Abstract
In today's technologically advanced and increasingly network-connected world, information technology security management supports an organization's economic and technological arrangements while guarding its IT operations and assets against internal and external threats, whether deliberate or accidental (Peltier, 2001; Thomas, 2002; Dhillon, 2007).
The principal function of IT security management is to ensure the confidentiality, integrity, and availability (CIA) of IT systems (Perrin, 2008). Security management is primarily a component of an organization's risk management process and business continuity strategy.
Introduction
The Federal Information Security Management Act (FISMA) replaced what had generally been known as the Government Information Security Reform Act (GISRA), which expired at the end of the 107th Congress (Sebastian, 2010). Congress in fact passed two versions of FISMA at the close of the 107th Congress (Layton, 2007).
The first version was enacted as part of the Homeland Security Act of 2002 (P.L. 107-296, Title X; 116 Stat. 2135, at 2259). The second version, enacted as Title III of the E-Government Act of 2002, is the one that controls. The act applies government-wide, including to small and independent agencies of the federal government. Many of the requirements first introduced by GISRA are now found in the Federal Information Security Management Act of 2002.
Federal Information Security Management Act
The Federal Information Security Management Act recognizes the importance of information security to the economic and national security interests of the United States (NIST, 2012), and it is the primary law governing federal information security programs.
FISMA, enacted as Title III of the E-Government Act of 2002, requires federal agencies to provide information security protections for the information and information systems that support their operations and assets (Moteff, 2004; Smedinghoff, 2008; Dacey & Rhodes, 2004, p.5).
Major Provisions of the Act
Section 301
The Federal Information Security Management Act of 2002 has five major provisions. Section 301 of the act amends Chapter 35 of Title 44 of the United States Code by adding a new Subchapter III on Information Security.
Section 302
Section 302 amends 40 U.S.C. 11331, which concerns the responsibility for prescribing information security standards for federal information systems.
Section 303
Section 303 of the act amends the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), which gives NIST the task of developing standards for information technology, including security standards for federal information systems.
Section 304
Section 304 amends the National Institute of Standards and Technology Act (15 U.S.C. 278g-4), which provides for the Information Security and Privacy Advisory Board.
Section 305
Section 305 makes technical and conforming amendments, two of which are of some importance.
Subchapter III
Chapter 35 of Title 44, United States Code, Subchapter III, on Information Security, sets out the authorities and responsibilities for the development, implementation, evaluation, and oversight of policies and practices for securing federal information systems.
Specifically, it authorizes the Director of OMB to oversee the development and implementation of information security policies, principles, standards, and guidelines across the federal government (Management of Federal Information Resources, n.d.).
The Director's authority includes overseeing the development of policies, principles, standards, and guidelines; reviewing and approving or disapproving agency security programs; and taking enforcement actions as authorized by 40 U.S.C. 11303, an authority that also extends to national security systems.
Additionally, Subchapter III requires each agency to develop and implement an agency-wide information security program, and it prescribes what that program must include. It makes the head of each agency responsible for developing the program and ensuring that it is implemented (Mattord & Whitman, 2010, p.247).
Subchapter III also requires each agency to subject its information security program to an annual independent evaluation. The results must be reported to the Director of OMB, who summarizes them in a report to Congress (Powner, 2009, p.30; Wilshusen, 2008, p.1).
This is perhaps the most important element of FISMA, by which Congress intended to ensure adequate oversight of, and compliance with, federal information security requirements.
FISMA amends 40 U.S.C. 11331, which authorizes the Secretary of Commerce to prescribe standards and guidelines pertaining to federal information systems.
FISMA also amends 15 U.S.C. 278g-3, which gives NIST the task of developing standards, guidelines, and associated methods and techniques for information systems (Swanson, 2011, p. iii). These standards and guidelines include those for securing federal information systems, excluding national security systems.
In particular, FISMA amended this section to require that NIST, at a minimum, develop standards for categorizing all agency information and information systems by risk, guidelines recommending which types of information and systems belong in each category, and minimum security requirements for each category.
FISMA also directs NIST that these standards should, to the maximum extent practicable, be technology-neutral and permit the use of commercial off-the-shelf products.
Finally, FISMA repealed 40 U.S.C. 11332, which incorporated language originally enacted as part of the Computer Security Act of 1987. That language required agencies to develop security plans for their computer systems and to provide personnel with training in security awareness and practice.
FISMA also amends 44 U.S.C. 3505 to add a requirement that agencies inventory their major information systems and identify the interfaces between those systems and other systems and networks.
Reference List
Dacey, R. F., & Rhodes, K. A. (2004). Information Security Technologies to Secure Federal Systems. Washington, DC: DIANE Publishing.
Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. New York, NY: John Wiley & Sons.
Layton, T. P. (2007). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach Publications.
Management of Federal Information Resources. (n.d.). Circular A-130, Office of Management and Budget (OMB). Web.
Mattord, H. J., & Whitman, M. E. (2010). Management of Information Security. Boston, MA: Cengage Learning.
Moteff, J. D. (2004). Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives. CRS Report RL32357.
NIST. (2012). FISMA Overview. Web.
Peltier, T. R. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach Publications.
Perrin, C. (2008). "The CIA Triad", TechRepublic. Web.
Powner, D. A. (2009). Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability. Washington, DC: DIANE Publishing.
Sebastian, S. J. (2010). Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial Statements. Washington, DC: DIANE Publishing.
Smedinghoff, T. J. (2008). The State of Information Security Law: A Focus on the Key Legal Trends. Web.
Swanson, M. (2011). Contingency Planning Guide for Federal Information Systems. Washington, DC: DIANE Publishing.
Thomas, P. R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Boca Raton, FL: Auerbach Publications.
Wilshusen, G. (2008). Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist: Congressional Testimony. Washington, DC: DIANE Publishing.