Information system security compliance to FISMA standard: a quantitative measure
2010
To ensure that safeguards are implemented to protect against a majority of known threats, industry leaders are requiring information processing systems to comply with security standards. The National Institute of Standards and Technology Federal Information Risk Management Framework (RMF) and the associated suite of guidance documents describe the minimum security requirements (controls) for non-national-security federal information systems mandated by the Federal Information Security Management Act (FISMA), enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002. The subjective compliance assessment approach described in the RMF guidance, though thorough and repeatable, lacks the clarity of a standard quantitative metric to describe for an information system the level of compliance with the FISMA-required standard. Given subjective RMF assessment data, this article suggests the use of Pathfinder networks to generate a quantitative metric suitable to measure, manage, and track the status of information system compliance with FISMA.
Keywords:
- Information security
- NIST Special Publication 800-53
- Information security audit
- Information security standards
- Security information and event management
- Standard of Good Practice
- Computer security
- Certified Information Security Manager
- Certified Information Systems Security Professional
- Computer science
- Information security management
- Information security management system
- Correction
- Source
- Cite
- Save
- Machine Reading By IdeaReader
17
References
20
Citations
NaN
KQI