ABSTRACT

Additionally, FISMA’s emphasis on risk management has changed the role of the information security function from being security “traffic cops” who make decisions on how security is to be achieved to one more focused on enabling business through the provision of sound security advice. Hence, security is no longer simply a binary formulation. In a significant shift, there is now a requirement that information security specialists understand the role of risk in establishing business needs for security and enforce compliance with risk-based controls.