Focus of SRA on the national security market:

The main focus of SRA is the national security market of the federal government
departments and agencies. Federal agencies are required to be verified as compliant with
the government's information security regulations, but this process is complicated and
time-consuming. SRA understands the needs of this market well, and it knows there is a
great deal of scope for growth if it works with federal government departments and their
agencies. This strategy has proven to be a good one for SRA, because most of the revenue
generated by the company comes from the national security market.

Open source intelligence:

Open source intelligence means information collected from public sources such as
newspapers, magazines, journals, social websites, etc.

Open source intelligence is gathered using text and data mining software, and these tasks
improve the nation's security.

Businesses should also consider open source intelligence when checking new and current
market trends. A business can create new marketing or other business strategies, or alter
existing ones, according to the current trends, and this information can be gathered easily
from open sources of intelligence.

Critical infrastructures:

Critical infrastructures are those special and valuable assets, systems or resources
(virtual or physical) that are vital to a nation's security. Any harm to or attack on these
resources may badly affect the economic security and safety of the nation.

U.S. critical infrastructure sectors are listed below:

Food & Agriculture
Commercial Facilities
Banking and Finance
Chemical
Critical Manufacturing
Communications
Dams
Defense Industrial Base
Emergency Services
Energy
Government Facilities
Healthcare and Public Health
Nuclear Reactors, Materials and Waste
National Monuments and Icons
Information Technology
Postal and Shipping
Transportation Systems
Water

Interoperability between federal agency systems:

Improved interoperability between federal agency systems is necessary for national
security purposes. When all the systems follow the same hardware and software standards,
integrating the systems and communicating between them online becomes easier and more
convenient. When data is easy to handle in this way, it also raises the security standard
of the entire system.

Overview of GISRA:

The Government Information Security Reform Act (GISRA) was formerly known as the
Thompson-Lieberman Act. It is a federal law that was implemented in 2000 but was later
replaced by FISMA. Under this law, all US government agencies had to implement an
information security program consisting of planning, evaluation and security.

FISMA differs from GISRA in many significant ways. One of the major differences is that
GISRA did not include compulsory INFOSEC standards, whereas these standards are included
in FISMA. Under FISMA, each and every agency must have a regular audit process, and this
process must comply with the requirements of NIST.

FISMA’s eight requirements:

The eight requirements of FISMA described below form the basis of a good model for
business information security programs.

The first requirement concerns risk assessment on a periodic basis. This is very important
for dealing with future risks that may arise and harm the system.

The second requirement deals with the implementation of risk-based policies.
Implementing these policies ensures end-to-end security of information across the
organization. These policies are also cost-effective.

The next requirement is the implementation of system security plans. A security plan
describes an abstract layout of the security requirements of the existing system. This
helps in finding the loopholes in the system, so that a model can be planned that controls
things in a better way.

Mandatory security training for employees is also one of FISMA's requirements. Employees
receive training on the security of the system, on their role and responsibility toward the
organization, and on how they can help to improve the security of the organization.

All security policies and plans across the organization are tested on a regular basis to
check whether the company is following the planned security policies. This helps in
maintaining the security baseline at regular intervals.

A plan of action is required in case of errors or system downtime. This helps in finding
the errors and risks in the existing system, so that a proper plan of action can be
designed to close the security flaws in the system.

A security incident reporting method is also required. With a reporting plan in place,
issues are reported directly and straight away to the person concerned, so the right action
can be taken at the right time, which in turn helps to improve the security of the
organization.

Disaster management is also part of this plan. It helps the system to keep running smoothly
even in the case of a disaster. After the disaster recovery process is carried out, the
system is restored to its previous safe state. This reduces the security risks to a great
extent.

We can therefore say that the above requirements form a good basis for a robust business
information security plan.

Low grades of many federal agencies:

Although FISMA has mandated policies for strengthening information security across the
federal government, there are still many federal agencies that have not scored well on the
Federal Computer Security Report Card. This is because of weaknesses in their information
systems and information security programs. The main reason is that these agencies do not
properly follow all the required rules and regulations. Sometimes they are lacking in their
audit process, do not take incident reporting systems seriously, do not implement a disaster
recovery system in the organization, or do not have any work-around documents in case of
system failures.

Federal government and industry:

The federal government has to comply with all officially authorized regulations and
guidance for maintaining the security of information and information systems. Government
organizations cannot ignore any of these rules and regulations, whereas industry need not
follow all of them and can define its own rules and policies regarding information and its
security.

Comparison of the classes and families of the minimum security control requirements to the
classes and control objectives of ASSERT's assessment questions:

There are differences between the specific security control categories and the assessment
questions. Not all issues are handled properly when the security controls are evaluated.
The questions should be aligned specifically to the categories, but this is not happening
as described in the report format. All possible scenarios must be taken into consideration
when assessing the security parameters.

Impact of ASSERT's questions on business:

ASSERT stands for Automated Security Self Evaluation and Remediation Tracking. It is a
tool that automatically checks the information and the system. All activities regarding
the information and access to it are monitored by ASSERT. Based on its analysis it creates
recovery plans, keeps track of the issues and the work-arounds applied to them, and then
creates a report that helps management to make better decisions. It is based on an Oracle
database integrated with Macromedia's ColdFusion.
