Information security refers to the process of safeguarding information from unauthorized access, use, disclosure, inspection or destruction. Information security standards are the policies and practices laid down by an organization to protect information security. Some of these standards are mandatory documents, while others are optional. This study identifies the standards used by NASA (National Aeronautics and Space Administration), comparing and contrasting them with similar standards in other organizations. It also describes the impact of these technical standards on the information security programs of the organizations.
Information security at NASA
In preparing and creating its information security programs and policies, NASA provided for the effective and standardized dissemination of information about its activities while withholding from public scrutiny information classified to protect national security (NASA, 2011). In modernizing its information security programs, NASA tried to phase out the paper-based procedure. Organizations are required to have their methods licensed and recognized under the “Federal Information Security Management Act” (FISMA). When NASA created its information and other security policies, it incorporated the FISMA legislation. FISMA was enacted in 2002 in acknowledgement of the U.S. need to advance information security in order to safeguard resources and protect the national security and economic interests of the state (NASA, 2011). FISMA draws on other principles and frameworks, including those of the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS).
NASA has made FISMA compliance mandatory. A FISMA evaluation points out the areas where an organization does not conform to NIST or FISMA standards and states the areas to be remedied (NASA, 2011). FISMA describes information security as safeguarding information and information systems from unauthorized access, use, modification, disruption or destruction (NASA, 2011). In addition, FISMA recommends continuous assessment of the risks that could compromise information security. It also offers flexibility in how security controls are presented. To let NASA implement its policies, FISMA allows responsibilities to be assigned to operational roles. NASA's senior management has established an information security program with its own independent roles. It established satellite and support centers so that its internal structures can be used to achieve the goals and responsibilities mandated in the policy. NASA has implemented a strategy for managing risk. This strategy emphasizes risk management as its basis, together with constant assessment of information security policies, modernization of security objectives, monitoring, and implementation of security measures. The most important feature of this framework is that security measures are operated and weighed against the information security policies and their influence, which could otherwise compromise the objective of the whole strategy (Grossman, 2007).
The “National Institute of Standards and Technology” (NIST) is an agency that regulates information concerning national security. NIST builds standards and plans to help the agencies concerned implement information security measures in accordance with the FISMA act of 2002 (NIST, 2007). This helps agencies operate programs that are cost effective while protecting information and information systems. NIST issues a special publication that reports on research in information security and on progress made in the information security structures of government and educational organizations (NIST, 2007). According to NIST, there are various standards that can be applied to achieve effective management of information security programs. NIST has introduced an update to the special publication that includes a new version of the security controls, guidance, and improvements intended to strengthen the control selection process. It focuses mainly on the security of web applications, interactive networking media, privacy, the process of supplying security, emerging threats, and the procedures that control the system, among others.
Another NIST recommendation is to reduce the security controls applied to systems that have a lower impact on the organization when reviewing security controls. It also incorporates measures that seek to show that the level of security matches the level NIST recommends. It also standardizes security requirements for the systems of government and non-governmental organizations. These enhanced security controls include a simplified management system and enhanced controls aimed at monitoring emerging cyber threats. It also endorses prioritizing security controls during implementation, an improved security control structure, and guidance on applying risk management to information from external information systems. Updates and guidance are based on existing and upcoming cyber and information threats. Guidelines and security standards are put in place to harmonize FISMA standards with other global security standards (NIST, 2010).
When an organization plans to create an information security program, there are various standards that can be applied. Standards are rules put in place by those who create policies, and these rules must conform to the applicable policies.
In addition to FISMA, NASA has laid down other standards pertaining to the protection of information security. Under its privacy notice, NASA states that information obtained from an individual will be used in issuing badges. If a person does not provide Social Security identification, it becomes hard to issue a badge. This hinders the performance of assigned duties, since disclosure of this identity is mandatory. Information pertaining to security violations is collected from various sources such as security searches, witnesses, and guards' reports, which can sometimes be compromised. This can put information security standards into disarray (NASA, 2011). This contrasts with an organization that has an elaborate procedure for collecting security information. NASA states clearly that personal information will not be obtained from children. Other organizations do not have clear guidelines on how information should be obtained, which makes their security information questionable.
NASA provides for a five-year retention period for information. After this, the information is extracted from the data system and the data is overwritten so that the media can be accessed. NASA does not have a follow-up mechanism to ensure that data held on other media is fully destroyed. This data may be used in bad faith. Also, if a need arises to use information beyond the five-year period, it will not be available. NASA does not give individuals the ability to regulate the use of information collected from them. This is not good, because it is not right to deny a person the right to regulate their personal information. NASA may publish information about an individual by which the person may feel offended. This is against human rights (Grossman, 2007).
Some organizations do not have elaborate measures laid down to conduct the process of program control effectively. Some do not have proper identification documents. The process of vetting applicants is not detailed. The concept of separation of duties is not observed in some of them. This can lead to an inefficient information security process (Grossman, 2007). NASA, however, has largely elaborate measures to counteract this. Issuance of badges, cross-examination of applicants, and separation of duties ensure smooth operation of the whole program.
It is of utmost importance that organizations scrutinize various practices when creating their information security programs and policies. An organization should consider the most effective standards when creating an information security program and should take the mandatory ones into consideration. Identifying and describing these technical standards is essential. This will aid the organization in consolidating its information security program. It will also ensure that control of the information security program is safeguarded.
Grossman, J. (2007). Cross-site Scripting Attacks. Boston, MA: Syngress.
NASA (2011). Information Technology Security Program (NPR). Available at: www.nasa.gov
NIST (2003). Federal Information Security Management Act (FISMA) Implementation Project. Available at: http://csrc.nist.gov/publications/