2 cissp ® Official Study Guide Eighth Edition


National Information Infrastructure Protection Act of 1996



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

National Information Infrastructure Protection Act of 1996
In 1996, Congress passed yet another set of amendments to the Computer Fraud and Abuse Act designed to further extend the protection it provides. The National Information Infrastructure Protection Act included the following main new areas of coverage:

Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce

Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits

Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony

Federal Information Security Management Act
The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency’s operations. FISMA also requires that government agencies include the activities of contractors in their security management programs. FISMA repealed and replaced two earlier laws: the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000.

The National Institute of Standards and Technology (NIST), responsible for developing the FISMA implementation guidelines, outlines the following elements of an effective information security program:

Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization

Policies and procedures that are based on risk assessments, cost-effectively reducing information security risks to an acceptable level and ensuring that information security is addressed throughout the lifecycle of each organizational information system

Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate

Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks



Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually

A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization

Procedures for detecting, reporting, and responding to security incidents

Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization

FISMA places a significant burden on federal agencies and government contractors, who must develop and maintain substantial documentation of their FISMA compliance activities.
