<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- SwishCommand noindex -->
<rss version="2.0">
<channel>
  <title>ComplianceHome: FISMA Resources</title>
  <link>http://www.compliancehome.com/</link>
  <description>ComplianceHome is one of the Web's largest libraries of resources for compliance management of HIPAA, SOX, FISMA, GLBA, FDA, COOP &amp; COG, FFIEC, Basel II, OSHA and ISO 27002/17799. Visit our directories, which are the best source for white papers, related news articles, resources on the web, training, webinars, conferences, rules &amp; regulation overviews, ask the expert, jobs, and searches of vendors, solutions &amp; products.</description>
<image>
  <url>http://www.compliancehome.com/images/rsslogo.gif</url>
  <title>ComplianceHome</title>
  <link>http://www.compliancehome.com/</link>
</image>
  <language>en-us</language>
  <item>
    <title>McAfee CEO: Threats Too Complex For Single Product Solutions</title>
    <pubDate>Thu, 01 May 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13639.html</link>
    <description>These days in the IT security world there is more of everything. More devices. More compliance regulations. More data breaches. And certainly more malware and malicious threats. And in an era where there's more of everything, companies should start to think about reducing the number of appliances to tackle these threats without compromising business productivity and performance. That was the overriding message imparted by McAfee President and CEO Dave Dewalt in an afternoon keynote during Interop Las Vegas 2008 on Wednesday. With the maelstrom of security threats and regulations facing companies every day, Dewalt said,</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13639.html</guid>
  </item>
  <item>
    <title>Focus On Managing Risk, Not Gruntwork</title>
    <pubDate>Thu, 01 May 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13612.html</link>
    <description>With large enterprises sporting hundreds of applications, firewalls, routers, and other networking devices -- and more than 139 newly announced vulnerabilities each week -- how do they know what vulnerabilities actually matter? Answering that question is a lot harder than just looking at software vendor risk rankings and rushing to patch the</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13612.html</guid>
  </item>
  <item>
    <title>The Art of Data Management Compliance, Part 1: Keeping Pace</title>
    <pubDate>Thu, 01 May 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13603.html</link>
    <description>There's an alphabet soup of acronyms -- including SOX, HIPAA, GLBA and FISMA -- that enterprises must become familiar with in their effort to comply with data management regulations. Compliance with these regulations keeps them in the clear legally, and also helps them stem the tide of cyber-crime. When it comes to properly managing and protecting critical enterprise data and information resources, Corporate America is stuck between two strongly opposing forces. The U.S. is world</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13603.html</guid>
  </item>
  <item>
    <title>Mining Government Tech Dollars</title>
    <pubDate>Thu, 01 May 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13586.html</link>
    <description>Silicon Valley entrepreneurs are infamous for complaining about the burden of government regulations. But as Splunk, a San Francisco-based data analytics and search company, has discovered, there can be gold in red tape. Splunk's software organizes and tags unstructured, computer-generated information such as Web server access logs, configurations and alerts. Splunk users can then search that indexed data, via a browser-like interface, to troubleshoot network problems, monitor security and track trends such as Web surfing behavior.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13586.html</guid>
  </item>
  <item>
    <title>Review: Vital Security Offers Vital Protection</title>
    <pubDate>Wed, 23 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13544.html</link>
    <description>Malicious attacks come in a variety of forms, whether it's e-mail spam, phishing sites, active denial-of-service or hacking attempts, or viruses. Security vendors offer a number of solutions intended to identify and remove these attacks before they cause any damage. Web gateway products vendor Finjan recently unveiled version 9 of its Vital Security Web appliance. Finjan's secure Web gateway protects against Web attacks such as crimeware, Web 2.0 attacks, spyware, phishing, Trojans, and obfuscated malicious code. The Vital Security Web appliance features an active real-time inspection technology that checks both inbound and outbound Web and SSL traffic. Enterprises receive security and risk level information in real time. Test Center received and tested a beta of the new version.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13544.html</guid>
  </item>
  <item>
    <title>FISMA: Compliance vs. Security</title>
    <pubDate>Wed, 23 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13455.html</link>
    <description>Security awareness within government agencies has risen sharply over the past few years, thanks to a more aggressive view taken by OMB. The requirements to maintain a security Certification &amp; Accreditation (C&amp;A) program have been around for many years, along with much guidance and supporting documentation. Unfortunately, it wasn't until the Government Information Security Reform Act (GISRA) and the Federal Information Security Management Act (FISMA) were put into place that agencies started to take these Federal Regulations more seriously. Randy Nash asks this question: Does FISMA make our agencies any more secure?</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13455.html</guid>
  </item>
  <item>
    <title>FISMA Compliance: Making the Grade</title>
    <pubDate>Wed, 23 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13445.html</link>
