Federal Information Security Management Act An IG Perspective ...
  • 1. Federal Information Security Management Act: An IG Perspective
    FEBRUARY 2, 2004
    Presented To: The President’s Council on Integrity and Efficiency, Information Technology Round Table
    Presented By: Russell A. Rau, Assistant Inspector General for Audits, Office of Inspector General, Federal Deposit Insurance Corporation
  • 2. Agenda
    • FISMA: An IG Approach
    • 2004 Issues
    • Future Issues
    • Challenges Facing IG Auditors
    • New FISMA Working Group
    • Questions and Answers
  • 3. FISMA: An IG Approach
    • Multi-year strategy for auditing the agency information security program
      • Strategy addresses the security program framework defined by FISMA
      • Audits conducted throughout the year are risk-based and support the multi-year strategy
    • FISMA evaluation led by in-house staff
    • Contractor supports IG work by testing selected IT technical controls
  • 4. FISMA: An IG Approach (Targeted Audits Supporting FISMA)
    • 2002
      • Physical Security
      • Contractor Security
      • Capital Planning
    • 2003
      • Network Security (multiple reviews)
      • Incident Response
      • Patch Management
      • Risk Assessment
      • Personnel Security
      • IT Strategic Planning
      • Contractor Security Follow-up
    • 2004
      • Public Key Infrastructure
      • Disaster Recovery
      • Data Sensitivity
      • Physical Security
      • Network Perimeter Security
      • Capital Planning & Investment Control
      • Outside Agency Connections
      • Configuration Management
  • 5. FISMA: An IG Approach
    • Evaluation Scope and Methodology
      • Government Auditing Standards
      • Reliance on prior audit and evaluation reports
      • Independent testing and evaluation procedures
    • Identified 10 key management controls associated with successful information security programs
      • Key management controls based on federal laws, regulations, and guidelines
      • Key management controls assessed using a traffic light scorecard tool
  • 6. FISMA: An IG Approach
    • Government organizations such as GAO, OMB, and NIST have identified fundamental management controls needed for effective information security.
    • These management controls are abstracted from long-standing requirements found in statutes, policies, and guidance. They cover topics such as:
      • Risk Management
      • Security Control Reviews
      • Contingency Planning
      • Access Controls
      • Incident Response
  • 7. FISMA: An IG Approach
    • Fundamental security management principles and controls can be found in:
      • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
      • NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
      • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
      • GAO Executive Guide, Information Security Management: Learning From Leading Organizations
      • FISMA and OMB Circular No. A-130 Appendix III
  • 8. FISMA: An IG Approach (scorecard of the 10 key management control areas; the colour ratings shown on the slide are not preserved in this text)

    | Management Control Area                                 | Establishment of Controls | Implementation of Controls | Overall Assessment |
    |---------------------------------------------------------|---------------------------|----------------------------|--------------------|
    | Security Responsibilities and Authorities (B.1)         |                           |                            |                    |
    | Security Performance Measures (B.3 & B.4)               |                           |                            |                    |
    | Integration of Security Activities (B.5 & B.6)          |                           |                            |                    |
    | Protection of Critical Assets and Operations (B.7)      |                           |                            |                    |
    | Computer Security Incident Response (B.8 & B.9)         |                           |                            |                    |
    | Information Security Risk Management (C.1)              |                           |                            |                    |
    | Contractor and Outside Agency Security (A.2a-b)         |                           |                            |                    |
    | Security Oversight (A.4, B.2, & C.2)                    |                           |                            |                    |
    | Security Training (C.3)                                 |                           |                            |                    |
    | Capital Planning and Investment Control (C.4)           |                           |                            |                    |
  • 9. FISMA: An IG Approach
    • Scorecard assessments based on assurance of adequate security:
      • Green (Reasonable Assurance)
      • Yellow (Limited Assurance)
      • Red (Minimal/No Assurance)
    • Assessments require professional judgment
    • Scorecard provides a simple and effective method to communicate complex results
    • Management actions to address scorecard results
      • Performance measures to improve FISMA ratings
      • Established a subcommittee of the Audit Committee
      • “Getting to Green” Initiative
  • 10. FISMA 2004 Issues
    • Leveraging Agency Reviews
      • Placing greater reliance on CIO and agency program reviews
      • Providing independent assurance of agency FISMA submissions
    • Integrating FISMA evaluation and financial statement audit work
      • Relying on FISMA results to obtain an understanding of internal controls
      • Planning financial statement audit work based on FISMA results
  • 11. FISMA 2004 Issues
    • Contractor Security
      • Auditing major contractors that service multiple federal agencies
      • Verifying minimum security requirements of contractors, such as security planning, training, etc.
    • Enterprise Architecture Security Implications
      • Ensuring major IT projects use security solutions that comply with the agency enterprise architecture
    • Data Sensitivity
      • Categorizing data
      • Protecting sensitive data
  • 12. FISMA 2004 Issues
    • Quantifying the Impact of Security Weaknesses
      • Considering the cost-benefit of proposed security enhancements
      • NIST FIPS 199 and Special Publication 800-60
    • Certification and Accreditation (NIST Special Publication 800-37)
    • Verifying the effectiveness of security controls required in federal information systems (NIST Special Publication 800-53A)
  • 13. Future FISMA Issues
    • Timing of FISMA and Accountability Reports
    • Interagency Issues
      • Federal Bridge (Authentication and Encryption)
      • Federal Enterprise Architecture
      • Servicers that cross agency lines
  • 14. Challenges Facing IG Auditors
    • How much audit work is enough?
    • How much is too much?
    • We can’t fully evaluate everything every year!
    • At FDIC, we found a balance through a multi-year strategy of performance auditing.
  • 15. Challenges Facing IG Auditors
    • Changing Criteria
      • Planned revisions to OMB A-130
      • Recently published NIST Special Publications:
        • 800-50, Building an IT Security Awareness and Training Program
        • 800-42, Guideline on Network Security Testing
        • 800-36, Guide to Selecting IT Security Products
        • 800-35, Guide to IT Security Services
        • 800-64, Security Considerations in the Information SDLC
      • And more to come…
        • Draft 800-53, Recommended Security Controls for Federal Information Systems
        • Draft 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
    • Impact of new technology, such as the wireless communications explosion
  • 16. Challenges Facing IG Auditors
    • Impact of major events, such as the focus on disaster recovery following 9/11
    • Inconsistent application of standards
      • How does your agency define an information system?
      • What constitutes a material weakness?
      • How does your agency categorize information and information systems?
    • Growing importance of IG auditors to be “technically capable” and possess professional certifications
  • 17. FISMA Working Group
    • Established for the IG community under the Federal Audit Executive Council
    • Promotes interagency coordination of information security and evaluation requirements established by FISMA
      • FISMA update conferences and training
      • Sharing lessons learned
      • Interacting with OMB, NIST, CIO Council and GAO
      • Coordinating on issues and initiatives that cross agency lines
    • For more information, contact Judy Hoyle at (202) 416-4088 or
  • 18. Questions and Answers