FCW : October 30, 2012
A RISK MANAGEMENT READING LIST

The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization Management Program provide detailed requirements regarding what agencies need to consider when assessing and managing security risks. The National Institute of Standards and Technology takes those requirements into account in developing its guidelines for agencies.

FISMA sets various standards and guidance for agencies to use when assessing risks and establishing security controls, and agencies must comply with them annually. However, the law does not yet tell agencies that they must improve security, only that they must show that they have a process in place that will enable them to do so. Still, FISMA is credited with providing a good foundation for risk management in the federal government. Its requirement for continuous monitoring of security risks and controls is considered a fundamental shift in risk management because it moves reporting from periodic snapshots to a real-time process.

NIST has a portfolio of documents that provide detailed guidance on risk management, including:

• SP 800-30 --- Risk Management Guide for IT Systems
• SP 800-37 --- Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• SP 800-39 --- Managing Information Security Risk: Organization, Mission and Information System View
• SP 800-53 --- Recommended Security Controls for Federal Information Systems and Organizations
• SP 800-53A --- Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

The big new idea in the latest set of documents is that agencies should look at risk management as an enterprisewide process and not something to be performed at the system level, said Ron Ross, a NIST fellow and leader of the agency's FISMA Implementation Project.

"It applies to all three tiers in an organization --- from where the assessment is done at the highest level, where the risk management strategy is produced [and] is pushed down through Tier 2, where assessments have an impact on mission and business operations, to the system security design at Tier 3," he said.

--- Brian Robinson

RISK MANAGEMENT

descriptive than prescriptive and leave it to the organization to determine the most suitable approach for itself, taking into account factors such as system use and mission requirements. Agencies will have to make it up on their own to some extent and choose standards for risk assessments that they will be able to carry forward, said Tim Erlin, director of IT security and risk strategy at nCircle, a company that specializes in risk and security performance management.

"There also isn't a consistent methodology for assessing multidimensional risks or the combination of risk and environment that might be dependent on each other," he said. "While the NIST guidance is very comprehensive, it doesn't seem to provide a lot of guidance on how to chain these things together."

One constant in any government program, of course, is cost. Given the budget constraints agencies face today and will have to operate under for the foreseeable future, any sizable new investment will be closely scrutinized. Risk management will involve some upfront costs in terms of process and tools, such as new automation technologies, but it could result in savings down the road.

In researching the costs of risk management, the Ponemon Institute has come up with a range that covers short-term costs such as extra people and new technology, indirect costs, and what it calls opportunity costs: for example, the potential for damage to agency missions through data loss and a consequent drop in user trust if security is not done right.
"The reality is that the short-term costs probably do go up pretty substantially if you do it right," Ponemon said. "But over time, we would expect to see a reduction, especially in indirect and opportunity costs."