    <description>For federal managers of information technology, FISMA is one of the most challenging pieces of federal legislation to be enacted in recent years. On the one hand, FISMA imposes strong requirements to rapidly improve the security of government information, and it holds agencies fully accountable for their success in meeting this goal. On the other hand, for managers who can meet those requirements, there are new opportunities to refocus resources within security programs and to obtain tools to manage them adequately. As discussed in this White Paper, QualysGuard can help agencies meet FISMA requirements, reduce the cost of compliance, and use industry best practices to meet FISMA challenges head-on.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13445.html</guid>
  </item>
  <item>
    <title>Qualys announces integrated SaaS solution for security and compliance</title>
    <pubDate>Wed, 23 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13443.html</link>
    <description>Qualys Inc. introduced last week at the RSA Conference 2008 its QualysGuard Security and Compliance Suite, a suite of SaaS (Software-as-a-Service) products aimed at helping global organizations to better manage the operational challenges and costs associated with securing their IT infrastructure, and complying with an increasing set of regulations. Qualys offers on-demand IT security risk and compliance management solutions. Qualys delivers these solutions through a single SaaS platform. QualysGuard allows organizations to strengthen the security of their networks and conduct automated security audits to ensure compliance with policies and regulations. As a scalable and open platform, QualysGuard enables partners to broaden their managed security offerings and expand their consulting services. Qualys' on demand solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate view of their security and compliance posture.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13443.html</guid>
  </item>
  <item>
    <title>McAfee Governance, Risk and Compliance Business Unit</title>
    <pubDate>Mon, 14 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13435.html</link>
    <description>McAfee officials elaborated on their plan to put a greater emphasis on IT governance, risk and compliance April 9 at the RSA Conference here. The security vendor's recently established Risk and Compliance Business Unit allows the company to focus on integrating and adding products and services to its GRC portfolio - starting with the release of McAfee Vulnerability Manager 6.5. Vulnerability Manager 6.5, which supports Windows and Unix systems, includes agent-less scanning to assist in policy compliance audits and is meant to help companies meet the requirements for compliance reporting mandated by both regulatory and industry standards.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13435.html</guid>
  </item>
  <item>
    <title>SAAS Comes to Security and Compliance</title>
    <pubDate>Fri, 11 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13404.html</link>
    <description>Qualys is launching what it claims is the first security and compliance software-as-a-service suite on the market. Qualys, the company most known for its on-demand approach to security and compliance, has released what it says is the first software-as-a-service security suite. The QualysGuard Security and Compliance Suite, which will be delivered to companies as a hosted service, is designed to combine security monitoring with compliance challenges by marrying the two.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13404.html</guid>
  </item>
  <item>
    <title>Employers briefed on federal contract compliance</title>
    <pubDate>Fri, 11 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13393.html</link>
    <description>Manufacturers laughed nervously Tuesday as they heard about one local company that got an audit notice from the Office of Federal Contract Compliance Programs. It was during the holidays, so the receptionist simply laid the notice on top of the boss's desk with the rest of the mail. There the notice sat until the boss returned weeks later. It took some fancy footwork by the company's lawyer to postpone the audit and, even then, the company only got a week's extension. G. Thomas Harper, a Jacksonville lawyer, is used to getting companies out of such scrapes. He talked to members of the Volusia Manufacturers Association on Tuesday about how to comply with government requirements on affirmative action plans and filing Equal Employment Opportunity reports.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13393.html</guid>
  </item>
  <item>
    <title>Inadequate Security Controls Over Routers Taxpayer Information</title>
    <pubDate>Wed, 09 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13366.html</link>
    <description>This report represents the results of our review to determine whether controls were sufficient to detect and deter unauthorized use of Internal Revenue Service (IRS) routers and switches, two key components used to direct network traffic. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan and was part of the Information Systems Programs business unit's statutory requirements to annually review the adequacy and security of IRS technology.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13366.html</guid>
  </item>
  <item>
    <title>New Finjan Appliance Sniffs Web Traffic for Crimeware</title>
    <pubDate>Wed, 09 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13365.html</link>
    <description>Secure Web gateway products vendor Finjan unveiled version 9.0 of its Vital Security Web appliance on Monday at the RSA Security Conference. This includes a new active real-time inspection technology that checks both inbound and outbound Web traffic and SSL (secure socket layer) traffic for malicious content, to provide enterprises real-time information on system performance and security risk levels. The active real-time content inspection capability</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13365.html</guid>
  </item>
  <item>
    <title>GNS wins SEC info security contract</title>
    <pubDate>Wed, 09 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13364.html</link>
