416/web-draft-04-19-01.asp

BY Diane Frank
04/19/2001

The Office of Management and Budget is circulating draft guidance on
what agencies should include in the annual reports they must produce
under the Government Information Security Reform Act.

The act, passed in October 2000 as part of the fiscal 2001 Defense
Authorization Act, is intended to foster good security practices
within civilian and national security agencies. It requires chief
information officers and inspectors general to perform vulnerability
assessments on their agencies security programs and practices.

OMB issued general guidance in January on the approach that agency
program managers and IGs should take on the assessments. But now, OMB
is providing a draft of guidance that details exactly what information
should be included in the reports. In the draft guidance, which is not
available online, OMB asks agencies for:

* An executive summary from the agency head on how the agency is
  implementing GISRA. The summary should combine information from the
  agency CIO and the agency IG, and it will form the basis of OMBs
  summary to Congress.

* Details about the agencies annual program reviews and
  evaluations. Agencies will provide details on every program and
  system by answering 11 questions that range from identifying funding
  to describing the performance measures used by program managers and
  CIOs.

Agencies reports on their security evaluations are due to OMB by
September. OMB will compile the reports and submit a governmentwide
report to Congress. Congress in turn will use the reports to determine
whether an agency is adequately protecting the systems that support
its services to employees and citizens.

By Oct. 30, agencies must report to OMB the strategies, milestones and
obstacles involved in addressing any security weaknesses found in the
assessments.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVat_private with a message body of
"SIGNOFF ISN".

Next message: InfoSec News: "[ISN] Exploit devastates WinNT/2K security"
Previous message: InfoSec News: "[ISN] Key to breaking Nazi code was in the patent office"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 03:45:38 PDT