http://fcw.com/articles/2009/06/29/fcw-fisma-metric-change.aspx

By Ben Bain
FCW.com
June 29, 2009

The government’s current choice of metrics is partly to blame for the fact that agencies are reporting improved compliance with security requirements even while government investigators continue to find security gaps, auditors say.

Part of the problem is that although the Office of Management and Budget requires agencies to establish information technology security controls, the metrics generally do not measure how well those controls are implemented, according to the Government Accountability Office.

“Developing and using metrics that measure how well agencies implement important controls can contribute to increased focus on the effective implementation of federal information security,” said Gregory Wilshusen, director of information security issues at GAO, testifying June 25 before the House Science and Technology Committee’s Technology and Innovation Subcommittee.

Wilshusen said the current metrics probably served a useful purpose when they were developed because, at that time, many agencies weren’t performing basic security controls. However, he said, it’s time to examine how agencies implement the controls and consider other types of metrics.

[...]

Received on Mon Jun 29 2009 - 22:18:29 PDT