    <description>Global Network Systems Inc. has been picked by the Securities and Exchange Commission to help the agency with several security requirements. Under a $3.5 million contract, GNS of Rockville, Md., will provide SEC with professional services to help it meet requirements from the Office of Management and Budget and the Government Accountability Office, and also under the Federal Information Security Management Act. GNS will assist with improving information security programs, while also providing OMB oversight reporting and automating FISMA compliance.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13364.html</guid>
  </item>
  <item>
    <title>Prevent Technical Users from Leap-Frogging to Unauthorized Areas</title>
    <pubDate>Wed, 09 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13362.html</link>
    <description>Xceedium, the premier provider of solutions that enforce security policy and validate compliance for technical users, has announced the availability of Xceedium GateKeeper 4.0, which delivers patent-pending LeapFrog Prevention technology, FIPS 140-2, Level 2 certification and other new feature enhancements. Many Fortune 200 organizations and top government agencies rely on the Xceedium GateKeeper appliance to manage, control, contain, track and report on technical users who need access to mission-critical resources and systems on the network to do their jobs. "The highly-skilled nature of technical employees' job requirements and the command line tools they use can make it very difficult to track and contain unauthorized activity on the network," said Scott Crawford, a senior analyst with Enterprise Management Associates. The LeapFrog Prevention technology featured in the Xceedium GateKeeper solution enables organizations to contain users to authorized areas on the server, and its re</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13362.html</guid>
  </item>
  <item>
    <title>Detection or Prevention?</title>
    <pubDate>Wed, 09 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13355.html</link>
    <description>Should risk managers focus limited financial and internal resources on prevention of corporate fraud, or should they ensure an effective detection and investigation program is in place? In fact, they should do both. Risk managers are faced with difficult decisions during the course of establishing an effective internal risk management program. Do they focus limited financial and internal resources on prevention, or do they ensure there is an effective detection and investigation program in place? In fact, it is often advised that they can and should do both.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13355.html</guid>
  </item>
  <item>
    <title>ISO, ITIL and COBIT triple play fosters optimal security management execution</title>
    <pubDate>Wed, 09 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13317.html</link>
    <description>In a survey of security professionals conducted for the recent research report Security Management Matures, ESG discovered that 72 percent of North American enterprise-class organizations (i.e., organizations with 1,000 or more employees) say they are implementing one or more formal IT best practice control and process models. Among survey participants, 18 percent have simultaneously implemented ITIL, ISO and COBIT. Of those implementing just one set of standards, ITIL is the most frequently selected (16 percent) followed by ISO (11 percent). A significant 17 percent have not implemented any type of framework at this time. An additional 20 percent have implemented other best practices or did not know whether their organization used these types of frameworks. Organizations making concurrent investments in ITIL, ISO and COBIT are often subject to significantly greater levels of external compliance pressure than are organizations choosing to focus on a single set of best practices. Over </description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13317.html</guid>
  </item>
  <item>
    <title>Cybereyecommentary: Beyond FISMA</title>
    <pubDate>Wed, 02 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13306.html</link>
    <description>A Senate subcommittee came to an unsurprising conclusion earlier this month about the Federal Information Security Management Act: FISMA compliance does not equal security. The Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee held a hearing to wrestle with the question of why we continue to see data losses and breaches of federal information technology systems at the same time that metrics for FISMA compliance are improving. Tim Bennett, president of the Cyber Security Business Alliance, pointed out the obvious: FISMA does not tell the whole story when it comes to agencies' information security practices. Nowhere is an agency's ability to detect and respond to intrusions measured in FISMA. This doesn't mean FISMA, imperfect as it might be, is at fault. The 2002 act is merely a tool, requiring a set of practices that can be used to improve information security.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13306.html</guid>
  </item>
  <item>
    <title>Data Auditing Quiz: Does Your Compliance Data System Prove Your Innocence?</title>
    <pubDate>Wed, 02 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/abstract13286.html</link>
    <description>One of the biggest mistakes I see when visiting client companies is their underestimation of how well their compliance data system can be audited. It's understandable. When you build a transaction system, your goal is to run the business. When you build a data warehouse, your goal is to analyze the business. But when does it become your goal to audit your business practices? Usually, auditing business practices and data systems becomes an executive afterthought. It is in response to some regulation like HIPAA, PCI, or Sarbanes-Oxley (SOX). Or, it is when you have received notice that a big contract is being audited by an agency like the General Services Administration (GSA). In all cases, when you are under-prepared for an audit it will cost you time, money and effort. Find out now if your data system proves your innocence and uncover some data audit-proofing tips for total compliance.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/abstract13286.html</guid>
