Tag Archives: risk management

InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI Service Provider Contracting

One of the key areas I get involved in is service provider relationships, and in particular section 12.8 of PCI and service provider contracts. There are many aspects of 12.8 (and its subsections) that are potentially ambiguous and open to interpretation, but this particular article is not going to focus on those. This post concerns the “written agreement” referenced in 12.8.2

via InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI Service Provider Contracting.

American Recovery & Reinvestment Act Significantly Impacts HIPAA – Mayer Brown – 14/03/2009, Information Security & Risk Management, Information Technology Law, Data Protection, Pharmaceutical, Healthcare & Life Sciences, Healthcare

United States: American Recovery & Reinvestment Act Significantly Impacts HIPAA

14 March 2009

Article by Debra Bogo-Ernst, Rebecca Eisner Jeffrey P. Taft, and A. John P. Mancini

Originally published March 12, 2009

Keywords: American Recovery & Reinvestment Act, ARRA, Health Insurance Portability and Accountability Act, HIPAA, HITECH Act, Covered Entities, Business Associates, direct liability

The American Recovery & Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). More specifically, Title XIII of ARRA, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, greatly expands the HIPAA obligations of “Covered Entities” and “Business Associates.”

Direct Liability for Business Associates in Certain Circumstances

Previously, Business Associates — persons who perform any function or activity involving the use or disclosure of Protected Health Information on behalf of a Covered Entity — were not directly liable for HIPAA violations. Instead, Business Associates had the potential for contractual liability to Covered Entities through contracts known as Business Associate Agreements. The HITECH Act now imposes direct civil and criminal penalties on Business Associates for certain security and privacy violations under HIPAA.

Under the HITECH Act, the majority of the HIPAA Security Rule now directly applies to Business Associates in the same manner as it applies to Covered Entities. For example, Business Associates will now be required to implement and maintain certain security policies and procedures, appoint a security officer and provide related training.

In addition, the HITECH Act imposes new Privacy Rule-related obligations on Business Associates. More specifically, the HITECH Act provides that Business Associates may use and disclose Protected Health Information only to the extent that such use or disclosure complies with certain requirements in Business Associate Agreements. Effectively, by way of this statutory tie to certain contractual provisions, Business Associates must directly comply with aspects of the Privacy Rule.

The HITECH Act specifically requires that Business Associate Agreements be modified to incorporate the new Security Rule and Privacy Rule requirements.

New Notification Requirements

Covered Entities and Business Associates alike will be subject to new notification requirements. For example, within 60 calendar days of discovering a breach of “unsecured” Protected Health Information (including breaches that should reasonably have been known), Covered Entities must notify:

Individuals with respect to a breach of their information;

“Prominent media outlets serving a State or jurisdiction” if more than 500 residents of such State or jurisdiction are affected; and

The Secretary of the Department of Health and Human Services (Secretary).

The Secretary will post a list of each Covered Entity involved in a breach of “unsecured” Protected Health Information concerning more than 500 individuals on the Department of Health and Human Services’ web site.

Enforcement Expanded to State Attorneys General

The HITECH Act empowers state attorneys general to bring civil actions in federal court if they have “reason to believe” that “one or more of the residents of that State has been or is threatened or adversely affected” by a violator for injunctive relief or statutory damages as well as attorneys’ fees. Previously, the Secretary had the sole right to enforce HIPAA through her delegations to the Centers for Medicare & Medicaid Services (Security) and the Office of Civil Rights (Privacy).

Increased Penalties and Compensation for Harmed Individuals

The new legislation significantly increases the existing civil monetary penalties for each violation. Civil penalties now generally range from $100 to $50,000 per violation, with caps of $25,000 to $1.5 million for all violations of a single requirement in a calendar year. The severity of the penalties is based upon the violator’s knowledge: from no knowledge (and by exercising reasonable diligence would not have known) of violation, to reasonable cause for the violation, to willful neglect. The Secretary is required to impose penalties for “willful neglect” violations. Within three years of the HITECH Act, the Secretary must establish, via regulation, a methodology for providing a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense to any harmed individual.

Effective Date

The effective dates for the HITECH Act changes to HIPAA vary. For example, the increased penalty provisions are effective immediately. In contrast, other provisions will be effective within a year of the legislation (i.e., February 2010) or after related regulations are published.

There are many other provisions of the HITECH Act that will affect the HIPAA obligations of Covered Entities and/or Business Associates

via United States, IT & Telecoms, American Recovery & Reinvestment Act Significantly Impacts HIPAA – Mayer Brown – 14/03/2009, Information Security & Risk Management, Information Technology Law, Data Protection, Pharmaceutical, Healthcare & Life Sciences, Healthcare.

NIST releases draft guidelines for FISMA compliance

The National Institute of Standards and Technology (NIST) on Thursday released new guidelines to help federal agencies comply with the Federal Information Security Management Act (FISMA).

The document, titled “Recommended Security Controls for Federal Information Systems and Organizations,” is in its third revision, but this is the first major update since its initial publication in December 2005. NIST is accepting comments on the document until March 27, Ron Ross, the organization’s FISMA implementation project leader, told SCMagazineUS.com Friday.

“During the past three years we have learned a lot from our federal agencies implementing these controls,” Ross said. “[The revisions are] based on new threats we are seeing and the type of cyberattacks that are ongoing within our federal agencies.”

Ross said federal government, private sector and companies abroad are encouraged to review and comment. NIST likely will put out a final draft before the document is finalized for release around April.

“We like to make sure our customers are part of the process because they have to implement this stuff — so we want to get their perspective with everything we do,” Ross said.

Changes to the document include: A restructuring of the security control catalog to include guidance requirements that were previously supplemental; adjusted security control/control enhancement allocations in the low-, moderate- and high-impact baselines; added security control enhancements for advanced cyberthreats, including supply chain threats; and elimination of redundant security controls/control enhancements.

“The biggest improvement is the addition of the new controls and control enhancements with regard to the new threats we are seeing,” Ross said.

Security program management controls were added relating to capital planning, budgeting, enterprise architecture and risk management. Additional guidance was added for the management of common controls.

A revised and simplified six-step risk management framework also was incorporated, in addition to a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards.

This will help align the federal law with standards that are generally accepted by corporations, Christopher Fountain, president and CEO of SecureInfo, provider of information assurance solutions for the federal government, told SCMagazineUS.com Friday in an email.

“It begins to incorporate [ISO 27001] that is generally accepted in the private sector,” he said. “Since the private sector controls over 90 percent of the nation’s critical infrastructure, which depends heavily on complex networks and systems, having common standards to secure all networks and systems across the public and private sectors is much needed.”

via NIST releases draft guidelines for FISMA compliance – SC Magazine US.

Palo Alto Networks Hosting Webinar with Forrester on PCI Audit Process

Jan 29, 2009 (Close-Up Media via COMTEX) —

Palo Alto Networks will host a webinar with Forrester Research Security and Risk Management Analyst, John Kindervag on Tuesday, February 10 at 10 a.m. PST, 1 p.m. EST.

PCI audits are often daunting, both in scope of effort and associated costs, and this informative webinar will review how to simplify the process through network segmentation and user-based security policies.

The October 2008 update of the PCI DSS documentation states that companies can reduce the cost and complexity of PCI compliance by using network segmentation to isolate the cardholder data in a secure segment. Without adequate network segmentation – sometimes called a “flat network” – the entire network is in scope of the PCI DSS assessment. This webinar will offer insight into the issues, challenges and strategies required to meet PCI compliance.

http://paloaltonetworks.com/events/webinars/index.html

via Palo Alto Networks Hosting Webinar with Forrester on PCI Audit Process.

The Forrester Blog For Security & Risk Professionals

 

Thomson Reuters Gets A Jump On Holiday Shopping, Acquires Paisley

 

Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance… as well as the product and service firms that serve them.

One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of mind issue for many leading vendors in the space.

Wednesday, Thomson Reuters got an early start on this trend with a definitive agreement to purchase Paisley. A leader in the GRC platform and audit management markets, Paisley will be a strong addition to the company’s Tax and Accounting group.

Concern among businesses about their risk management practices and impending regulatory actions will be a major driver for growth in the GRC market, and considering this significant potential, we expect other attractive acquisition targets in the space to be scooped up over the next 12 months.

The Forrester Blog For Security & Risk Professionals

PCI’s Post-Audit Pain Points

hose who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.

For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.

“Log management, while necessary, has turned out to be the biggest issue for us,” says Atwell, who is based in the Raleigh-Durham, North Carolina area. “Partnering with a good vendor helps, but when you’re starting from scratch, it’s a big project.”

Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company’s UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.

“Database encryption is turning out to be a huge project in itself,” Minhas says. “A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It’s a bit hard to get everyone to prioritize this project to everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions.”

But for the vast majority of security pros surveyed by CSOonline in recent weeks, the biggest problem is upper management.

The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.

“Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year,” says David Glosser, network security administrator for a company in New York City. “There’s a perception that PCI-compliant shops are perfect.”

The upper management problem
Others polled by CSOonline reported running into the same wall Glosser spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles, says he has seen the problem up close.

“Having worked on two PCI projects, the biggest challenge is typically management’s view, ‘Well, were compliant, so we’re done.'” He says. “Some parts of management understand the ‘why’ of PCI, but don’t understand overall risk management. Maintaining attention after the fact is the biggest challenge.”

Serg Anishchenko, the technical manager at a company in Hungary, offered a “funny” example of how clueless upper management can be:

“They were sure I would be able to fix the system alone in couple of weeks,” he says of the top brass at his company. “Another challenge is working out a roadmap to find the easiest way to get compliant and stay that way for the longest period of time.”

Tim Holman, senior consultant at QCC Information Security Ltd. in the UK, says PCI security is still generally being seen as an IT security project, lacking buy-in from senior management, which “leads to all sorts of fun and games.” Taking credit card payments is rarely seen as a risk at the board level.

Documentation, please
The second-biggest ongoing challenge security pros mentioned is log management and documentation. Auditors rabidly digest those logs during audits, and they are a critical tool for spotting security holes and attempted breaches. Unfortunately, good log management isn’t an easy process to maintain.

“My experience with PCI DSS compliance showed that documentation is a problem. Merchants could have good security installations, but it’s a problem to write policy for change management procedures,” says Dmitriy Tsygankov, director of the corporate customer care center at Swedbank in Ukraine. “It’s not difficult to change IP tables or to buy a new server, but it’s much more difficult to use and control all procedures” once they are in place, according the documentation procedures.

Survival tips
Blander says there are a host of other PCI challenges companies continue to wrestle with. For one thing, he says, the sheer scope of remediation can be overwhelming, given that the standards are so broad. “For a retailer that means all stores (typically in the many hundreds),” he says. “The sheer cost of addressing that large a scope is a factor given the current state of retail. This doesn’t make the standards bad, just a challenge to tightening budgets and limited resources.”

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

“File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency,” he says, noting that’s good for business as a whole.

Griffiths has experienced many of the challenges listed above. But he remains confident in his organization’s ability to do right by PCI security.

“None of the pain points are insurmountable,” he says. “PCI is either a logical extension of current security practices or a huge undertaking in organizations with little or no security appetite.”

The most important ingredient for any organization dealing with PCI security, security experts generally agree, is the security appetite Griffiths mentions.

PCI’s Post-Audit Pain Points | ITworld.

ITWeb :PCI standards must be adopted

PCI standards must be adopted

BY AUDRA MAHLONG , JOURNALIST

[ Johannesburg, 26 November 2008 ] – Symantec has called on South African businesses to widely adopt the Payment Card Industry (PCI) Data Security Standard as a way of improving card security.

Compliance is an essential part of risk management, says Errol Rhoden, IT governance, risk and compliance solutions manager for Symantec emerging region.

“The reality is that companies lose out if they don’t prioritise governance and compliance. The financial implications are huge, with companies which don’t comply with standards receiving tremendous fines. There are also general financial losses which should be considered.”

Currently, organisations which deal with credit card payments have to show compliance with the standard, while finding solutions to challenges such as data breaches and the growing impact of cyber crime.

“The underground criminal activity is growing and becoming more effective. There are also activities, such as corporate warfare, where there are attempts to damage companies’ reputations by other companies or individuals,” explains Rhoden.

He believes the data security standard needs to be willingly adopted by companies to ensure it works effectively, saying: “The standards which guide companies on governance policies need to be accepted by industry. It is a business standard and not a government standard. So it cannot be forced on anyone. Companies need to see the benefits of adopting this.”

Firms that adopt the standard and fail to comply will face fines, to be determined and enforced by banks or similar bodies.

“The South African situation is different as regulations are different, and this has impacted on the slow adoption of the standard. Something like the fact that banks are not required to send notifications to customers if there is a security breach in their account, will definitely be impacted by the standards.”

