AUTOMATING COMPLIANCE WITH FEDERAL INFORMATION SECURITY REQUIREMENTS
SRA's strategy to focus its efforts on federal government departments and agencies within the national security market
SRA International was established in 1976 as Systems Research and Applications Corporation. It began operations two years later, and in 1984 a parent company, SRA International Inc, was created (SRA, 2009). The company has been publicly held since 2004 and trades its stock on the New York Stock Exchange. Its headquarters are in Fairfax, Virginia, and it has over 42 operational offices in fifteen states and the District of Columbia, plus one in Canada. The company's strategy of serving the federal government has been very beneficial to its profit margin: it has developed and enacted strategies aimed at serving its federal government client base efficiently and effectively, and the federal government is its largest client, accounting for 90% of company revenue. To serve this client effectively, the company has concentrated its offices in Washington D.C., with around fifteen within the metropolitan area. The focus on the federal government has not only been the company's greatest source of revenue but has also increased employment: in 2005 the company employed over 4,777 people with security skills and IT competence. In the same year it entered into a contract to provide IT services and solutions to its three primary markets: national security, civil government, and health care and public health. These are the benefits the company enjoys from a strategic approach built on its competence, efficiency and effectiveness in serving the federal government. Developing strategies that comply with government requirements has given the company a competitive advantage within the industry, with the federal government as its largest client.
Relationship between open source intelligence, national security, and text and data mining software
Open-source intelligence, commonly abbreviated OSINT, is the form of intelligence that the government collects from publicly available sources. After detailed analysis, the government uses the information generated from these sources to formulate and enact policies, and the national security community uses it as an essential baseline for developing approaches aimed at enhancing national security. The government uses text and data mining software to gather and analyse the data. Publicly available open-source intelligence sources include: the internet, boosted by the increasing innovation in and usage of social media websites; traditional mass media such as television, radio, newspapers and magazines; specialized journals, conference proceedings and the well-known think tank studies; and photos and geospatial information from maps and commercial imagery products (Wilson, 2006). Researchers indicate that open-source intelligence is and will always remain an essential part of all-source analysis. Although the information is termed free because it is publicly available, it is complicated to compile, largely because of the increasing use of communication technology devices. Cultural diversity is another aspect that limits the efficiency and effectiveness of collecting the data. Organizations and firms are increasingly concerned about the availability of open-source intelligence for several reasons: its increasingly large volume, which requires skills and competence, especially given the pace of technological advances, and its misuse, for example in fraud. Every organization needs to invest in the benefits of this information for both short-term and long-term gains. Organizations can use the information to serve their customers effectively and efficiently, based on a deep analysis of the various sources.
Critical infrastructures and a list of the U.S. critical infrastructure sectors, with examples of each
Critical infrastructure has been defined in various ways by different researchers, depending on their view of what it entails. Taken together, these definitions make it evident that critical infrastructure consists of the essential assets that allow the whole of society and the economy to function. These infrastructures support the functioning of society by enabling the efficiency and effectiveness of society and the economy. They include electricity, telecommunications, water supply, agriculture, heating, public health, transportation, financial services and security services. In the United States the government has developed some of the best critical infrastructure sectors, each managed by a designated agency. The following list sets out the various critical infrastructures and the agencies responsible for them:
- Food and agricultural infrastructure, managed by the Departments of Agriculture and Health and Human Services
- Water infrastructure, managed by the Department of Health and Human Services
- Emergency services, managed by the Department of Homeland Security
- Defense industrial base, managed by the Department of Defense
- Transportation and shipping, overseen by the Department of Transportation
The list above compiles some of the critical infrastructures that the U.S. government has established and developed to enhance economic and societal development. They are the core assets that every government aims to establish effectively and efficiently. They are the cornerstones, or baselines, on which a nation's development and progress rest, and they are critical for every sector within an economy.
