United States Department of the Interior
Federal Information Security Management Act (FISMA)
April 2008
Larry Ruffin & Joe Seger
Agenda

- FISMA: it's about enabling mission success through the protection of our sensitive agency information.
  - Federal Legislation & Directives
  - Big Picture
- Roles and Responsibilities
  - Mission Executives & Chief Information Officers
  - System Owners & Information System Security Managers
- Certification & Accreditation
  - Assessments, Audits, Evaluations and Testing
  - Plans of Action and Milestones
- Enabling Efficient Mission Delivery and Success
  - Mission Efficiency through Business and Information Technology Integration
  - Integrating Risk Management into the Enterprise
Federal Legislation & Directives - Driving IT Security Improvements

- E-Government Act of 2002 - Public Law 107-347: enhance management and promote e-Gov services and processes
  - Title III - FISMA: develop and maintain minimum controls to protect Federal systems
  - Section 208 - Privacy Provisions: protect the privacy of personal information
- OMB Circular A-130 (Office of Management and Budget): policy for the management of Federal information resources
  - Requires protection commensurate with risk and magnitude of harm
  - Requires that security's role be explicit in IT investments and capital programming
  - Appendix III - Security of Federal Automated Information Resources: minimum set of controls for Federal information security programs; requires a security plan for information systems; requires reviews of security controls
Big Picture

[Diagram: the agency Security Program sits at the intersection of the E-Government Act, FISMA and the Presidential Management Agenda. Program elements shown: C&A, CIRT, SAT, EPM, Assessments, CIP, EA (IS), Capital Planning, Patch Mgmt, System & Program POA&Ms, Asset Inventory.]

- E-Gov: enhance management and promote electronic Government services and processes
  - Establish a Federal CIO in OMB
  - Establish a framework of measures
  - Enhance citizen access to Government information and services
- FISMA (Title III of E-Gov): comprehensive framework to ensure effectiveness of system controls
  - Recognize the highly networked nature of Federal computing
  - Minimum controls required to protect Federal information
- PMA (Presidential Management Agenda):
  - Strategic management of human capital
  - Budget and performance integration
  - Competitive sourcing
  - Electronic Government
  - Improved financial management
- FISMA: the programs that make up a comprehensive security program. Protecting our critical infrastructure, responding quickly to incidents, educating the community, assessing ourselves, planning for security from the start, and of course documenting proof of what we have done and performing risk analysis and management through C&A. These are just a few of the elements that FISMA mandates, but how do we know it's effective?
- E-Gov: measures how well we are managing our e-business and how well our business is serving U.S. citizens. E-Gov mandates reporting on how well we are managing electronic services, but how do we know we are working toward the same goal as the rest of the Federal Government?
- PMA: managing human capital, budget and performance, competitive sourcing, and the financial services we provide is essential to carrying out an efficient, accurate, and effective mission, for which we are accountable. The electronic-Government mission is the common thread that runs through all missions. It supports them all, so it must be planned for, properly implemented, protected, and reviewed periodically, all in an efficient manner.
- Integration is the key to making this all work together and to optimizing resources.
Roles & Responsibilities

Mission Executives (Business Process Owners)
- Responsible for ensuring security controls commensurate with risk (they control the budget and the requirements)
- Missions require the deployment of systems before relevant IT security disciplines are defined, integrated, and standardized

Chief Information Officers
- Ensure compliance with security requirements while enabling the mission
- Provide assurance of security effectiveness
Roles & Responsibilities

System Owner
- Procures, implements, and integrates information systems
- Represents mission priorities and security requirements to the Designated Approving Authority (DAA), supporting risk-based decisions
- Makes judgments of reasonable risk based on independent advice

Information System Security Manager
- Ensures systems are certified and accredited
- Implements agency policies and standards
- Coordinates with system owners and business process owners
- Balances mission risk against IT security risks
Certification and Accreditation

