Information security is a very important element in an organization, because information is at the core of the organization. As a result, organizational leaders are required to be at the forefront in championing information security. Although the need for information security applies to all institutions, government institutions must play a leading role in it. This write-up explores some of the information security standards as they apply to the National Security Agency (NSA) or the Central Security Service (CSS). The essay begins by identifying the information security standards and then goes on to compare and contrast them.
Information Security Standards
There are various standards of information security in the country. These standards include OMB Circular A-130, FIPS PUB 200, the Privacy Act of 1974, ISO 27001 and NIST Special Publication 800-100. OMB Circular A-130 is a guideline from the government on the management of federal information resources. The Federal Information Processing Standards Publication (FIPS PUB 200) is yet another standard; it sets out the minimum security requirements for federal information and information systems. In addition, the Privacy Act of 1974 seeks to establish a code of standards for information practice in the collection, maintenance, dissemination and use of records. Lastly, ISO 27001 provides international best practices regarding information security.
Comparison of IS Standards
One of the most important roles of standards is to deliver some form of control. With regard to information, regulation plays a very important role in the success of government information planning. The NSA is likewise guided by the guidelines and standards of the various arms of government. OMB Circular A-130 makes several provisions: all federal information systems must have security plans, formal response capacities for emergencies, one person in charge of operational security, regular training for government administrators and users of the systems, regular reporting, and regular review and improvement of programs. According to Jeffry (2006), although OMB Circular A-130 and FIPS PUB 200 may converge on a wider goal, the latter prescribes minimum security requirements for bodies like the NSA. It covers awareness and training, access control, audit and accountability and configuration management, among other things.
The Privacy Act of 1974 also limits access to security information by unauthorized persons. Further, under this Act, NSA officials are forbidden from haphazard disclosure of records in the information system that have not been formally requested. The major difference between the standards set out by the Act and the two standards above is that, under the Act, the NSA is authorized by law to solicit and manage information regarding the security of the country and its persons. In other respects the provisions of this Act are very similar to the standards and guidelines set by OMB Circular A-130. For instance, both require training on security information management and both require continuous improvement to be entrenched.
The other very important standard for information security is ISO 27001. This standard was jointly created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In the context of the NSA, the standard seeks to harmonize the country's guidelines with international provisions. Its role appears to be one of oversight, while the roles of the other standards are operational. In the context of ISO 27001, the NSA implements the Plan-Do-Check-Act model and also takes into account the propositions of the OECD in 2002 on the security of information systems. The National Institute of Standards and Technology also produced an information security handbook, which was recommended to the U.S. Department of Commerce (Bowen, Hash & Wilson, 2006). The proposed standards are quite expansive in that they tackle information security governance, the system development life cycle, awareness and training, capital planning and investment control and security planning, among others. The major difference between these standards and the others is that they are quite expansive, including how the managers of information security should conduct themselves. The other major difference from all the other standards is that they include the aspect of risk management.
It has been shown that information security is indeed very important for any agency. The information security standards discussed were OMB Circular A-130, FIPS PUB 200, the Privacy Act of 1974, ISO 27001 and NIST Special Publication 800-100. It was established that OMB Circular A-130 and the Privacy Act of 1974 have much in common, perhaps because both originated from the federal government. Moreover, the NSA is also guided by international standards organizations such as ISO, as well as by other local standards. However, although the NSA has a wide range of standards to adhere to, it must develop its internal capacities through training, continuous evaluation and improvement.