Importance of improved interoperability between federal agency systems for national security purposes
The benefits of improved interoperability among federal agency systems are vast in terms of national security policy. Interoperability is the ability of systems and organizations to integrate their activities towards a common objective. Improving interoperability through strategic approaches within the various federal agencies will facilitate easy communication and sharing of information, which can then be used to develop and enact policies that strengthen national security. Greater integration and cooperation among these agencies will increase the sources of information available, because agencies that share a database can pass the essential information they acquire on to the national security agency. Pooling the various resources is only possible through improved interoperability, which can also increase the privacy and quality of the information the agencies generate. Although improving interoperability is challenging, the various stakeholders can adopt strategies to facilitate the process, including policies and guidelines from the agencies on the importance of working towards a common goal. The increasing global cyber attacks and acts of terrorism can only be curbed and averted through increased interoperability. These benefits are some of the essential developments that the national security agency can harvest from increased interoperability among federal systems. It is therefore essential to adopt approaches that improve interoperability, so as to make policy formulation by the national security team more effective and efficient.
FISMA replaced the Government Information Security Reform Act (GISRA). Provide an overview of GISRA
The Government Information Security Reform Act (GISRA) was signed into law in October 2000. The primary reason for its enactment was to address the program management and evaluation aspects of information security. It applied to unclassified and national security systems. Its basic purposes were to ensure the confidentiality, integrity and availability of government information. GISRA expired in 2002 and was replaced by FISMA. The Federal Information Security Management Act was enacted in 2002 after GISRA expired. It offers an ample framework that protects United States government information, operations and assets from natural and man-made threats and disasters. Its main role is to assign responsibilities to the various agencies so that data generated to and from the federal government is managed securely and responsibly, and it sets out various strategies to ensure that the data is secured. Although there are slight differences between the two acts, there are no significant ones: the tasks stipulated for GISRA, namely ensuring the confidentiality, integrity and availability of government information, correspond to the responsibilities allocated under FISMA. However, FISMA brought more effective and efficient policies and programs, an upgrade on some aspects that GISRA could not handle. Its mandate includes not only managing and ensuring the security of information held by federal agencies but also providing strategies to establish exceptional security baselines within large organizations across the globe. FISMA is more effective and efficient at data security, an essential aspect for federal governments in securing the people's welfare.
Analysis of whether FISMA requirements are a good model for a business information security program, and their effectiveness
FISMA has enacted various compliance requirements that a business information security program should uphold. These requirements are essential for managing and ensuring that the data or information generated within an organization is secured against inappropriate use such as fraud, and they matter to every organization that wishes to keep its data and information secure. Organizations that seek to meet the FISMA compliance requirements benefit in various ways: some of the requirements expose the organization to the essential aspects to consider while establishing and managing its information systems so that the information is secured. The major items on the compliance list carry significant benefits for organizations. These include periodic risk assessments, under which the organization is required to conduct periodic evaluations to identify the potential damage and disruption caused by unauthorized access; policies and procedures, under which the strategies enacted must be cost effective; and subordinate plans, under which the organization is required to develop secure networks and facilities for communication. Another essential requirement is to conduct security awareness training programs that teach employees the importance of information systems security and the risks the organization faces if employees fail to adhere to the set regulations or compliance baselines. The act also calls for periodic testing and evaluation to ensure that the policies, procedures and controls of the information security systems are up to date. As this analysis of some of the FISMA compliance requirements shows, the requirements are essential for every organization setting up or establishing secure information systems.
Reasons behind many federal agencies receiving low grades on the Federal Computer Security Report Card in spite of FISMA’s mandate to strengthen information security within the federal government
Although FISMA has developed strategic approaches aimed at fostering and strengthening information security systems, various federal agencies either fail to adhere to the set regulations, or FISMA's strategies have minimal influence on the policies and strategies these agencies deploy. Information security is a sensitive matter, and the damage that can be done to the state and the people if information is acquired for fraud or other threatening purposes is demoralizing. These agencies fail to develop strategies that comply with the FISMA standards, or, having enacted them, fail to develop the evaluation and control measures and procedures needed to make them effective and efficient. Some of the areas in which the agencies may be failing to strategize, covering the various reasons why agencies perform poorly, include:
- Failure to establish strong governance, such as failing to develop responsible governance to manage risks, report, control, test and train, together with poor accountability; this is one of the leading reasons for the poor performance of these agencies
- Poor inventory of the IT assets deployed within these agencies; an effective security program calls for efficient strategies that safeguard the assets and enhance their protection, and failure to do so leads to poor performance
- Poor definition of security roles and responsibilities, another aspect that contributes to poor performance
- Lack of effective use of technology for automation and threat monitoring
- Failure to align the strategies with the risks
- Poor establishment of quality in the compliance process
The reasons given above are among the major reasons attributed to the poor performance in spite of FISMA's mandate and efforts to increase information security within these federal agencies.
