Complying With The Federal Information Security Act (FISMA)

Presentation transcript:

What is FISMA?
- Congress included FISMA as part of the E-Government Act of 2002 (http://thomas.loc.gov/bss/d107/d107laws.html).
- FISMA is the primary legislation that governs the required security activities associated with the Certification and Accreditation process.
- It sets forth specific requirements for security programs as well as an annual reporting requirement.
- As a DAA (Designated Approving Authority) you will be responsible for executive oversight of meeting the program and reporting requirements outlined on the following slides.

Purpose of FISMA
Bringing standardization to security control selection and assessment through:
- Providing a consistent framework for protecting information at the federal level.
- Providing effective management of risks to information security.
- Providing for the development of adequate controls to protect information and systems.
- Providing a mechanism for effective oversight of federal security programs.

FISMA Requirements
Federal agencies are required to establish an integrated, risk-based information security program that adheres to high-level requirements governing how information security is conducted within their agency. Agencies are required to:
- assess the current level of risk associated with their information and information systems
- define controls to protect those systems
- implement policies and procedures to cost-effectively reduce risk
- periodically test and evaluate those controls
- train personnel on information security policies and procedures
- manage incidents (incident response plan/process)

FISMA Dictates…
- Responsibilities of chief security officers.
- Actions required to assess risk.
- Actions required to mitigate risk.
- Security awareness training.
- Testing of security practices and controls.
- Procedures for responding to security issues.
- Procedures for business continuity.

FISMA and NIST
NIST provides detailed, in-depth guidance on FISMA. NIST guidance includes:
- Standards for categorizing information and information systems by mission impact.
- Standards for minimum security requirements for information and information systems.
- Guidance for selecting appropriate security controls for information systems.
- Guidance for assessing security controls in information systems and determining security control effectiveness.
- Guidance for certifying and accrediting information systems.

NIST FISMA-Related Publications
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- NIST Special Publication 800-18, Rev 1 (Security Planning)
- NIST Special Publication 800-30, Rev 1 (Risk Management)
- NIST Special Publication 800-37 (Certification & Accreditation)
- NIST Special Publication 800-53 Rev 3 (Recommended Security Controls)
- NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
- NIST Special Publication 800-60 (Security Category Mapping)

FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems
- The standard used by federal agencies to categorize information and information systems, with the objective of providing appropriate levels of information security according to a range of risk levels.
- Information systems are categorized as Low, Moderate, or High risk systems based on the Confidentiality, Integrity, and Availability security requirements necessary to protect the data/information processed, stored, or transmitted by the information system.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- Provides minimum information security requirements for information and information systems in each security category defined in FIPS 199.
- Requires the use of NIST SP 800-53 for the baseline security control requirements.

NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems
Establishes a six-step Risk Management Framework for Federal Information Systems:
1. Categorize the Information System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize the Information System
6. Monitor the Security Controls
Applicable to non-national security information systems as defined in the Federal Information Security Management Act of 2002.

NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
Defines the format and content for Security Plans, as required by OMB Circular No. A-130. The main functions of the Security Plan include:
- Providing an overview of the system's security requirements
- Describing the controls in place or planned for meeting those requirements
- Delineating the responsibilities and expected behavior of all individuals who access the system
- Documenting the structured process of planning adequate, cost-effective security protection for the system

NIST SP 800-30 Rev 1, Risk Management Guide for Information Technology Systems
Definitional and practical guidance on the concept and practice of managing IT-related risks. Risk management provides a balance between operational objectives and the economic costs of protective measures by:
- better securing the IT systems that store, process, or transmit organizational information;
- enabling management to make well-informed risk management decisions that justify the expenditures;
- assisting management in authorizing (or accrediting) the IT systems.

NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems
- Provides instructions, recommendations, and considerations for government IT contingency planning.
- Provides specific contingency planning recommendations for seven IT platforms.
- Covers strategies and techniques common to all systems.

NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations
- The purpose of NIST Special Publication 800-53, Rev 3 is to provide guidelines for selecting and specifying security controls for information systems…
- Applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.
- Broadly developed from a technical perspective to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems.
- Provides guidance to Federal agencies until the publication of FIPS Publication 200, Minimum Security Controls for Federal Information Systems.

NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems
- Provides standardized techniques and procedures to verify the effectiveness of security controls.
- Provides a single baseline verification procedure for each security control in SP 800-53 Rev 3.
- Allows additional verification techniques and procedures to be applied at the discretion of the agency.

NIST SP 800-60 Vol I and Vol II, Guide for Mapping Types of Information and Information Systems to Security Categories
- Provides guidelines recommending the types of information and information systems to be included in each category of potential security impact.
- Assists agencies in mapping security impact levels consistently to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
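The FIPS 199 categorization described on the FIPS 199 and FIPS 200 slides, fed by the per-information-type impact levels that SP 800-60 is used to assign, carried through as an added example in Python (not code from the presentation). It applies the FIPS 199 high water mark rule, which the slides name only implicitly: each information type gets a potential impact for confidentiality, integrity and availability; the system's security category is the highest value per objective across every information type the system processes, stores or transmits (floored at Low, since a system can never be "not applicable"); and the overall impact level, the highest of the three objectives, is what FIPS 200 uses to select the SP 800-53 Low, Moderate or High baseline. The information types and their impact values are constructed for illustration and are not taken from SP 800-60; the class and function names are my own.

```python
"""FIPS 199 security categorization with the high water mark rule.

Added example, not from the presentation. The sample information types and
their impact values below are constructed; an agency would start from the
provisional impact levels in NIST SP 800-60 Vol II and adjust them.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high water mark."""
    NOT_APPLICABLE = 0  # permitted only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its FIPS 199 security category."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199: "not applicable" may be assigned to confidentiality only
        # (information already released to the public); integrity and
        # availability always carry at least a LOW potential impact.
        for objective in ("integrity", "availability"):
            if getattr(self, objective) == Impact.NOT_APPLICABLE:
                raise ValueError(f"{self.name}: {objective} cannot be not-applicable")

    def security_category(self) -> dict:
        return {objective: getattr(self, objective) for objective in OBJECTIVES}


def system_security_category(info_types) -> dict:
    """High water mark per objective across all information types handled by
    the system. A system cannot be N/A for any objective, so each objective
    is floored at LOW even if every information type is public."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(getattr(t, objective) for t in info_types)
        category[objective] = max(highest, Impact.LOW)
    return category


def system_impact_level(category) -> Impact:
    """Overall impact level used by FIPS 200: the high water mark across the
    three objectives, which selects the SP 800-53 low/moderate/high baseline."""
    return max(category.values())


def format_sc(name, category) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, x), ...}."""
    parts = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample: a hypothetical benefits-processing system that handles
# three information types. Values are illustrative, not from SP 800-60.
SAMPLE_TYPES = [
    InformationType("public program information", Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    InformationType("beneficiary PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("payment disbursement", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
]


def categorize_sample():
    """Categorize the constructed sample system; returns (category, overall level)."""
    category = system_security_category(SAMPLE_TYPES)
    return category, system_impact_level(category)


if __name__ == "__main__":
    for info_type in SAMPLE_TYPES:
        print(format_sc(info_type.name, info_type.security_category()))
    category, level = categorize_sample()
    print(format_sc("benefits system", category))
    print("FIPS 200 baseline to select from SP 800-53:", level.name)
```

For the constructed sample the system category comes out as (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE), so the single HIGH on integrity from the payment type drives the whole system to the High baseline; that is the practical consequence of the high water mark rule that the categorization step decides before any control is selected.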

SUMMARY
Key activities in managing enterprise-level risk (risk resulting from the operation of an information system):
- Categorize the information system
- Select a set of minimum (baseline) security controls
- Refine the security control set based on risk assessment
- Document the security controls in the system security plan
- Implement the security controls in the information system
- Assess the security controls
- Determine agency-level risk and risk acceptability
- Authorize information system operation
- Monitor security controls on a continuous basis

QUESTIONS?

LARRY CHMIEL Security and Privacy Consulting, LLC larry@securityandprivacyconsulting.com 813-838-2689