TRENDING:

Taskforce Tackles New IT Security Metrics

Group to Create Measurement Focusing on Outcomes Eric Chabrow (GovInfoSecurity) • October 2, 2009    
Taskforce Tackles New IT Security Metrics
The Federal Chief Information Officers Council has established a taskforce to develop new information security performance metrics that focus on outcomes.

On the blog of the IT Dashboard, federal CIO Vivek Kundra and Navy CIO Robert Carey and Justice CIO Vance Hitch (co-chairs of the council's Information Security and Identity Management Committee) write that approaches to cybersecurity must confront new realities as threats to the nation's IT security evolve, adding:

"In order to meet the evolving challenges we now face, Federal Information Security Management Act metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies' information and network security postures, possible vulnerabilities and the ability to better protect our federal systems."

Besides the CIO Council, among those participating in the task force are the Council of Inspectors General on Integrity and Efficiency, National Institute of Standards and Technology, Department of Homeland Security, Department of Defense, director of National Intelligence, Government Accountability Office and the Information Security and Privacy Advisory Board.

The taskforce held its first meeting on Sept. 17. The Office of Management and Budget plans to have the taskforce develop a draft set of metrics for comment by the end of November.

According to the blog, the participants agreed that a new set of security metrics could move the agencies forward in securing their systems as "what gets measured, gets done." They discussed the various factors that will impact the development of new metrics, including:

A trust but verify approach.
Fulfilling statutory requirements.
Real-time awareness security posture.

FISMA reform legislation before Congress, the United States Information and Communication Act, takes the same tact as the taskforce, emphasizing real-time verification of IT security rather than departmental and agency compliance with cybersecurity rules.

Previous
IT Unemployment at Near 5-Year High
Next
Lawsuit: Heartland Knew Data Security Standard was 'Insufficient'

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Are We Doomed? Not If We Focus on Cyber Resilience
Are We Doomed? Not If We Focus on Cyber Resilience
Protecting the Hidden Layer in Neural Networks
Protecting the Hidden Layer in Neural Networks
The Persisting Risks Posed by Legacy Medical Devices
The Persisting Risks Posed by Legacy Medical Devices
Craig Box of ARMO on Kubernetes and Complexity
Craig Box of ARMO on Kubernetes and Complexity
Organization-Wide Passwordless Orchestration
Organization-Wide Passwordless Orchestration
David Derigiotis on the Complex World of Cyber Insurance
David Derigiotis on the Complex World of Cyber Insurance
Whistleblowing Brings Visibility to the Role of CISOs
Whistleblowing Brings Visibility to the Role of CISOs
Securing the SaaS Layer
Securing the SaaS Layer
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
Showing Evidence of 'Recognized Security Practices'
Showing Evidence of 'Recognized Security Practices'

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.