<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Federal IT Security: The Future of FISMA</title>
	<atom:link href="http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/</link>
	<description>Security Wisdom Ahead of the Curve</description>
	<pubDate>Sat, 17 May 2008 19:29:54 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Ernest Rodgers</title>
		<link>http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/#comment-3957</link>
		<dc:creator>Ernest Rodgers</dc:creator>
		<pubDate>Sat, 26 Apr 2008 19:42:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/#comment-3957</guid>
		<description>I also agree with Mr. Kurtz that FISMA should be amended to recognize the Information Security Management System with the ISO-27000 standards.  This will include

Amending FISMA:2002 to change emphasis from OMB assessment of a written submission to 3rd Party Assessment of actual Information Security Management practices.

Adopting ISO-27000 certification as compliance to FISMA and reflected in meeting annual FISMA reporting requirements.  In between recertification assessments, this could be reduced to a simple annual one-page memo from the agency head to OMB rather than several hundred pages of documentation produced at tax-payer expense.

Spending time and money during interim certification periods to carry out plans for continuous improvement of information security management and reducing risks to information on federal systems from being lost, stolen, misused, or compromised in any way; and finally,

Using data to benchmark against other ISO-27000 certified organizations worldwide.</description>
		<content:encoded><![CDATA[<p>I also agree with Mr. Kurtz that FISMA should be amended to recognize the Information Security Management System with the ISO-27000 standards.  This will include</p>
<p>Amending FISMA:2002 to change emphasis from OMB assessment of a written submission to 3rd Party Assessment of actual Information Security Management practices.</p>
<p>Adopting ISO-27000 certification as compliance to FISMA and reflected in meeting annual FISMA reporting requirements.  In between recertification assessments, this could be reduced to a simple annual one-page memo from the agency head to OMB rather than several hundred pages of documentation produced at tax-payer expense.</p>
<p>Spending time and money during interim certification periods to carry out plans for continuous improvement of information security management and reducing risks to information on federal systems from being lost, stolen, misused, or compromised in any way; and finally,</p>
<p>Using data to benchmark against other ISO-27000 certified organizations worldwide.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bob West</title>
		<link>http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/#comment-3570</link>
		<dc:creator>Bob West</dc:creator>
		<pubDate>Tue, 17 Jul 2007 14:17:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/paulkurtz/2007/06/federal-it-security-the-future-of-fisma/#comment-3570</guid>
		<description>I agree with Paul's comments not only on the evolution of the CISO role but also on the adoption of 27001 as a framework.  

The CISO needs to be independent of a technology group to function effectively.  Similar to an audit or quality function, availability will trump any of these functions if these functions are part of the technology organization.  Security will fulfill its mission if it is reporting at the right level, in the appropriate area in an organization and given sufficient budget.  Security also needs to be led by someone who can act as a peer to the CIO, CFO etc. and truly understands how to influence an organization and manage relationships effectively.

Whether it's used in public or private sector organizations, the 27001 standard creates a known quantity similar to ISO 9000 or 9001 in the manufacturing sector.  My hope is that it is broadly adopted and can enable a transparent view of an organization's security posture.</description>
		<content:encoded><![CDATA[<p>I agree with Paul&#8217;s comments not only on the evolution of the CISO role but also on the adoption of 27001 as a framework.  </p>
<p>The CISO needs to be independent of a technology group to function effectively.  Similar to an audit or quality function, availability will trump any of these functions if these functions are part of the technology organization.  Security will fulfill its mission if it is reporting at the right level, in the appropriate area in an organization and given sufficient budget.  Security also needs to be led by someone who can act as a peer to the CIO, CFO etc. and truly understands how to influence an organization and manage relationships effectively.</p>
<p>Whether it&#8217;s used in public or private sector organizations, the 27001 standard creates a known quantity similar to ISO 9000 or 9001 in the manufacturing sector.  My hope is that it is broadly adopted and can enable a transparent view of an organization&#8217;s security posture.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
