The Office of Management and Budget (OMB) has finished its review of proposed rules related to changes to HIPAA privacy and security rules, meaning the rules could hit the streets this week.
The OMB reports that it has concluded its regulatory review of the rules HHS sent in April.
via OMB Completes HIPAA Rules Review.
NIST Special Publication 800-53 – the bible for federal government chief information security officers as well as others charged with securing their organizations' IT systems – has been revised by the National Institute of Standards and Technology.
NIST Tuesday issued SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. This latest guidance is aimed at helping agencies implement continuous monitoring of their IT systems as they move away from the traditional paper-based compliance rules under the Federal Information Security Management Act.
via NIST Revises Security Controls Bible.
Federal auditors have criticized the security and design of a General Services Administration e-travel system, suggesting changes to it as part of a yearly review of the agency's IT process.
In the Office of the Inspector General's semiannual report to Congress, auditors said that the GSA's implementation of the E2 Solutions travel management system has security and usability issues that, among other things, don't properly measure the performance of the system and make it unfriendly for users, particularly disabled ones.
via Auditors Fault GSA Travel System Security — Government Travel — InformationWeek.
The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending….
… Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Security Management Act….
via New Policy Revamps Agencies’ Approach To FISMA Compliance – DarkReading.
In a notice published Tuesday in the Federal Register, OCR spells out ways in which it will use information reported via a computer system called the Program Information Management System. The American Recovery and Reinvestment Act tightens HIPAA regulations to require healthcare organizations to report breaches that may cause direct harm to the affected patients.
via OCR sets rules for sharing HIPAA breach information – FierceEMR.
CloudAudit, launched in January 2010, brings together cloud computing providers, integrators and consultants in an effort to create a common interface and namespace. The volunteer initiative aims to help with an automated risk assessment and audit of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) environments.
via Q&A: CloudAudit targets automated risk assessment, management.
Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing.
The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon and Connecticut.
via Company says 3.3 million student loan records stolen.
In the seven years that it has been the law of the land, FISMA, the Federal Information Security Management Act, has helped raise awareness of the need for information security on the federal government's networks, as well as on the networks supporting private industry.
But this latest version of the Office of Management and Budget's FISMA report to Congress pulls into focus the ways that the Obama Administration wants to change how the federal government complies with FISMA at a time when cyberthreats are escalating.
via Federal News Radio 1500 AM: OMB outlines shift on FISMA.
Today, many people are looking for very simple solutions to big and complex problems – and the area of logging and log management is no exception. Following that theme, we have created a “Critical Log Review Checklist for Security Incidents” which is released to the world today.
In addition to HTML, PDF or DOC versions are available as well (alternative hosting location is here). Feel free to modify the checklist for your own purposes or for internal distribution in your organization – but please keep the attribution to the authors.
via Anton Chuvakin Blog – “Security Warrior”: Simple Log Review Checklist Released!.
Absent such standards, Feigenbaum noted that Google received SAS 70 certification and shares the audit results on its security controls with customers. Google is also now seeking certification to comply with the Federal Information Security Management Act (FISMA).
via Analysis: Does the storm over cloud security mean opportunity?.