The US Government Accountability Office has released its Information Security Best practices.
The resource has been designed specifically for federal agency managers, and is part of a collection of IT best practice resources that provide a sound foundation for information technology management. Available resources include best practices for Information Security, IT Strategic Planning, Enterprise architecture, IT investment management.
In the US, the Federal Information Security Management Act (FISMA) 2002 requires federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The Best Practice report recommends agencies should:
- Periodically assess risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information and systems.
- Develop risk-based policies and procedures that cost-effectively reduce information security risks throughout the life cycle of information systems
- Develop subordinate system security plans for adequate security of networks, facilities, and systems or groups of information systems
- Provide appropriate security awareness training to personnel, including contractors and other users of information systems that support the operations and assets of the agency
- Test and evaluate the effectiveness of information security policies, procedures, and practices with a risk-based frequency, but no less than annually
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in information security policies, procedures, and practices
- Have procedures for detecting, reporting, and responding to security incidents
- Have plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
- Develop, maintain, and annually update an inventory of major information systems.
The Federal Information Security Management Act, forms part of the E-Government Act (2002) which recognises the importance of information security to the economic and national security interests to the United States.