Federal Information Security Management Act An IG Perspective ...



1. Federal Information Security Management Act: An IG Perspective
   February 2, 2004
   Presented To: The President's Council on Integrity and Efficiency, Information Technology Round Table
   Presented By: Russell A. Rau, Assistant Inspector General for Audits, Office of Inspector General, Federal Deposit Insurance Corporation

2. Agenda
   - FISMA: An IG Approach
   - 2004 Issues
   - Future Issues
   - Challenges Facing IG Auditors
   - New FISMA Working Group
   - Questions and Answers

3. FISMA: An IG Approach
   - Multi-year strategy for auditing the agency information security program
     - Strategy addresses the security program framework defined by FISMA
     - Audits conducted throughout the year are risk-based and support the multi-year strategy
   - FISMA evaluation led by in-house staff
   - Contractor supports IG work by testing selected IT technical controls

4. FISMA: An IG Approach: Targeted Audits Supporting FISMA
   2002
   - Physical Security
   - Contractor Security
   - Capital Planning
   2003
   - Network Security (multiple reviews)
   - Incident Response
   - Patch Management
   - Risk Assessment
   - Personnel Security
   - IT Strategic Planning
   - Contractor Security Follow-up
   2004
   - Public Key Infrastructure
   - Disaster Recovery
   - Data Sensitivity
   - Physical Security
   - Network Perimeter Security
   - Capital Planning & Investment Control
   - Outside Agency Connections
   - Configuration Management

5. FISMA: An IG Approach: Evaluation Scope and Methodology
   - Government Auditing Standards
   - Reliance on prior audit and evaluation reports
   - Independent testing and evaluation procedures
   - Identified 10 key management controls associated with successful information security programs
   - Key management controls based on federal laws, regulations, and guidelines
   - Key management controls assessed using a traffic light scorecard tool

6. FISMA: An IG Approach
   - Government organizations such as GAO, OMB, and NIST have identified fundamental management controls needed for effective information security.
   - These management controls are abstracted from long-standing requirements found in statutes, policies, and guidance. They cover topics such as:
     - Risk Management
     - Security Control Reviews
     - Contingency Planning
     - Access Controls
     - Incident Response

7. FISMA: An IG Approach
   - Fundamental security management principles and controls can be found in:
     - NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
     - NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
     - NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
     - GAO Executive Guide, Information Security Management: Learning From Leading Organizations
     - FISMA and OMB Circular No. A-130 Appendix III

8. FISMA: An IG Approach: Scorecard
   Scorecard columns: Management Control Area | Establishment of Controls | Implementation of Controls
   Management control areas (rows):
   - Security Responsibilities and Authorities (B.1)
   - Security Performance Measures (B.3 & B.4)
   - Integration of Security Activities (B.5 & B.6)
   - Protection of Critical Assets and Operations (B.7)
   - Computer Security Incident Response (B.8 & B.9)
   - Information Security Risk Management (C.1)
   - Contractor and Outside Agency Security (A.2a-b)
   - Security Oversight (A.4, B.2, & C.2)
   - Security Training (C.3)
   - Capital Planning and Investment Control (C.4)
   - Overall Assessment

9. FISMA: An IG Approach
   - Scorecard assessments based on assurance of adequate security:
     - Green (Reasonable Assurance)
     - Yellow (Limited Assurance)
     - Red (Minimal/No Assurance)
   - Assessments require professional judgment
   - Scorecard provides a simple and effective method to communicate complex results
   - Management actions to address scorecard results
     - Performance measures to improve FISMA ratings
     - Established a subcommittee of the Audit Committee
     - "Getting to Green" Initiative

10. FISMA 2004 Issues
   - Leveraging Agency Reviews
     - Placing greater reliance on CIO and agency program reviews
     - Providing independent assurance of agency FISMA submissions
   - Integrating FISMA evaluation and financial statement audit work
     - Relying on FISMA results to obtain an understanding of internal controls
     - Planning financial statement audit work based on FISMA results

11. FISMA 2004 Issues
   - Contractor Security
     - Auditing major contractors that service multiple federal agencies
     - Verifying minimum security requirements of contractors, such as security planning, training, etc.
   - Enterprise Architecture Security Implications
     - Ensuring major IT projects use security solutions that comply with the agency enterprise architecture
   - Data Sensitivity
     - Categorizing data
     - Protecting sensitive data

12. FISMA 2004 Issues
   - Quantifying the Impact of Security Weaknesses
     - Considering the cost-benefit of proposed security enhancements
     - NIST FIPS 199 and Special Publication 800-60
   - Certification and Accreditation (NIST Special Publication 800-37)
   - Verifying the effectiveness of security controls required in federal information systems (NIST Special Publication 800-53A)

13. Future FISMA Issues
   - Timing of FISMA and Accountability Reports
   - Interagency Issues
     - Federal Bridge (Authentication and Encryption)
     - Federal Enterprise Architecture
     - Servicers that cross agency lines

14. Challenges Facing IG Auditors
   - How much audit work is enough?
   - How much is too much?
   - We can't fully evaluate everything every year!
   - At FDIC, we found a balance through a multi-year strategy of performance auditing.

15. Challenges Facing IG Auditors
   - Changing Criteria
     - Planned revisions to OMB A-130
     - Recently published NIST Special Publications:
       - 800-50, Building an IT Security Awareness and Training Program
       - 800-42, Guideline on Network Security Testing
       - 800-36, Guide to Selecting IT Security Products
       - 800-35, Guide to IT Security Services
       - 800-64, Security Considerations in the Information SDLC
     - And more to come...
       - Draft 800-53, Recommended Security Controls for Federal Information Systems
       - Draft 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
   - Impact of new technology, such as the wireless communications explosion

16. Challenges Facing IG Auditors
   - Impact of major events, such as the focus on disaster recovery following 9/11
   - Inconsistent application of standards
     - How does your agency define an information system?
     - What constitutes a material weakness?
     - How does your agency categorize information and information systems?
   - Growing importance of IG auditors being "technically capable" and possessing professional certifications

17. FISMA Working Group
   - Established for the IG community under the Federal Audit Executive Council
   - Promotes interagency coordination of information security and evaluation requirements established by FISMA
     - FISMA update conferences and training
     - Sharing lessons learned
     - Interacting with OMB, NIST, CIO Council and GAO
     - Coordinating on issues and initiatives that cross agency lines
     - For more information, contact Judy Hoyle at (202) 416-4088 or jhoyle@fdic.gov.

18. Questions and Answers