  </item>
  <item>
    <title>Five basic mistakes of security policy</title>
    <pubDate>Wed, 02 Apr 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13244.html</link>
    <description>As I mentioned in my last article, security policies serve to protect (data, customers, employees, technological systems), define (the company's stance on security), and minimize risk (internal and external exposure and publicity fallout in the event of a breach). Security policy creation and dissemination are not just a good idea; both are mandated by a slew of corporate regulations, including PCI, HIPAA, and FISMA. This story presents five mistakes that companies commonly make when writing and implementing security policies. As simplistic as some of these errors sound, they happen often enough and cause heavy damage to companies' bottom lines.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13244.html</guid>
  </item>
  <item>
    <title>Verizon to Offer Managed Security Service, Help Organizations Better Protect Total IT Infra</title>
    <pubDate>Mon, 24 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13177.html</link>
    <description>Verizon Business has introduced a new service that seeks to help customers efficiently log, track and analyze user and system activity of software and Web applications, operating systems, and Web and database servers while avoiding the cost and complexity of building, maintaining and monitoring an in-house log management infrastructure. The new Application Log Monitoring and Management Service, part of the Verizon Business Managed Security Services (MSS) portfolio, enables users to better mitigate risk, control IT costs, reduce complexity, and automate security compliance initiatives. As a result, customers can react more quickly to security threats, gain speedy access to critical information, and facilitate security compliance audits.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13177.html</guid>
  </item>
  <item>
    <title>Requirements to improve security may hurt more than they help</title>
    <pubDate>Mon, 24 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13173.html</link>
    <description>With threats of cyber attacks mounting, federal chief information officers say ensuring data security is one of their most important roles. But in a survey released last month, many say the mandates they must comply with may be impeding, rather than improving, security. The Federal Information Security Management Act became law five years ago, requiring agencies to establish controls to protect sensitive data contained in information technology systems. It requires agencies to inventory systems and to develop standards for categorizing information contained within them by risk. The Office of Management and Budget has complicated matters, some experts say, by placing even more demands on CIOs, including mandates that all laptops be encrypted and a governmentwide plan to cut down on the number of Internet connections.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13173.html</guid>
  </item>
  <item>
    <title>State Dept. privacy practices seen as 'satisfactory' in report to Congress</title>
    <pubDate>Mon, 24 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13165.html</link>
    <description>The revelation that three contract workers at the U.S. Department of State illegally accessed confidential passport records belonging to three presidential candidates comes just weeks after a report in which the agency's Inspector General gave it a</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13165.html</guid>
  </item>
  <item>
    <title>Compliance makes better business sense</title>
    <pubDate>Mon, 24 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13155.html</link>
    <description>As more and more Bangladeshi companies participate as suppliers, contractors or customers in the global commercial hub of today's flat world, understanding of and adherence to global compliance norms has become essential for companies of all hues. Compliance with global operating standards makes good business sense too. Today, irrespective of where a company is based, if it does business on a global scale, as many companies based in Bangladesh now do, it needs to understand the best practices and measures for compliance adopted by companies across various geographies. It is increasingly becoming essential for them to smoothly and responsibly do business with counterparts worldwide. Whether they are component suppliers to the automobile giants, outsourced partners for retail chains or emerging manufacturers setting up projects overseas, knowledge of global compliance norms is becoming an integral part of their competitive DNA. While compliance has become a necessity due to </description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13155.html</guid>
  </item>
  <item>
    <title>Network, Database, and System Log Data Management: The What, Why, and How</title>
    <pubDate>Mon, 24 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13149.html</link>
    <description>Recently, security has grown to be on the list of top priorities for many organizations. Despite such prominence, many organizations have not managed to take control over what happens on their network and systems. In fact, CIOs and IT administrators seldom realize that there is an effective way to do this: log management. All users and systems create traces of their activity in the form of log files. Logs are generated at an astounding rate by IT components such as firewalls, routers, server and client operating systems, databases, and even business applications. As a result, mountains of log data accumulate and, often, nobody looks at them despite their usefulness for detecting and troubleshooting security and system operations issues. Actively monitoring log data will help protect businesses not only from external security threats but also from potential threats lingering inside the organization. Whether it's a purposeful data leak by a disgruntled employee or an accidental loss of i</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13149.html</guid>
  </item>
  <item>
    <title>The Measure of FISMA</title>
