Example of fisma compliance analysis.1
Download as DOCX, PDF1 like650 views
FISMA requires federal agencies to comply with eight categories related to information security: 1) conducting risk assessments, 2) establishing policies and procedures, 3) creating security plans, 4) providing security awareness training, 5) performing annual security testing, 6) developing remediation procedures, 7) implementing incident response procedures, and 8) creating contingency plans. Agencies must address these areas to detect and respond to security incidents, report attacks to US-CERT, and ensure system continuity through documented contingency plans tested annually. Risk assessments allow agencies to determine appropriate security based on potential harm from disrupted services.
Example of fisma compliance analysis.1
- 1. FISMA Requirements In preparing agencies for FISMA compliance, agency heads, in conjunction with CIOs and CISOs, must develop provisions according to eight broad categories: 1. Risk Assessments- we can help with a risk assessment of common high risk areas with an ISO Information Risk Pre- Assessment engagement. 2. Policies and Procedures 3. Security Plans 4. Security Awareness Training 5. Annual Security Testing 6. Remediation Procedures 7. SIEM Alerting: Incident Response Procedures FISMA requires each agency to develop or acquire sufficient capability to detect and respond to information security incidents within their agency. This includes the ability to mitigate the risks of attacks in progress. In an effort to foster collaboration and communication in pursuit of the goal of responding pro-actively to threats, FISMA specifies that agencies report all information security attacks to a central federal information security incident center, the US-CERT. This means that agencies must perform constant, vigilant scanning of all systems. 8. SIEM backup and restore: Contingency Plans FISMA requires every information system on the agency’s inventory to be subject to a documented plan containing procedures to ensure continuity of system operations in the event of a failure or system corruption. As part of the operational security controls for the system, such plans must also be tested annually. Additional Information: Risk Assessments Engagement Performing risk assessments is vital (in addition to being required) simply because they allow evaluating parties to determine the degree to which information security provisions are commensurate with the risk they are designed to mitigate. (FISMA requires that assessments be performed at least annually; however, the optimal frequency for a positive overall FISMA evaluation will vary from agency to agency.) Through the course of such assessments, agencies will be called upon to estimate the amount of harm that would be caused by disruption of its services. These risks are the cornerstone for many of the other required activities. Policies and Procedures Agencies will be called upon to formulate information security policies and procedures to cost-effectively mitigate the risk uncovered through the assessments described above. FISMA specifically calls for agencies to design policies and procedures that ensure that information security is addressed throughout the lifecycle of an information-technology system, and not simply as a final, quality control procedure performed prior to deployment. Security Plans FISMA requires agencies to draft plans which describe security measures that address specific system requirements and comply with policies and procedures. Such plans must take into account the guidelines issued by the National Institute of Standards & Technology (NIST). FISMA specifies that such plans must cover training (of both security professionals and intended users), incident response capabilities, contingency plans, remediation, and system configuration standards. Security Awareness Training Under FISMA, all agencies are required to offer ongoing security awareness training to all personnel, including contractors and all other users of the agency’s information technology systems. FISMA requires that such training acquaint participants with the risks associated with handling critical data and the responsibilities involved in providing effective security. Annual Security Testing FISMA calls for the evaluation of policies, procedures, and practices through annual testing of every information system on the agency’s inventory. FISMA requires that these tests be performed as often as necessary, based on the amount of risk such systems are designed to protect, but at least once a year. FISMA further requires that such testing include not only the technical controls of the system, but also management and operational controls. Remediation Procedures Agencies are required to track all security deficiencies identified through testing and monitoring and to measure remediation progress and effectiveness for every system regardless of its level of importance.