FLRA Inspector General FY 2004 Evaluation of FLRA’s Compliance With The Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 requires Inspectors General to perform annual independent evaluations of Agency security programs and practices.

Expanding regulatory compliance and heightened security mean companies must adopt a strategic approach to security risk management. The status quo has changed. For years, organizations took a tactical approach to security. IT detected vulnerabilities and threats and reacted to attacks. But today, companies realize that they can't cost-effectively protect themselves from every single security threat. Expanding regulatory pressures mean organizations must demonstrate the steps they have taken to reduce risks. Organizations must decide on an acceptable level of risk that meets their business needs and ensures compliance with regulations.

"IT security organizations must transition from the old model of protecting the company as much as possible with the available funding, to the new risk management model in which conscious risk trade-offs are made based on requirements," advises Gartner Research in its "Risk Assessment Approaches for IT Security Risk Management" report written in January 2006. "Companies must accept that they can't protect themselves from everything, so they have to make decisions about what they can protect themselves from," the analysts
conclude.

Copyright 2007 eBackup Pros.