    <pubDate>Thu, 20 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13136.html</link>
    <description>The FISMA report is one of those federal exercises critics love to hate. As might have been expected, the Office of Management and Budget's annual Federal Information Security Management Act report to Congress earlier this month drew the usual criticism despite apparent improvements in information security and privacy practices. FISMA, as most of our readers know, requires each agency to protect the government's information, operations and assets. That includes documenting and implementing procedures for detecting, reporting and responding to security incidents. The primary complaint: Too much energy goes into documenting compliance and too little goes to protecting information. The root of the criticism, and the issue facing critics and proponents alike, lies in what FISMA measures.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13136.html</guid>
  </item>
  <item>
    <title>Many businesses fail compliance checks</title>
    <pubDate>Mon, 17 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13096.html</link>
    <description>Two businesses in Wilkin County failed tobacco compliance checks this month, one of which is on its second offense. The announcement was made at the Wilkin County Alcohol Tobacco and Other Drugs coalition meeting Thursday morning. Wilkin County law enforcement checks on all tobacco licensees a couple of times a year. An administrative penalty of $75 is fined to a licensee or employee of a licensee that sells tobacco to an underage individual. If a second violation occurs within a 24 month period, a $200 fine is imposed. For the third violation within the same time frame, a $250 fee is administered and the licensee will be suspended from selling tobacco for seven days. The employee who fails the compliance check receives a $50 fine every single time. In past years, the department has seen a 50 percent failure rate.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13096.html</guid>
  </item>
  <item>
    <title>GAO: Common desktop configuration holds promise for better security</title>
    <pubDate>Mon, 17 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13090.html</link>
    <description>Agencies have not adopted, or are only slowly implementing, numerous recommendations and actions that could significantly improve the federal security posture, the Government Accountability Office has said. GAO also reported that agencies did make incremental but steady progress in improving information security in 2007. Persistent weaknesses in agency information security controls still threaten the confidentiality, integrity and availability of federal information and the systems on which the data runs, said Gregory Wilshusen, director of GAO's information technology issues. The latest report to Congress on agencies' compliance with the Federal Information Security Management Act also showed a jump in reported security incidents.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13090.html</guid>
  </item>
  <item>
    <title>House revisits FISMA</title>
    <pubDate>Mon, 17 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13089.html</link>
    <description>The Office of Management and Budget reports that as of last year agency compliance with the Federal Information Security Management Act (FISMA) had significantly improved. In 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan, and 95 percent had tested security controls. Unfortunately, FISMA compliance is not necessarily a good measure of information technology security, a panel of witnesses told a Senate subcommittee March 12. There are no consistent assessments of the effectiveness of the controls being put into place, and practical examples of weaknesses, such as system penetrations and data loss, continue to crop up. Despite reported progress, 20 of 24 agencies continue to experience information security control deficiencies, said Gregory Wilshusen, director of information security issues at the Government Accountability Office. Sen. Thomas R. Carper (D-Del.), chairman of the Homeland Security and Government</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13089.html</guid>
  </item>
  <item>
    <title>Federal agencies spotty in compliance with Freedom of Information Act requests</title>
    <pubDate>Mon, 17 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13085.html</link>
    <description>The Internal Revenue Service arguably has the most famous and feared deadline in the United States. But when it comes to deadlines for Freedom of Information Act requests, the tax agency isn't nearly so demanding of itself.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13085.html</guid>
  </item>
  <item>
    <title>A Review of the FBI's Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006</title>
    <pubDate>Mon, 17 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13075.html</link>
    <description>The USA Patriot Improvement Reauthorization Act of 2005 directed the Department of Justice Office of the Inspector General to review among other things,</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13075.html</guid>
  </item>
  <item>
    <title>Compliance to drive archiving technology growth</title>
    <pubDate>Mon, 17 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13043.html</link>
    <description>Active archiving of information will become more prominent in businesses as shifts in technology enable more comprehensive and additional content, IDC has predicted. The main drivers will be compliance with record retention laws, improving the efficiency and accuracy of legal e-discovery and achieving overall IT optimisation gains. However, companies are more interested in broader information management systems than simple archiving products, the analyst firm claimed in a recent report. The initiatives driving active archiving spending are more about information management than about archiving, although archiving may be a technology that is used to achieve policy objectives, said Laura DuBois, programme director for storage software at IDC. Projects form around information management, records management and electronic discovery.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13043.html</guid>