The standard will be adopted in SA in February 2009, with plans to ensure all industries involved in card payments are fully compliant in September 2010.

ITWeb :PCI standards must be adopted.

IT Management Building an IT Governance Foundation – Baseline

While organizations have similar goals such as controlling costs and achieving data consistency, IT departments across government, corporations and nonprofits operate differently. IT management needs an overarching governance model like CobiT, ITIL, CMM and Six Sigma to ensure that investments in technology generate business value and mitigate risks.

Information technology governance defines the overall structure, policies, processes and relationships necessary to provide the desired level of standardization and consistency across an IT organization. It encompasses systems, performance measures and risk management procedures, helping organizations make informed decisions about their operations and investments. While organizations have similar goals—such as controlling costs and achieving data consistency—IT departments across government, corporations and nonprofits operate differently.

Even after a rigorous focus on compliance initiatives—and the widespread acknowledgment that large-scale, complex, strategic IT projects commonly progress beyond scope and budget without due attention—standardization around IT governance models is still being sought.

When organizations are examined and the use of best-practice disciplines are polled, a number of frameworks and standards for varying aspects of IT operations are found. These frameworks typically include:

* IT Infrastructure Library (ITIL), developed by the United Kingdom’s Office of Government Commerce, focuses on service support and service delivery.

* ISO/IEC 27001 (ISO 27001) consists of a set of best practices to implement and maintain an information security program.

* AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology.

* Capability Maturity Model Integration focuses on software engineering, people and implementation.

* Balanced Scorecard is a strategic planning and management system used to align business activities to the organization’s vision and strategy.

* Six Sigma is a manufacturing-based system focusing on quality assurance.

IT management needs an overarching governance model to ensure that investments in technology generate business value and mitigate associated risks. The model should also provide a common language for IT and users, enable more focused planning, and create a level of standardization, consistency and predictability.

First published in 1996, Control Objectives for Information and Related Technology (CobiT) provides a set of generally accepted best-practice objectives to help maximize the benefits derived through IT use. It further aids in developing appropriate IT governance and control in an organization. Managed by the Information Systems Audit and Control Association and its research body, the IT Governance Institute (ITGI), CobiT became the IT governance standard against which auditors measured process and control maturity in support of compliance with the Sarbanes-Oxley Act of 2002.

CobiT provides a control- and objective-based foundation upon which decisions and investments can be based. These include defining a strategic plan; defining the information architecture; acquiring the necessary hardware and software to execute a strategy; managing projects; ensuring continuous service; and monitoring the performance of the IT system.

This is achieved by providing tools to assess and measure the performance of 34 high-level processes that cover 214 control objectives, which are categorized in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. By implementing processes and procedures supporting the CobiT objectives and identifying and monitoring associated controls, users and auditors will recognize greater reliability and performance throughout the enterprise.

Building IT Governance: Overcoming Challenges

Throughout IT organizations, common themes are described as areas of opportunity: improve project planning and investment; increase collaboration and information sharing; facilitate effective communication and transition across the lifecycle; control cost while providing efficient operations and support; enhance service delivery; and improve security. These themes are usually approached as individual programs or are carefully orchestrated as an overarching organizational transformation related to technology operations.

Certain areas, such as security and managing data across an enterprise, require heavy investment and monitoring. These are also areas that auditors commonly spend time scrutinizing and directing change for heightened control.

When remediation is essential, reactive solutions are typically implemented. Though necessary, these solutions can be costly and inefficient. Once a baseline is set, however, and the auditors leave, it is far more efficient for IT management to proactively design and support an improvement plan with cross-functional reach. The CobiT model can help with this.

By understanding the four domains and the underlying process areas, IT management and staff can begin communicating from a common frame of reference. Leveraging the CobiT toolkits, IT management can promote a standard set of metrics, process structures, improvement plans and self-assessment mechanisms. This allows each area to initiate, report and monitor in a similar fashion.

In almost every change-management or operational-improvement approach, stakeholder involvement is critical, yet this is often where things fall apart. Think how many project managers ask for executive stakeholder meetings to communicate issues and detailed plans. Now ask how many IT managers have enough time to devote to such detail. The answer would be “very few.”

With an understanding of CobiT and having a common approach to managing and measuring processes, IT management will have an informed understanding of the objectives to be achieved. This understanding allows IT management to focus on the actions that require their attention, enabling the program to stay on track based on meaningful risk and opportunity reviews.