Comparison of the Classes and Families of the minimum security control requirements to the classes and control objectives of ASSERT’s assessment questions
A detailed comparison between the classes and families set out in the case study and the ASSERT assessment questions draws a clear analogy across various aspects. Under the class heading, the technical class is given, with the family section covering incident response, awareness and training, identification and authentication, access control, audit and accountability, system and communications protection, physical and environmental protection and contingency planning. Under each of these families a list of requirements is developed to ensure that strategies have been deployed to make information security systems effective and efficient. The set questions clearly align with ASSERT's questions. This includes the risk management strategies enacted, where the questions asked under that section set out the essential factors that every organization should develop. The next section after risk management is the review of security controls, which also aligns with the requirements developed under the class and family aspect, and so gives a clear analysis of the security controls the organization has set. This section aims to test the organization's security system with essential questions on its effectiveness and efficiency, which helps in discovering shortcomings within the enacted system and making adjustments. Another essential factor covered in ASSERT's security enhancement is the product life cycle, where questions are asked about the sensitivity of the system and the duration it is expected to serve. This is also useful for determining the lifetime of the enacted system. The analysis above indicates some of the aspects addressed in the minimum security control requirements and in the control objectives of ASSERT's assessment questions, both of which are essential in enhancing the effectiveness and efficiency of the enacted information security system.
How ASSERT’s questions could be used by a business to better control its IT systems and to mitigate its security risks
A risk is the possibility of a loss or other adverse event that has the potential to interfere with an organization's ability to fulfill its objectives. Risk management ensures that an organization identifies and understands the risks to which it is exposed. It is a process of identifying and analyzing uncertainty in investment decision making: determining what risks exist in an investment and handling them in the way best suited to the investment objectives. The questions under the ASSERT section offer a unique and essential platform for every organization aiming to control its IT effectively and efficiently and to mitigate its security risks. Under risk management, questions are asked such as what periodic procedures are conducted on the risk. Using the provided questions, the organization's risk management team can help the organization avert various risks that could affect its performance, while building an effective and efficient risk management team. The questions can be used not only in the development of policies but also in the control and evaluation program. The questions under the review of security controls can be used in developing security control policies and during evaluation and control procedures, giving the organization baselines on which an effective and efficient security system is based. The life cycle questions can facilitate the monitoring of the system to avoid damage caused by failures or by the purchase of defective devices.
Differences in legal regulations and guidance for compliance between the federal government and industry in managing the security of information systems
A common aspect of the two is that both aim to develop and enact strategies that enhance secure and safe information systems. The federal government's legal regulations and guidance policies are stricter, aimed at ensuring that the various organizations and agencies enact strategies to develop secure information systems. The federal government develops regulations that must be adhered to based on performance. The government tends to generalize, whereas industry, although it may offer policies with almost the same goals, has legal regulations that are more specific. The government's approach to compliance requirements focuses on the welfare of the entire public, while industry may weigh the benefits to its own venture and hence be more reluctant. However, despite these differences, it is essential that every stakeholder within the industry enacts strategies that safeguard the security of every information system, for the greater benefit of the people.
References
Bowen, P., Hash, J., & Wilson, M. (2006). Information Security: A Guide for Managers. NIST Special Publication 800-100.
SRA International, Inc. (2009).
NATO (2002). NATO Open Source Intelligence Reader.
Critical Infrastructures and List of the U.S. Critical Infrastructure Sectors (2004).
Office of Management and Budget (2000). Management of Federal Information Resources (OMB Circular).
Federal Information Processing Standard 199 (2004). Standards for Security Categorization of Federal Information and Information Systems.
Federal Information Processing Standard 200 (2006). Minimum Security Requirements for Federal Information and Information Systems.
National Institute of Standards and Technology (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Special Publication 800-37.
National Institute of Standards and Technology (2006, February). Recommended Security Controls for Federal Information Systems. Special Publication 800-53, Revision 1.