http://gcn.com/articles/2010/07/12/cybereye-fisma-evolving.aspx

By William Jackson
GCN.com
July 12, 2010

The Federal Information Security Management Act has become the whipping boy for security vendors, chief information security officers and legislators, but we should not be too eager to abandon it, says a leading security researcher at the National Institute of Standards and Technology.

"We tend to want to make 'compliance' a bad word today," said NIST senior computer scientist Ron Ross. But regulatory compliance does not have to be a static checklist, and it is part of effective risk management, he said. If the regulations are fundamentally sound and adaptable, they can evolve to address a rapidly changing security environment, and that is what is happening with FISMA, he said.

"The fundamental reforms already are ongoing, coming from grass-roots activities," not from policy or legislative changes, Ross said.

As the head of NIST's FISMA implementation program, Ross, who spoke recently about changes in cybersecurity requirements at a forum hosted by InformationWeek, is hardly a disinterested observer. Since the passage of FISMA in 2002, a great deal of the resources of NIST's Computer Security Division have gone to creating standards, recommendations and guidelines on how to achieve compliance. That body of work has been praised as one of the accomplishments of FISMA while at the same time condemned as overly comprehensive and prescriptive.

[...]

_________________________________________________________________
Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of
Briefings from security industry elite. To sign up visit
http://www.blackhat.com

Received on Tue Jul 13 2010 - 01:06:29 PDT