Gotta Love a Good Framework...

Release Date: 6/16/2009
By: Peter Hefley, Principal of Information Security

Last week, our CEO received an e-mail from NIST (National Institute of Standards and Technology) announcing the final public draft of Special Publication 800-53, Revision 3, of their Recommended Security Controls for Federal Information Systems and Organizations, and he asked me for my take on it. (Yes, we really do gather around the watercooler and talk about this stuff here at HEIT.) I think he was intrigued because NIST called this revision "historic in nature." In response, I decided to get on my virtual soapbox and rant a little about this topic. Please humor me.

I think what's "historic in nature" about Revision 3 is that it syncs up the 800-53 controls with ISO 27001. The federal examiners are a federal agency, and thus bound by FISMA and its directive to follow NIST guidelines. The FFIEC Information Security Handbook is not derived from the NIST guidance; rather, it references it, and only in an informational fashion. I think it would behoove the FFIEC to adopt a framework such as 800-53 in order to standardize, strengthen, codify, and clarify the requirements placed on financial institutions. Compare the FFIEC Information Security Handbook to PCI, for example: PCI's requirements are clearly stated. FFIEC is more wishy-washy, recommending a lot of controls but not requiring them. Furthermore, adoption of a certification and accreditation framework would be a step beyond the one just mentioned, and would, in my opinion, eliminate many of the problems I encounter with insecure systems and institutions that are not aware of their current risks.

Finally, I think that the current regulatory system financial institutions are under is broken and badly needs to be fixed. PCI is even worse. Consider financial risk as analogous to the risk an organization faces from information security threats.
Organizations which are publicly traded are required to report their financials to the SEC and to stockholders. This allows the stakeholders to observe data about the organization and draw conclusions about that organization's risk appetite. In my opinion, organizations should also have to publish some sort of reporting on their current risk environment (specifically IT or security risk). This would allow consumers to make an educated decision about where they place their trust, deposits, and lending.

So there you have it. I'll step off my virtual soapbox...for now.