  </item>
  <item>
    <title>The five sins of security policies</title>
    <pubDate>Wed, 12 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract13031.html</link>
    <description>Security policies serve to protect (data, customers, employees, technological systems), define (the company's stance on security), and minimise risk (internal and external exposure and publicity fallout in the event of a breach). Security policy creation and dissemination are not just a good idea; both are mandated by a slew of corporate regulations, including PCI, HIPAA, and FISMA. This article presents five mistakes that companies commonly make when writing and implementing security policies. As simplistic as some of these errors sound, they happen often enough and cause heavy damage to companies' bottom lines.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract13031.html</guid>
  </item>
  <item>
    <title>Contractor networks create security risk, Defense official says</title>
    <pubDate>Mon, 10 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12976.html</link>
    <description>Information technology contractors pose a major security risk by not locking down their networks properly, according to the Defense Department's top IT official. The threat, along with risks associated with offshoring and acquisitions of American IT firms by foreign companies, are driving defense and intelligence agency initiatives to develop stricter information security standards. Contractors managed 1,353 systems on behalf of federal agencies in fiscal 2007, according to an Office of Management and Budget fiscal 2007 report on the implementation of the 2002 Federal Information Security Management Act, submitted to Congress in late February. Less than half of 25 major agencies said they</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12976.html</guid>
  </item>
  <item>
    <title>Capital market: Important rules compliance</title>
    <pubDate>Wed, 05 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12940.html</link>
    <description>United States regulation of broker-dealers is governed primarily by certain provisions. The Securities Act of 1933, generally referred to as the '33 Act, and the rules and regulations promulgated under it, primarily focused on IPOs. The Securities Act of 1934, generally referred to as the '34 Act, and the IPO trading of securities and (ii) the reporting obligations of publicly traded companies. The rules of self-regulatory organisations such as the stock exchanges (primarily the New York Stock Exchange and the NASDAQ) and the National Association of Securities Dealers (NASD). To a lesser degree: the Investment Company Act (regulates mutual funds and other pooled investment vehicles) and the Investment Advisers Act (regulates entities in the business of advising others on securities transactions and the value of securities).</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12940.html</guid>
  </item>
  <item>
    <title>National Security Trumps Personal Privacy, Government IT Pros Say</title>
    <pubDate>Tue, 04 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12912.html</link>
    <description>Government IT professionals believe that national security is more important than personal privacy, according to a survey released Monday. Quest Software's Identity Management Government Survey of 474 IT professionals in federal, state, and local government found that 53% believe that national security should take priority over Americans' personal privacy. The survey, conducted by the public opinion research company Pursuant in January, also showed that 69% of IT professionals in federal, state, and local government believe identity management is very important to their organizations and agencies. Seventy-two percent believe that it will increase in importance over the next five years, the survey revealed. Fifty-nine percent of local and county government IT professionals are very concerned about compromised critical public infrastructure, while 45% of federal and 38% of state government IT professionals are very concerned.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12912.html</guid>
  </item>
  <item>
    <title>Fountain: FISMA's fifth birthday</title>
    <pubDate>Tue, 04 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12911.html</link>
    <description>The Federal Information Security Management Act turned five in December. As with any milestone, this is a good time to reflect on what's working and what's not with one of the most pervasive, and arguably most influential, information security laws to be enacted. The purpose of FISMA is to protect the government's information assets, no small task. FISMA has had a positive effect on information security, but there is room for improvement. FISMA has done a number of things well. It has raised general awareness of information security and increased executive-level accountability. It generates a standardized system of measurement, which the Office of Management and Budget publishes in an annual FISMA report to Congress. The law provides formalized information security practices and procedures.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12911.html</guid>
  </item>
  <item>
    <title>Federal agencies boost scores in security</title>
    <pubDate>Tue, 04 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12910.html</link>
    <description>Their grades have not been posted, but government agencies have generally improved their security this year, as measured by compliance to the Federal Information Security Management Act (FISMA) of 2002, a report issued by the Office of Management and Budget stated on Saturday. In the report (pdf), the OMB stated that, overall, the government did better in fiscal 2007 with certifying systems and testing security controls and contingency plans than the previous year. The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12910.html</guid>
  </item>
  <item>
    <title>OMB reports 60 percent increase in information security incidents</title>
    <pubDate>Mon, 03 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12904.html</link>
