
Complying with the Federal Information Security Management Act (FISMA)

Expert response from: Felicia Wetter

QUESTION POSED ON: 21 December 2006

Does the FISMA E-Government Act (P.L. 107-347) specifically require changing names/identifiers for personal data in databases and applications/screens?

For example, if "home phone" is considered personal data under this act, is changing its name/label in databases/systems to something like "other phone" to mask the personal nature of the phone number a good idea for compliance?

My customer's system security folks are thinking about changing names of personal data items to hide the personal/private nature of them. That does not make sense to me. I was wondering if changing a data name from SSN to something like GovAssignedIdNumber makes it more secure for compliance under this act.



I agree with your statement on this matter. Who cares if you change a table name if the actual private data is still available? FISMA does not explicitly require changing the names of personal data items in applications, nor does it recommend or require changing the label of data in a database. In fact, performing this type of action is like an extremely weak "security through obscurity" mechanism, and it really isn't obscure at all.

Even if you change the name from SSN to GovAssignedIdNumber, certain security controls still need to be applied in order to ensure the data is protected appropriately. The name assigned to the data is not relevant; instead, how the data is secured is the priority. When an assessment of the data is being performed, the assessor is not concerned with what the data is titled, but with how the data is protected. Therefore, even if you title "home phone" as "other phone", the assessor will still need to ensure that the appropriate security controls are in place in order to show compliance with FISMA.

