Find White Papers

Making the Grade: Automating IT Compliance for FISMA

By : Preventsys
INFORMATION
Published : Nov 29, 2005
Length : 16
Type : White Paper
Overview :

Increased assessment, reporting and compliance requirements are going to be difficult to manage from year to year, and organizations without the right strategy will face a significant increase in the annual cost of auditing and reporting on compliance. FISMA and its resulting compliance "report cards" have made government agencies accountable for implementing, and reporting on, defensible security measures.

The intent of the report cards is to show government regulators an agency's security benchmark, how each agency is progressing against this benchmark and how they continue to improve agency security measures on a year-over-year basis. Download this white paper to learn more.

Browse Related Categories : Compliance, Software Compliance

 
The Federal Information Security Management Act of 2002 (FISMA) has changed the way U.S. Government agencies manage information security. It presents a number of challenges and requirements for every agency's information technology security efforts. Increased assessment, reporting and compliance requirements are going to be difficult to manage from year to year, and organizations without the right strategy will face a significant increase in the annual cost of auditing and reporting on compliance.

The E-Government Act of 2002 was signed into law on December 17, 2002. Title III of this Act removed the sunset of the Government Information Security Reform Act (GISRA) and renamed it the Federal Information Security Management Act of 2002 (FISMA). FISMA is intended to provide a framework for government agencies to improve their security and risk management processes. The legislation mandates reporting on security compliance against a set of standard internal controls driven primarily by National Institute of Standards and Technology (NIST) standards, specifically NIST Special Publication 800-53.

FISMA and its resulting compliance "report cards" have made government agencies accountable for implementing and reporting upon defensible security measures. The intent of the report cards is to show government regulators an agency's security benchmark, how each agency is progressing against this benchmark and how they continue to improve agency security measures on a year-over-year basis.

Each agency is graded (A through F) on the following items and their overall FISMA compliance efforts. The body of this white paper discusses the steps agencies should take to "make the grade":

1. Develop a documented security and assessment program

2. Develop documented security policies and procedures based on accepted risk management and assessment practices

3. Comply with mandated NIST 800-53 internal control standards

4. Implement cost-effective tools and corrective policy actions, and periodically test those tools

5. Conduct independent evaluations yearly by an Inspector General (IG), IG delegate or by an external auditing entity

6. Report annually on the progress of the security program, policy compliance, remediation tasks, and the overall budgets, funding and spending that support the agency's security program.

No one technology or system will make an agency FISMA-compliant. Compliance can only be achieved with a comprehensive approach to policy management, auditing, reporting and remediation. To ensure the approach is repeatable year to year, and even month to month, agencies must find a way to tie these discrete activities together in a repeatable workflow process. To reduce auditing costs, this process should be automated as much as possible. Software systems designed specifically for centralized compliance reporting and management already exist. This paper highlights what you need to consider when evaluating such systems for adoption.

FISMA: Internal Controls

The E-Government Act of 2002 was signed into law on December 17, 2002. Title III of this Act removed the sunset of the Government Information Security Reform Act (GISRA) and renamed it the Federal Information Security Management Act of 2002 (FISMA). FISMA is intended to provide a framework for government agencies to improve their security and risk management processes while mandating reporting on security compliance against a set of standard internal controls. FISMA also endorses the Federal Computer Incident Response Center (FedCIRC) as the incident response center for national cyber security, and it strengthens the role of the National Institute of Standards and Technology (NIST, a division of the Dept. of Commerce) in promulgating computer security standards (i.e., the Special Publication 800 series). All federal government agencies must report their overall security posture to the Office of Management and Budget (OMB). OMB then submits its report to Congress on or before March 1 of every year. These reports are designed to provide insight into each agency's effectiveness in achieving the following goals:

1. Present a comprehensive framework and mechanism for security controls

2. Provide effective Government management and oversight of each system for security risks

3. Develop and maintain a set of consistent minimum internal controls

4. Utilize commercially developed information security products, and

5. Allow agencies the freedom to choose the commercial tools of their preference