From the ITGI CobiT 4.1 framework document, the four domains and their relationships are described and the related process areas listed. The relationships can help IT management focus on areas of opportunity or risk.

Plan and Organize (PO) provides direction to solution delivery (AI) and service delivery (DS); Acquire and Implement (AI) provides the solutions and passes them to be turned into services; Deliver and Support (DS) receives the solutions and makes them usable for end users; and Monitor and Evaluate (ME) monitors all processes to ensure that the direction is followed.

A governance framework is worthwhile only if it is actually used; otherwise, it becomes a waste of money and a burden to the staff. To be effective, its language must permeate regular conversations among the leadership team and find its way into dashboards and documents.

By using CobiT tools, IT management can quickly assess strengths, weaknesses and opportunities. It can then reduce costs, improve the top-line, enhance customer service, or meet compliance and regulatory reporting by balancing risk mitigation and process improvement in a proactive fashion.

Building IT Governance: Collaboration and Support

As an example, one state government’s IT strategic planning group wanted higher levels of collaboration and a stronger sense of support. The sense of buy-in across multiple agencies would strengthen appropriation requests for strategic initiatives, allowing for economies of scale, including:

  • Solutions that address and automate inter- and intra-agency business processes
  • Smaller, more focused teams to drive progress more quickly
  • More statewide, standardized technology platforms and tool sets
  • Enhanced information sharing and increased reusability
  • Lower total cost of ownership for solutions.

To achieve its goals, the state government embarked on a more collaborative planning effort, beginning with an agency director approach. This top-down model was meant to align agencies having similar business-oriented goals and challenges. Facilitated discussion and collaborative decision making identified and defined capabilities that would help alleviate challenges in support of goals that could be met through technology. This transition—from business-driven need to technology-based capability—also allowed the agency directors to communicate more effectively with the IT directors.

The transition to technology occurred when enabling capabilities, such as business intelligence, were identified. More than 50 agencies were represented and more than 100 directors, chiefs of staff, and IT leads collaborated in the process to iterate balanced objectives and identify existing and new initiatives.

The state’s intent for the strategic planning process was a set of IT-oriented priorities that support state and agency business goals and can be translated into a set of recommended projects and budgets. With the iterative, collaborative process utilized, it was essential to be sensitive to time and competing priorities. In support of the process, the state established a legislative technology committee and formalized the agency director advisory committee.

The state’s approach—developing output for the framework—was designed to facilitate discussion and move quickly toward decisions in a collaborative fashion that built support and consensus.

Looking at CobiT’s Planning and Organizing domain, the very first process area is Define a Strategic IT Plan. This satisfies the business requirement for IT to sustain or extend the strategy and governance requirements, while still being transparent about benefits, costs and risks.

Another CobiT process area, Define the IT Processes, Organization and Relationships, has several applicable objectives. These include Defining an IT Process Framework, Establishing an IT Strategy Committee and Establishing an IT Steering Committee.

The state government achieved several CobiT objectives through its planning process, which had the goal of developing a long-term strategic plan—not overtly aligning with the CobiT framework. This is a model of success that other standard and framework maturity programs can learn from.

{mospagebreak title=Building IT Governance: IT Governance Transformation

Enabling IT Governance Transformation

The steps enabling transformation—in the context of an IT governance, compliance or enterprise risk management initiative—describe a business process. Similar to any other business process, it must be documented, followed with discipline and improved with every iteration.

For a successful CobiT experience, always begin from a perspective of knowledge and leverage experienced support. Implementing an enterprise risk management, compliance or IT governance program is like any other transformation: It must have the support of a dedicated team to be successful.

Lessons taken from enabling organizational transformation hold true for an IT governance program to reduce cost and effort, while enhancing chances of success and building support across an organization. There are only so many tasks that one person or a group working part-time can push forward simultaneously.

For an IT governance effort to succeed, therefore, dedicated resources must be allocated, IT management must have a common understanding to allow for more focused decision making, and progress must not be predetermined by an arbitrary schedule, such as a quarterly earnings call.

PLAN AND ORGANIZE

  • Define a strategic IT plan.
  • Define the information architecture.
  • Determine the technological direction.
  • Define the IT processes, organization and relationships.
  • Manage the IT investment.
  • Communicate management aims and direction.
  • Manage IT human resources.
  • Manage quality.
  • Assess and manage IT risks.
  • Manage projects.

