[ISN] Improved FISMA scores don't add up to better security, auditor says

From: InfoSec News <alerts_at_private>
Date: Tue, 30 Jun 2009 00:18:29 -0500 (CDT)

By Ben Bain
June 29, 2009

The government’s current choice of metrics is partly to blame for the 
fact that agencies are reporting improved compliance with security 
requirements even while government investigators continue to find 
security gaps, auditors say.

Part of the problem is that although the Office of Management and Budget 
requires agencies to establish information technology security controls, 
the metrics generally do not measure how well those controls are 
implemented, according to the Government Accountability Office.

“Developing and using metrics that measure how well agencies implement 
important controls can contribute to increased focus on the effective 
implementation of federal information security,” said Gregory Wilshusen, 
director of information security issues at GAO, testifying June 25 
before the House Science and Technology Committee’s Technology and 
Innovation Subcommittee.

Wilshusen said the current metrics probably served a useful purpose when 
they were developed because, at that time, many agencies weren’t 
performing basic security controls. However, he said, it’s time to 
examine how agencies implement the controls and consider other types of 


Visit the InfoSec News security bookstore!
Received on Mon Jun 29 2009 - 22:18:29 PDT

This archive was generated by hypermail 2.2.0 : Mon Jun 29 2009 - 22:31:32 PDT