    <description>The number of information security incidents reported by federal agencies jumped from 5,146 in fiscal 2006 to 12,986 last year, with a 70 percent increase in unauthorized access to federal networks alone, according to a report from the Office of Management and Budget released Saturday. The results -- which also show a sharp increase in reports of improper usage due mostly to a security breach at the Veterans Affairs Department -- reflect better detection of threats, but also call into question the effectiveness of systems for certifying agencies' information security. OMB submitted its fiscal 2007 report on the implementation of the 2002 Federal Information Security Management Act to Congress Friday. Under the law, chief information officers and inspectors general are required to conduct annual reviews of their agencies' information security programs. FISMA also requires agencies to document and implement procedures for detecting, reporting, and responding to security incidents, and to notify the</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12904.html</guid>
  </item>
  <item>
    <title>OMB: Security incidents jumped in 2007</title>
    <pubDate>Mon, 03 Mar 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12896.html</link>
    <description>Agencies reported twice as many information technology security incidents in fiscal 2007 compared with the year before. The number of incidents in six categories reached 12,986, compared with 5,146 in 2006, the Office of Management and Budget said. One of those categories, unauthorized access, jumped to 2,321 in 2007 from 706 the year before, OMB said in its report to Congress that was released today. It contains the results of how agencies strengthened information security and privacy protections under the Federal Information Security Management Act. The increase in unauthorized access is due mainly to reporting now required for all instances where personally identifiable information may have been revealed, the report states. Although OMB is concerned by the increase in incident reporting, it's not altogether a bad thing, said Karen Evans, OMB's administrator for e-government and information technology.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12896.html</guid>
  </item>
  <item>
    <title>Five basic mistakes of security policy</title>
    <pubDate>Fri, 29 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12887.html</link>
    <description>As security policy mistakes go, this is a big one and can range in practice from not having any policy to only having an</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12887.html</guid>
  </item>
  <item>
    <title>Surprise, Surprise. Federal Agencies Not Protecting The Information They Collect About You</title>
    <pubDate>Fri, 29 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12868.html</link>
    <description>There are many policies, mandates, and laws that govern personally identifiable and financial information for federal agencies. So just how many federal agencies are living up to their responsibilities? You guessed it: not many. When it comes to maintaining the privacy of information government agencies collect about U.S. citizenry, there are two overarching laws. These are the Privacy Act of 1974 and the E-Government Act of 2002. Each of these laws mandates that federal agencies protect personal information. Other laws and mandates that come into play, depending on the nature of the agency and the information stored, include the Federal Information Security Management Act of 2002, aka FISMA, which sets forth a good baseline for security policies; the Health Information Portability and Accountability Act, aka HIPAA; and the California Database Breach Disclosure law, largely known as SB 1386, and now similar laws are in force in more than 40 other states.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12868.html</guid>
  </item>
  <item>
    <title>CIOs need to think about compliance holistically</title>
    <pubDate>Mon, 25 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12821.html</link>
    <description>Indian companies, especially in the pharma, biotech, IT and financial services domains, have drawn up aggressive overseas expansion plans, and as they go abroad, compliance becomes a key issue. We believe that the market for Quality, Regulation and Compliance (QRC) business in India will see huge growth over the next couple of years. We estimate the QRC-related spending by India's top 2000 firms to be around US $1 billion, a figure that has ballooned from about US $100 million in 2002-03. On an aggregate basis, including spending by regulators like SEBI, the QRC spend in India is estimated to be around US $8 billion to US $10 billion, though in percentage terms this is about 10% of what is incurred as QRC spending in the US.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12821.html</guid>
  </item>
  <item>
    <title>Shavlik Simplifies and Automates Agency Preparation for Upcoming FDCC and FISMA Reporting Requirements</title>
    <pubDate>Wed, 20 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12774.html</link>
    <description>Shavlik Technologies, LLC, the market leader in delivering software solutions that rapidly accelerate and continuously improve security and compliance readiness, has enhanced its solution suite to support recently released US Federal government standards and ensure its customers can easily prove compliance with new FISMA reporting requirements. The Federal Information Security Management Act (FISMA) of 2002 mandates yearly audits of government agency IT controls. FISMA recently changed its reporting requirements to now include proof of compliance with specific system configurations as defined by the National Institute of Standards and Technology (NIST) and referred to as the Federal Desktop Core Configuration, or FDCC. By March 31, agencies must submit a technical report to NIST and OMB demonstrating the status of their implementations. The Shavlik Security Suite provides a sustainable solution for agencies to generate and distribute approved system baseline configurations and security</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12774.html</guid>
