Continuously changing system configurations and attack methods make information system risk management using traditional methods a formidable task. Traditional qualitative approaches usually lack sufficient measurable detail on which to base confident, cost-effective decisions. Traditional quantitative approaches are burdened with the requirement to collect an abundance of detailed asset value and historical incident data and to apply complex calculations to measure the data precisely in work environments where there are limited resources to collect and process it.
To ensure that safeguards (controls) are implemented to protect against the majority of known threats, industry leaders are requiring information processing systems to comply with security standards. The National Institute of Standards and Technology (NIST) Federal Information Risk Management Framework (RMF) and the associated suite of guidance documents describe the minimum security requirements for non-national-security federal information and information systems as mandated by the Federal Information Security Management Act (FISMA), enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002. This study proposes using the Pathfinder procedure to mathematically model an information system's FISMA-required security control state and its actual security control state. A comparison of these two security control states using the proposed method will generate a quantitative measure of the actual system's compliance with the FISMA-required standard. The quantitative measures generated should provide information sufficient to plan a risk mitigation strategy, track system compliance with the standard, and allow system compliance with the FISMA-required standard to be discussed in terms easily understood by participants at various levels of an organization, without requiring all of them to have detailed knowledge of the internals of the security standard or the targeted system. The ability to clearly articulate system compliance status and risk mitigation requirements is critical to gaining the support of upper-level management, whose responsibility it is to allocate funds sufficient to support government security programs.
Advisor: Vaughn, Rayford B., Jr.
Committee: Dampier, David A.; Ramkumar, Mahalingam; Warkentin, Merrill; Wright, Margaret B.
School: Mississippi State University
Department: Computer Science and Engineering
School Location: United States -- Mississippi
Source: DAI-B 70/12, Dissertation Abstracts International
Subjects: Information Technology, Computer science
Keywords: Federal Information Security Management Act, Pathfinder networks, Risk analysis, Risk management, Secure architecture, Standards compliance
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved