FCW : April 30, 2014
Public-sector organizations depend on information and IT systems to make informed, critical decisions and successfully carry out their missions. And those systems and resources are subject to almost constant threats that can have significant and wide-ranging impacts on operations.

Given the growing danger of those threats, leaders must understand their responsibilities for achieving sound information security and managing IT-related security risks. The Obama administration's Cybersecurity Framework provides a broad road map for government and commercial organizations to get started on this effort. And several resources can help agencies improve cybersecurity.

The National Institute of Standards and Technology developed a common information security framework for the federal government and its contractors in order to improve information security and strengthen risk management processes. The six-step Risk Management Framework:
• Promotes the implementation of robust continuous monitoring.
• Encourages the use of automation to provide senior leaders with the necessary information to make cost-effective, risk-based decisions.
• Integrates information security into the enterprise architecture and system development life cycle.
• Emphasizes the selection, implementation, assessment and monitoring of security controls throughout the system's life cycle.
• Suggests creating a risk executive --- a senior official dedicated to understanding how risks can affect strategic goals and objectives.
• Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.

In addition, NIST has published two additional documents --- SP 800-39 and SP 800-30 --- that emphasize the need for integrated risk management and risk assessments.

Agencies can use the connection between information/IT systems and critical business processes to form a focal point for assessing risk through the threat, vulnerability and consequence concept. This targeted approach to implementing security controls reduces budget impact while increasing effectiveness. It allows agencies to implement an effective information security program with three primary goals:
• Protect data and information systems.
• Conduct security protection activities with respect to security compliance requirements.
• Analyze cyberthreat data and develop predictive and proactive threat prevention.

In addition, agencies can use cyberthreat analysis and security intelligence to address vulnerability management in two critical areas.

The first area focuses on understanding and assessing an organization's security compliance profile and using analysis to develop actions that remediate compliance-related vulnerabilities as quickly as possible, through immediate response and the plan of action and milestones process required by law and Office of Management and Budget policy.

The second area aggregates and correlates security threat intelligence data to create actionable and operationally relevant recommendations. This approach increases awareness of vulnerabilities that might allow an organizational compromise prior to an actual breach or network penetration. It can also be framed with risk management to identify insider threat vulnerabilities or compromises.

Taken together, the resources from NIST and growing capabilities for assessing risk and using analytics provide a strong road map for agencies to follow in the continual improvement of their cybersecurity posture.

The key to cost-effective cybersecurity

Leaders need to understand their responsibilities for achieving sound information security and managing IT-related security risks

Commentary by JOHN LAINHART AND DAN CHENOK

JOHN LAINHART leads IBM's Public Sector Cybersecurity and Privacy Services, and DAN CHENOK is executive director of the IBM Center for the Business of Government.