Presentation is loading. Please wait.

Presentation is loading. Please wait.

FISMA 101.

Published byOphelia Marshall Modified over 8 years ago

Similar presentations

Presentation on theme: "FISMA 101."— Presentation transcript:

1 FISMA 101

2 AGENDA FISMA Project Overview The Basics: FISMA and NIST RMF
The Details: Six specific processes Portable Computing Devices and Media Getting Help Next Steps: Timeline, Rules of Behavior, HIPAA

3 FISMA PROJECT OVERVIEW
The UF contract with the State of Texas requires compliance with FISMA and NIST standards for work supporting this project In response to the contract requirements: UFIT sponsored and invested in a significant project to support this contract ($1.5M/70-80 UFIT employees) On-track to complete the initial build-out by June 30th, 2015 The new FISMA environment replaces the current SAS and SQL environments used for Texas contract deliverables and research

4 FISMA @ UF Enables $40M State of Texas Contract
UF will be eligible for additional contracts and grants via the FISMA-compliant, multi- tenant environment Requires End-users/Researchers: Heightened security requirements Office of Research: Revised contract /negotiation process UFIT: Additional compliance requirements

5 THE BASICS FISMA AND NIST RMF

6 WHAT IS FISMA? Federal Information Security Management Act (FISMA) of 2002 Included by Congress as part of the E-Government Act of 2002 Establishes security guidelines for federal agencies or those providing services to federal agencies Sets forth: Specific requirements for security programs Specific documentation, policies and procedures Defined processes required to be in place in accordance with NIST – a national security standard Brings standardization to security control selection and assessment by providing a/an: Consistent framework for protecting information Effective management of risks to information security Development of adequate controls to protect information and systems Mechanism for effective oversight of security programs Essentially, every federal agency “did security differently or not at all” and Congress decided to enforce minimum standards.

7 NIST RISK MANAGEMENT FRAMEWORK (RMF)
Prepare the POA&M Submit Security Authorization Package (Security Plan, SAR, and POA&M) to AO AO conducts final risk determination AO makes authorization decision Ultimately, NIST wants an organization to intelligently address the entire lifecycle of an information system to ensure security is “baked into” all components. This process has created a framework, titled “Risk Management Framework” (RMF) NIST guidance includes: Standards for categorizing information Standards for minimum security requirements Guidance for selecting appropriate security controls Guidance for assessing security controls and systems Guidance for “assess and authorize” information systems Basically, detailed documents that explain the entire security lifecycle: the who, what, when, and why of implementing secure environments to federal standards

8 RMF ALIGNED WITH INFORMATION SYSTEM
Risk Management Framework Authorization Package SECURITY PLAN including updated Risk Assessment SECURITY ASSESSMENT REPORT PLAN OF ACTION AND MILESTONES INFORMATION SYSTEM CATEGORIZE Information System ASSESS Security Controls AUTHORIZE IMPLEMENT MONITOR Security State SELECT

9 SIX SPECIFIC PROCESSES
THE DETAILS SIX SPECIFIC PROCESSES

10 1. GETTING AN ACCOUNT Non-FISMA Accounts were provided on an ad hoc basis (phone, , etc.): accounts maintained as necessary FISMA Accounts have to be formally authorized and approved by management: processes need to ensure account list is current and appropriate Why Additional controls implement appropriate accountability and assurance of minimum necessary access rights

11 2. REMOTE ACCESS & LOGGING IN
Non-FISMA Access was available through a variety of means and mechanisms simply requiring a user name and password (RDP, telnet, SSH, web portals, etc.) FISMA Remote access into the environment has to be secured with both something you know (a password) and something you have (a token) Why Passwords are easily stolen (Target, Home Depot, Anthem, Premera, etc.), so best practices and compliance require additional verification

12 3. DATA TRANSFERS Non-FISMA Systems allow whatever means for data transfer most convenient or available to users FISMA Sensitive data are regulated and therefore must have controlled mechanisms to allow data in and out Why Complexity and lack of control provide opportunities for loss or misuse

13 4. CHANGE MANAGEMENT Non-FISMA Changes are made on an ad hoc basis, not formally tracked or reviewed for security impact (updates to applications, databases, etc.) FISMA Changes must be formally reviewed, approved and tracked Why Oversight is necessary to ensure changes do not impact the integrity of the system’s security and tracking is necessary for audit purposes

