Wave Systems Corp. (fka WAVXQ)

[rooster1]

Seven policies to watch in 2007
http://www.gcn.com/print/26_01/42897-1.html

Data security

Impact in 2007: Agencies can expect more support this year from the National Institute of Standards and Technology to help assess the effectiveness of IT security controls.

NIST will publish procedures in a document, 800-53A, which will be a companion piece to updated guidelines published last month for selecting and specifying security controls to comply with the Federal Information Security Management Act, said Ron Ross, NIST’s senior computer scientist.

The guidance documents build on mandates from the Office of Management and Budget in the wake of a wave of lost and stolen notebook PCs that put personal data at risk at a number of agencies, most spectacularly at the Veterans Affairs and Commerce departments.

NIST will release a draft of the procedures in March and finalize it by July, Ross said.

“We’re trying to deal with the security problem by establishing a common language for specifying and assessing security. It provides enough structure so we’re all focusing in the same direction, but it doesn’t lock you in so tightly that agencies can’t have flexibility to deploy the controls and assess them in accordance with their own operational environment,” he said.

Agencies this year should expect an increased emphasis on two-factor authentication at key locations within the IT infrastructure, such as at network boundaries.

Agencies also can expect more attention to building trust relationships to assure security controls at vendors; restrictions on systems that federal employees can access or use when telecommuting or traveling; and greater boundary protection, such as cordoning off some critical data into subnets, Ross said.