ACQUIRE AND IMPLEMENT

  • Identify automated solutions.
  • Acquire and maintain application software.
  • Acquire and maintain technology infrastructure.
  • Enable operation and use.
  • Procure IT resources.
  • Manage changes.
  • Install and accredit solutions and changes.

DELIVER AND SUPPORT

  • Define and manage service levels.
  • Manage third-party services.
  • Manage performance and capacity.
  • Ensure continuous service.
  • Ensure systems security.
  • Identify and allocate costs.
  • Educate and train users.
  • Manage service desk and incidents.
  • Manage the configuration.
  • Manage problems.
  • Manage data.
  • Manage the physical environment.
  • Manage operations.

MONITOR AND EVALUATE

  • Monitor and evaluate IT performance.
  • Monitor and evaluate internal control.
  • Ensure compliance with external requirements.
  • Provide IT governance.

Adam Nelson is director of management and IT consulting at Keane, a global IT consulting firm headquartered in San Ramon, Calif.

Baseline.

NIST Requests Comments on Next Generation CA Process for Information Systems

NIST Requests Comments on Next Generation C/A Process for Information Systems

National Institute of Standards & Technology

Release date: August 19, 2008

The National Institute of Standards and Technology (NIST) has released for public review and comment a major revision to its security certification and accreditation (C&A) guidelines for federal information systems. A substantial rewrite of the original document, the new Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, represents a significant step toward developing a common approach to information security across the Federal government, including civilian, defense, and intelligence agencies, according to NIST security experts.

When finalized, the revised guide will replace NIST Special Publication 800-37, which was issued in 2004 under the title Guide for the Security Certification and Accreditation of federal Information Systems. Like the original, the revised guide maps out a basic framework for managing the risks that arise from the operation and use of federal information systems, the measures taken to address or reduce risk, and a formal managerial process for accepting known risks and granting-or withdrawing-authorization to operate information systems. The guide emphasizes the need to treat information security as a dynamic process, with established procedures to monitor, reassess and update security measures to maintain the authorized security state of an information system. The revised security authorization process is designed to be tightly integrated into enterprise architectures and ongoing system development life cycle processes, promotes the concept of near real-time risk management, capitalizes on investments in technology including automated support tools, and takes advantage of over three decades of lessons learned in previous approaches to certification and accreditation.

Since 2003, NIST has developed and published information security standards and guidelines under the Federal Information Security Management Act (FISMA). While the NIST methodology for analyzing, documenting and authorizing the security of information systems is widely followed by federal agencies operating non-national security systems, other frameworks have coexisted with it for national security systems, including the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) and the National Information Assurance Certification and Accreditation Process (NIACAP). This first revision to SP 800-37 is the result of an interagency effort that is part of a C&A Transformation Initiative working toward a convergence of information security standards, guidelines and best practices across the government’s civilian, defense and intelligence agencies. NIST is participating in this effort along with the Office of the Director of National Intelligence (DNI), the Department of Defense (DOD) and the Committee on National Security Systems (CNSS). Future updates to NIST FISMA publications will continue this convergence towards common standards and procedures.

Copies of the initial public draft of SP 800-37 Revision 1 are available from the NIST Computer Security Resource Center at http://csrc.nist.gov. NIST is requesting comments on the draft by Sept. 30, 2008.

Media Contact: Michael Baum, michael.baum@nist.gov, (301) 975-2763

NIST Requests Comments on Next Generation CA Process for Information Systems, Natio.

Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research

Governance, risk, and compliance (GRC) continues to be a hot topic of interest for security and risk professionals. Between July 2007 and July 2008, Forrester’s security and risk management team received 1,798 inquiries on a variety of topics — 198 of which were from clients interested in GRC. Of the GRC-related inquiries recorded, 46% covered compliance best practices, 32% concerned GRC vendor selection, and 24% addressed risk management. Forrester doesn’t expect the focus on compliance to diminish drastically, but maturing companies are focusing more on how to manage a federated compliance program that encompasses all standards and regulations rather than managing separate initiatives for each. Inquiries about enterprise risk management and selecting comprehensive GRC management software platforms also echo the same trend toward maturity. Forrester recommends that professionals looking to adopt GRC programs begin by identifying where converging governance, risk, and compliance can provide greater efficiency and insight, and only then consider technologies that can support these benefits.

Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research.