Information security is a critical detail of any government seeking to insure its economic growth and national security. With the revolution of technology, globalization, and the advent of the internet, a new crime has emerged waging war on a virtual front in the form of cyber attacks. Consequently, the government has to deal with the ever-increasing threats including defacement of websites, viruses, worms, unauthorized access, server hacking, data leakage, and control system attacks among others.
The downside of all these interferences is that a lot of vital information continues to be relayed, and preserved in government servers, information that would be lethal in the wrong hands, or at least very costly, for instance, financial information, or health insurance data, or any other confidential information. To ensure that this does not happen, the government, over the years, has put in place stringent regulations meant to protect such vital information. These regulations apply mostly to federal agencies, their contractors, and other organizations that may be working on behalf of executive agencies.
Moreover, the government has strategically put in place oversight bodies meant to orchestrate the securing of information and information systems throughout the United States. Examples of these oversight bodies include the Office of Management and budget policies (OMB), the National Institute of Standards and Technology (NIST), the Government Accountability Office (GAO), and the Federal CIO (Chief of Information) Council among others. The result is a well-knit framework of effective regulations and well-run oversight organizations working in harmony to secure confidential and otherwise sensitive information in the USA, which in turn ensures a stable economy by making the country secure for investors to contract their businesses.
The regulations in place to ensure information security are numerous. Government officials began to secure the information systems as far back as 1977 when President Jimmy Carter approved the PD NSC-24 on November 16. This regulation established the National Telecommunications Protection Policy, which, “protected unclassified information (which would be useful to an adversary) transmitted by and between government agencies and contractors.” (Bowen, Chew, & Hash, January 2007, p. 8)
In addition to that, this policy established the position of an Executive Agent for communications Security (COMSEC) and provided that the Secretary of Defense would hold that post. The only bit of information not covered under this policy was national security information. The next crucial regulation was the Executive Order EO 12958-President William J. Clinton (April 17, 1995). This policy “inscribes a uniform system for classifying, safeguarding and declassifying national security information.” (Bowen, Chew, & Hash, January 2007, p. 11)
This covered the gap in national security that Carter’s policy did not cover. Additionally, it defined classification levels (Section 1.3) and classification categories (Section 1.5), which define what information is eligible for classification. Following closely was an amendment of this policy by President George W. Bush, which took the form of Executive Order EO 13292 in March 25, 2003. This policy added to the former’s ambit information relating to defense against transnational security. It is important to note that in 2002, the White House Chief of Staff; Andrew H. Card submitted a memorandum to all heads of executive departments and agencies wit regard to the “safeguarding and protection of sensitive homeland security information.” (Bowen, Chew, & Hash, January 2007, p. 13)
The recipients of that memorandum were expected to re-examine the existent information security policies and execute the necessary changes with regard to “weapons of mass destruction as well as other information that could be misused to harm the security of the nation and the safety of US citizens.” (Bowen, Chew, & Hash, January 2007, p. 14) In 1947, the International Organization of Standardization (ISO), a non-governmental international body, working in tandem with the International Electro-Technical Commission (IEC) and the International Telecommunication Union (ITU) came up with generalized provisions meant to govern Information and Communications Technology Standards (ICT).
One such regulation is the ISO / IEC 27002: 2005 (Code of Practice for Information Security Management). The name of this regulation indicates that by this time, information security had become revolutionized and the government was now recording progress from establishing information security protocol to now managing the same. The next step on this ladder was the formulation of legislative regulations. Following major scandals in the United States such as Enron and Worldcom, investors began to lose faith in the US government’s ability to ensure information security through toothless regulations. To assuage their worries, the government signed in the Sarbanes-Oxley Act in 2002.