Accountability for:
- Adequate safeguards and countermeasures are employed within information systems.
- Information system safeguards and countermeasures are effective in their application.
- Risk to organizational operations, assets, individuals, other organizations, and the Nation is explicitly understood and accepted by leaders at all levels.
Certification and Accreditation

Federal Information Systems
- An information system used or operated by an executive agency (of the federal government), by a contractor of an executive agency, or by another organization on behalf of an executive agency.
- Federal information systems process, store, and/or transmit federal information.
- Authorization decisions for federal information systems are an inherently federal responsibility and cannot be delegated to other than federal officials.
Certification and Accreditation

Accreditation Boundary
- All components of an organizational information system to be accredited by an authorizing official; excludes separately accredited systems to which the information system is connected.
- Defines the scope of protection for the organizational information system (i.e., what the organization agrees to protect under its direct control).
- Includes the people, processes, and technologies that are part of the information system supporting enterprise missions and business processes.
Certification and Accreditation

Four Phase C&A Process
1. Initiation Phase
2. Certification Phase
3. Accreditation Phase
4. Continuous Monitoring Phase

Expressed within the context of the NIST Risk Management Framework as follows…
C&A Risk Management Framework

[Diagram: the RMF as a cycle of eight steps, with CATEGORIZE as the starting point]
1. CATEGORIZE Information System (starting point)
2. SELECT Security Controls
3. SUPPLEMENT Security Controls
4. DOCUMENT Security Controls
5. IMPLEMENT Security Controls
6. ASSESS Security Controls
7. AUTHORIZE Information System
8. MONITOR Security Controls
Types of Controls

Management Controls
- Security Planning
- Risk Assessment
- System and Services Acquisition
- Certification, Accreditation, and Security Assessments

Operational Controls
- Security Awareness and Training
- Configuration Management
- Contingency Planning
- Media Protection
- Physical and Environmental Protection
- System and Information Integrity
- Incident Response
- System Maintenance
- Personnel Security

Technical Controls
- Access Control
- Auditing and Accountability
- Identification and Authentication
- System and Communications Protection
Assessments, Audits, Evaluations and Testing

Part of the IT Security Program
Plans of Action and Milestones

- Audit or Assessment Findings:
  - Identified vulnerabilities and weaknesses
  - Documented on program- or system-level POA&Ms
  - Corrective/mitigating action plans tracked to resolution

"I found a weakness!"
IT System Lifecycle

[Diagram: lifecycle phases Plan, Design, Build, Test, Deploy, Operate, Dispose, surrounded by the Mission and its stakeholders: Customers, Suppliers, Partners, Employees]
IT Security Lifecycle

[Diagram: lifecycle phases Plan, Design, Build, Test, Deploy, Operate, Dispose, with the security activities Identify Risks, Implement Controls, Inspect Controls, Resolve Weaknesses, and Monitor & Respond overlaid on the phases, and Capital Planning & Investment spanning the cycle]
Enabling Efficient Mission Delivery and Success

- "Baking-in" IT Security & Privacy Protections
  - Information security requirements must be considered first-order requirements and are critical to mission and business success.
  - An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.
Enabling Mission Efficiency through Information Technology

- Mission: provide what's needed to get the job done
- Challenge: meet mission and security needs and remain effective
  - Critical assets are frequently updated and customized
  - Business solutions require interconnections to internal and external systems
  - Security of interconnections relies on cooperation and integration

[Diagram: the Mission and its stakeholders: Customers, Suppliers, Partners, Employees]
NIST Computer Security Division & OMB Sites

- Computer Security Resource Center (CSRC) library: http://csrc.nist.gov/index.html
- Federal Information Processing Standard (FIPS) publications, FIPS 199 and 200: http://csrc.nist.gov/publications/fips
- Special Publications (SP) 800 Series (primarily 800-18, 34, 37, 47, 53, 53A and 60): http://csrc.nist.gov/publications/nistpubs/index.html
- OMB Memoranda M-07-19, M-06-19, M-05-15, M-04-25 and M-03-19: http://www.whitehouse.gov/omb/memoranda/index.html