
Federal Information Security Management Act An IG Perspective


Presentation Transcript


1. Federal Information Security Management Act: An IG Perspective
   February 2, 2004
   Presented to: The President's Council on Integrity and Efficiency, Information Technology Round Table
   Presented by: Russell A. Rau, Assistant Inspector General for Audits, Office of Inspector General, Federal Deposit Insurance Corporation

2. Agenda
   - FISMA: An IG Approach
   - 2004 Issues
   - Future Issues
   - Challenges Facing IG Auditors
   - New FISMA Working Group
   - Questions and Answers

3. FISMA: An IG Approach
   - Multi-year strategy for auditing the agency information security program
   - Strategy addresses the security program framework defined by FISMA
   - Audits conducted throughout the year are risk-based and support the multi-year strategy
   - FISMA evaluation led by in-house staff
   - Contractor supports IG work by testing selected IT technical controls

4. FISMA: An IG Approach
   2002
   - Physical Security
   - Contractor Security
   - Capital Planning
   2003
   - Network Security (multiple reviews)
   - Incident Response
   - Patch Management
   - Risk Assessment
   - Personnel Security
   - IT Strategic Planning
   - Contractor Security Follow-up

5. FISMA: An IG Approach
   Evaluation Scope and Methodology
   - Government Auditing Standards
   - Reliance on prior audit and evaluation reports
   - Independent testing and evaluation procedures
   - Identified 10 key management controls associated with successful information security programs
   - Key management controls based on federal laws, regulations, and guidelines
   - Key management controls assessed using a traffic light scorecard tool

6. FISMA: An IG Approach
   Government organizations such as GAO, OMB, and NIST have identified fundamental management controls needed for effective information security. These management controls are abstracted from long-standing requirements found in statutes, policies, and guidance. They cover topics such as:
   - Risk Management
   - Security Control Reviews
   - Contingency Planning
   - Access Controls
   - Incident Response

7. FISMA: An IG Approach
   Fundamental security management principles and controls can be found in:
   - NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
   - NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
   - NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
   - GAO Executive Guide, Information Security Management: Learning From Leading Organizations
   - FISMA and OMB Circular No. A-130, Appendix III

8. FISMA: An IG Approach
   [Slide consists of a graphic; no text transcribed.]

9. FISMA: An IG Approach
   Scorecard assessments based on assurance of adequate security:
   - Green (Reasonable Assurance)
   - Yellow (Limited Assurance)
   - Red (Minimal/No Assurance)
   Assessments require professional judgment
   Scorecard provides a simple and effective method to communicate complex results
   Management actions to address scorecard results:
   - Performance measures to improve FISMA ratings
   - Established a subcommittee of the Audit Committee
   - "Getting to Green" Initiative

10. FISMA 2004 Issues
   Leveraging Agency Reviews
   - Placing greater reliance on CIO and agency program reviews
   - Providing independent assurance of agency FISMA submissions
   Integrating FISMA evaluation and financial statement audit work
   - Relying on FISMA results to obtain an understanding of internal controls
   - Planning financial statement audit work based on FISMA results

11. FISMA 2004 Issues
   Contractor Security
   - Auditing major contractors that service multiple federal agencies
   - Verifying minimum security requirements of contractors, such as security planning, training, etc.
   Enterprise Architecture Security Implications
   - Ensuring major IT projects use security solutions that comply with the agency enterprise architecture
   Data Sensitivity
   - Categorizing data
   - Protecting sensitive data

12. FISMA 2004 Issues
   - Quantifying the Impact of Security Weaknesses: considering the cost-benefit of proposed security enhancements
   - NIST FIPS 199 and Special Publication 800-60
   - Certification and Accreditation (NIST Special Publication 800-37)
   - Verifying the effectiveness of security controls required in federal information systems (NIST Special Publication 800-53A)

13. Future FISMA Issues
   - Timing of FISMA and Accountability Reports
   - Interagency Issues
     - Federal Bridge (Authentication and Encryption)
     - Federal Enterprise Architecture
     - Servicers that cross agency lines

14. Challenges Facing IG Auditors
   How much audit work is enough? How much is too much?
   We can't fully evaluate everything every year!
   At FDIC, we found a balance through a multi-year strategy of performance auditing.

15. Challenges Facing IG Auditors
   Changing Criteria
   - Planned revisions to OMB A-130
   - Recently published NIST Special Publications:
     - 800-50, Building an IT Security Awareness and Training Program
     - 800-42, Guideline on Network Security Testing
     - 800-36, Guide to Selecting IT Security Products
     - 800-35, Guide to IT Security Services
     - 800-64, Security Considerations in the Information SDLC
   - And more to come...
     - Draft 800-53, Recommended Security Controls for Federal Information Systems
     - Draft 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
   Impact of new technology, such as the wireless communications explosion

16. Challenges Facing IG Auditors
   - Impact of major events, such as the focus on disaster recovery following 9/11
   - Inconsistent application of standards
     - How does your agency define an information system?
     - What constitutes a material weakness?
     - How does your agency categorize information and information systems?
   - Growing importance of IG auditors being "technically capable" and possessing professional certifications

17. FISMA Working Group
   - Established for the IG community under the Federal Audit Executive Council
   - Promotes interagency coordination of information security and evaluation requirements established by FISMA
     - FISMA update conferences and training
     - Sharing lessons learned
     - Interacting with OMB, NIST, CIO Council and GAO
     - Coordinating on issues and initiatives that cross agency lines
   For more information, contact Judy Hoyle at (202) 416-4088 or jhoyle@fdic.gov.

18. Questions and Answers