  </item>
  <item>
    <title>Industry hoping for action on data security bill this year</title>
    <pubDate>Wed, 20 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12773.html</link>
    <description>The window for advancing a comprehensive federal data security bill is closing, but stakeholders are holding out hope that narrowly crafted proposals to improve government information security compliance and fight cybercrime might still get traction this spring. A joint hearing of two House Oversight and Government Reform Committee panels Thursday examined one such bill, introduced last year by Information Policy Subcommittee Chairman William Lacy Clay, D-Mo., and co-sponsored by Government Management Subcommittee Chairman Edolphus Towns, D-N.Y. The legislation, which Oversight and Government Reform Committee Chairman Henry Waxman, D-Calif., has also supported, would update the six-year-old Federal Information Security Management Act to establish requirements for securing personal or sensitive data. The bill proposes a broader definition of</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12773.html</guid>
  </item>
  <item>
    <title>A typical data center is as secure as a water balloon</title>
    <pubDate>Wed, 20 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12752.html</link>
    <description>Suppose we compare your data center to a water balloon. Both have a relatively secure perimeter. Both have content that should remain inside. Both face significant threats from pointed attacks. And in both cases, Bad Things happen when the perimeter is breached. Why the comparison? Consider the following: How much do you spend to protect your data center applications from outside attacks? How about from attacks launched inside your network security perimeter? How secure is your valuable data against the misuse of privileged access accounts? When was the last time you changed all of your database passwords or all of your server passwords? Often, the answers to these questions reveal that a typical data center is about as secure as a water balloon. Here we describe some common yet risky misperceptions about data center security. The goal is to get you thinking about threats that you may not have considered before. Then we describe some proven strategies you can adopt to resist these thre</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12752.html</guid>
  </item>
  <item>
    <title>GAO: Although Progress Reported, Federal Agencies Need to Resolve Significant Information Security Deficiencies</title>
    <pubDate>Mon, 18 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12731.html</link>
    <description>Information security is especially important for federal agencies, where the public's trust is essential and poor information security can have devastating consequences. Since 1997, GAO has identified information security as a governmentwide high-risk issue in each of its biennial reports to the Congress. Concerned by reports of significant weaknesses in federal computer systems, Congress passed the Federal Information Security Management Act (FISMA) of 2002, which permanently authorized and strengthened information security program, evaluation, and annual reporting requirements for federal agencies. GAO was asked to testify on the current state of federal information security and compliance with FISMA. This testimony summarizes (1) agency progress in performing key control activities, (2) the effectiveness of information security at federal agencies, and (3) opportunities to strengthen security. In preparing for this testimony, GAO reviewed prior audit reports; examined federal polici</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12731.html</guid>
  </item>
  <item>
    <title>Government still suffers from information insecurity</title>
    <pubDate>Mon, 18 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12730.html</link>
    <description>Federal agencies continue to struggle with information security, according to a new report from the Government Accountability Office. Weak access controls, network device configuration, and management procedures leave systems vulnerable to malicious attacks and data at risk of exposure. The report (GAO-08-496), which GAO presented to Congress during a hearing Thursday, summarized agency progress in performing key control activities, the effectiveness of information security efforts, and opportunities to strengthen security, based upon prior audits, federal policies, and inspectors general reports.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12730.html</guid>
  </item>
  <item>
    <title>White House objects to plan for .gov P2P security</title>
    <pubDate>Fri, 15 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12716.html</link>
    <description>The Bush administration on Thursday questioned a proposed law that would force federal agencies to develop specific plans for guarding government computers and networks against</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12716.html</guid>
  </item>
  <item>
    <title>OMB does not support bill to update FISMA</title>
    <pubDate>Fri, 15 Feb 2008 00:00:00 CST</pubDate>
    <link>http://www.compliancehome.com/resources/FISMA/Articles/abstract12714.html</link>
    <description>The Bush administration doesn't support legislation introduced late last year that would modify the Federal Information Security Management Act, an administration official testified today. The bill, sponsored by Reps. William Clay (D-Mo.), Henry Waxman (D-Calif.) and Edolphus Towns (D-N.Y.), would require agencies to develop policies and plans to identify and protect personal information and to develop requirements for reporting data breaches. Karen Evans, the Office of Management and Budget's administrator for e-government and information technology, told House members that current activities being undertaken by agencies are closing the performance gaps and that the legislation could cause agencies some unplanned problems.</description>
    <guid isPermaLink="false">http://www.compliancehome.com/resources/FISMA/Articles/abstract12714.html</guid>
  </item>
</channel>
</rss>
