Auditors find that the SEC's IT office documented and incorporated National Institute of Standards and Technology patch requirements in its policies and procedures but that guidance wasn't always followed.
"Managing risk with regard to information systems and security sometimes doesn't go to the highest levels and that's why the risk framework is a way to get senior leaders involved early in the process," NIST senior computer scientist Ron Ross says.
The Protecting Cyberspace as a National Asset Act also would replace paper-based FISMA compliance with continuous monitoring of technology systems and with assaults by "friendly hackers" to test IT vulnerabilities.
The $60 million settlement announced by Heartland Payment Systems and Visa on Friday didn't come without some provisions (translated: strings attached) for those institutions thinking about taking the settlement offer.
Congress should consider enacting legislation allowing the government to regulate how the private sector handles and stores data to battle the growing problem of data breaches, Rep. Yvette Clarke says.