Information Security: Impacts of Leadership and Organizational Culture

摘要

Since the early 1970s computer security has been the focus of many researcher's efforts (Bell and Lapadula, 1976). Following the terrorist attack of 9/11, Congress and the Executive Branch reemphasized the need for security in general and information or cyber security in particular. The E-Government Act of 2002 (Public Law 107-347) kicked off a new national strategy for information security that built upon the previous laws. On October 30, 2000, the President signed into law the Fiscal 2001 Defense Authorization Act (Public Law 106-398), including Title X, subtitle G, "Government Information Security Reform Act (GISRA)". GISRA brought together existing IT security requirements in previous legislation. This included the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Reform Act of 1996 (Clinger-Cohen). Additionally, GISRA enacted in statute existing OMB IT security policies found in OMB Circular A-130 on IT management and OMB budget guidance in Circular A-11. GISRA integrated long-standing IT security requirements. GISRA also introduced new review and reporting requirements and defined a critical role for agency Inspectors Generals in independently evaluating the agency's IT security. In March 2002 the Director of NIST, in congressional testimony, discussed the ongoing need for attention at all levels within the government to information security (Bement, 2002). The GISRA information security requirements were institutionalized when the President signed E-Government Act of 2002 on December 17, 2002. Title III of that act is called the Federal Information Security Management Act (FISMA). FISMA requires Federal agencies to annually evaluate and assess the status of the security of their information systems according to requirements established by the Office of Management and Budget (OMB), which administers the Act.