Time to move beyond FISMA, CISOs say

http://www.fcw.com/article102777-05-23-07-Web 

By Jason Miller
May 23, 2007

The Federal Information Security Management Act (FISMA) will be five 
years old in November, and it has achieved its goal of raising the 
government’s awareness of cybersecurity, federal officials say.

Some chief information security officers say agencies must move beyond 
the law’s requirements to address real-time monitoring and install 
proactive and dynamic defenses.

“We need to move above and beyond the paper exercises and see what is 
happening and evaluate ourselves against it,” said Ed Meagher, the 
Interior Department’s deputy chief information officer. “We can’t stop 
doing the reporting that FISMA requires, but we need to look for ways to 
understand what the threats are and in real time.”

Michael Castagna, the Commerce Department’s CISO, said FISMA provided 
visibility and a way to communicate security requirements to senior 
managers and other employees.

“Security must be rooted in the organization’s culture,” he said during 
a panel discussion on information technology security sponsored by Cisco 
Systems and FCW Events. “FISMA helped us put security in our governance 
processes, [such as] capital planning and investment control, IT 
investments, and enterprise architecture.”

One agency participant agreed with Meagher and Castagna that FISMA has 
succeeded in getting agencies to focus on security in their day-to-day 
operations.

Now CISOs must take a more aggressive approach to spreading the word 
about cybersecurity, Meagher said.

“The CISO community is hesitant to speak up because they feel like they 
are not at the table [with other chiefs] yet,” he said. “The one thing 
they must stop is management complacency. Telling them to do it is not 
enough.”

Meagher said it is best for CISOs to be visible throughout the agency 
and have a track record of success.

“You need to know your priorities based on your mission needs,” said 
Dennis Heretick, the Justice Department’s CISO. “You then prioritize 
your requirements based on risk.”

Patrick Howard, the Department of Housing and Urban Development’s CISO, 
said the agency focuses on ensuring security when planning and 
developing new systems.

“We are designing the controls at the right stage to support our 
business better,” he said. “We are trying to move out of playing 
catch-up with our older systems.”

Heretick said the risk for most agencies is in the installed base, so 
Justice is focusing on those systems first and using new systems to replace 
applications that cannot be updated or are too expensive to improve.