The main objective of this Act was the protection of investors. It achieved this by “improving on the accuracy and reliability f corporate disclosures made pursuant to the securities laws and for their purposes.” (Buchalter, Gibbs, & Marieke, September 2004, p. 32) As a result, many other laws were strengthened and the standard of security as pertained confidential business information rose. The scope of this Act ranged over all the companies listed on the stock exchange. The government enacted the Information Technology Management Reform Act also known as the Clinger-Cohen Act in 1996. This Act was intended to supplement the Paperwork Reduction Act of 1995, which required agencies to perform their information resource management “efficiently, effectively, and economically.” (Buchalter, Gibbs, & Marieke, September 2004, p. 23)
To ensure that they did so, the OMB Circular No-130: Management of Federal Information Resources followed shortly. In its supplementary role, the Clinger-Cohen Act creates a comprehensive framework to govern the acquisition and management of federal agencies’ information resources. In the health sector, regulatory legislation began in 1996 with the enactment of the Health Insurance Portability and Accountability Act. The purpose of this Act was to, “improve portability and continuity of health insurance coverage in both group and individual markets while combating waste, fraud, and abuse in health insurance and health delivery.” (The Government of HKSAR, Feb 2008, p. 2)
This Act defines security standards for healthcare information. It is notable that it also provides for other factors in play, including: the technical capacities of record systems that manage the information; the estimated cost of putting in place security measures; the need to train security personnel; the invaluable nature of audit trails in computerized record systems; and the needs of small-scale healthcare providers. Still in 2002, the government enacted the Federal Information Security Management (FISMA) Act as a part of the E-Government Act, 2002.
The interesting factor characteristic of this Act is that it only applies to information systems operated by the US federal agencies, their contractors, or any other organization that is acting on behalf of the federal agencies. Among other things, it requires them to “develop, document, and implement an agency-wide program to provide information security for the information and information systems supporting the operations and assets of the agencies.
The other requirements include risk management of information security systems with the am of reducing risks to an “acceptable” level, budgeting for information security equipment and training, and putting in place a tested / workable security incident handling procedure. The E-Government Act, 2002 was passed by one hundred and seventh of congress and it promotes a better use of the internet and other information technology resources. The purpose of doing so is to better government service to citizens, improve on internal government operations, provide citizens with an opportunity to participate in government processes, and to regulate the responsibilities of various federal agencies.
As part of the regulation procedure, the Act requires agencies to: comply with FISMA provisions as indicted in Title III of the Act, support government-wide e government initiatives, and to co-operate across the agencies to further Federal Enterprise Architecture Objectives (The Government of HKSAR, Feb 2008, p. III). Finally, this Act tasks NIST with the burden of developing Security Standards and guidelines for the federal government. The Federal Information Processing Standards Publication (FIPS) is a series of the National Institute of Standards and Technology, (NIST) (U.S. Office of Management and Budget, 25, p. 6). Its main objective is to address standards set out by FISMA.
It is important to note here that FIPS publications are compulsory and binding to all federal government agencies (U.S. Office of Management and Budget, 25, part xiii). Examples of its publications include FIPS PUB 201-1 Personal Identification Verification (PIV) of Federal Employees and Contractors, and the FIPS PUB 200; Minimum Security requirements for federal Information and Information Systems.
The latter applies across 17 security-related areas, which include but are not limited to access control, awareness and training, audit and accountability, certification, accreditation, and security assessment, contingency planning, identification and authentication, and incident response. Finally, NIST Special Publications 800 Series issue guidance documents and recommendations to federal agencies. They also report on ITL’s research and guidelines on computer security. Such new developments keep federal agencies abreast with the information security sector. However, NIST publications are not mandatory or binding unless so specified by the OMB
References
Bowen, P., Chew, E., & Hash, J. (2007). Information Security Guide For Government Executives (NISTIR 7359). Gaithersburg, MD: National Institute of Standards and Technology, NIST.
Buchalter, A., Gibbs, J., & Marieke, L. (2004). Laws and Regulations Governing the Protection of Sensitive but Unclassified Information. Washington, D.C.: Federal Research Division Library of Congress.
The Government of HKSAR. (2008). An Overview of Information Security Standards Security Standards. Hong Kong: The Government of the Hong Kong Special Administrative Region.
U.S. Office of Management and Budget. (2003). Circular No. A-130. Web.