14 5. LOGGING AND MONITORING
Non-FISMA Logs and review of logs are performed on an ad hoc basis FISMA All systems enforce required logging measures to ensure they remain secure Why Logs are necessary to both detect adverse events (breaches, misuse of data, etc.) and for audit purposes

15 6. SECURITY ASSESSMENTS Non-FISMA No formal security assessments are performed FISMA Regular security assessments for vulnerabilities and compliance are conducted Why To ensure ongoing security of the environment

16 PORTABLE COMPUTING DEVICES AND MEDIA
DATA PROTECTION AND PRIVACY

17 PORTABLE COMPUTING DEVICES
Must comply with current UF policy which requires full disk encryption to protect the confidentiality and integrity of systems and data The FISMA environment is designed such that data is contained fully within the protected environment Users traveling to areas deemed as high risk are advised not to access the FISMA environment from those locations Portable devices taken to high risk areas will be completely erased and restored to the baseline configuration upon return and before being allowed to access the FISMA environment again

18 MEDIA ACCESS No ability is provided for users to use or access data on removable media as part of the ResShield system Privileged users are authorized to use removable media for the purpose of system installation and maintenance activities, as approved by the Change Advisory Board (CAB) No restricted data is stored on removable media, and media is scanned for malware before use with the ResShield system

19 MEDIA LABELING External labels are affixed to all removable media used with the ResShield system. Labels identify the data or software included and the note “Not for use with Restricted Data” If Restricted Data is stored on removable media, it is labeled as “UF ResShield” and “UF Restricted Data”

20 MEDIA STORAGE Privileged users store removable media used for system installation and maintenance in locked and controlled office facilities when not in use to prevent tampering See ResShield Standard Operating Procedures MP-4

21 MEDIA TRANSPORT Privileged users keep all removable media in their possession during transport to locked and controlled office facilities and the data center Transport of removable media that does not contain Restricted Data does not need to be documented and logged If Restricted Data is stored on removable media, the FISMA Operations Manager will individually authorize and document transport of such media outside of locked and controlled office facilities See ResShield Standard Operating Procedures MP-5

22 MEDIA ENCRYPTION UF Policy allows the use of unencrypted removable media only when encryption interferes with the media’s essential function As removable media is only used with ResShield for system installation and maintenance (which is usually not possible with encrypted media) encryption is not required for removable media If Restricted Data is stored on removable media, the media will be fully encrypted with FIPS compliant products See ResShield Standard Operating Procedures

23 OUTPUT DEVICE PHYSICAL SECURITY
UFIT staff with privileged access work in physically secured areas without public access Screen guards must be used with any monitors removed from the secure office area See ResShield Standard Operating Procedures PE-5

24 INSIDER THREATS

25 INSIDER THREATS What is an Insider Threat?
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems What are some signs of this type of behavior and/or activities that you may encounter? Job dissatisfaction that may be in the form of verbal complaints against the university Harassment of fellow co-workers (which should be reported immediately) Violations of other university policies What should you do if you suspect Insider Threat Activity? Report it!! Call the Privacy Hotline – HIPA Use the web form: privacy/report-an-incident

26 GETTING HELP

27 WHAT IF I NEED HELP? Nothing changes with your workstation support
Contact UFHealth AHC-IT as you normally do UFHealth AHC-IT will route FISMA support requests to the FISMA team Additionally, for a few weeks after go-live, UFIT FISMA staff will rotate at 3 locations for user support services: CTRB 1329 Bldg. 2020 Bldg. (HOP Modular)

28 NEXT STEPS

29 NEXT STEPS Timeline: to rd Party Assessment Organization (3PAO), Excentium is performing their Independent Verification and Validation (IV&V) to TX EQRO testing TX Data is inside the FISMA bubble, TX FISMA is LIVE to   day parallel validation period Rules of Behavior Verify HIPAA is up-to-date

30 APPENDIX

31 NIST REFERENCES FIPS Publication 199 (Security Categorization)
FIPS Publication 200 (Minimum Security Requirements) NIST Special Publication (Security Planning) NIST Special Publication (Risk Assessment) NIST Special Publication (Risk Management) NIST Special Publication (Certification & Accreditation) NIST Special Publication (Recommended Security Controls) NIST Special Publication A (Security Control Assessment) NIST Special Publication (Information Types Mapping)

32 INFORMATION SECURITY PROGRAMS 1 of 2
The information security programs are centered around the security control families: Access Control Awareness and Training Audit and Accountability Certification, Accreditation, & Security Assessments Configuration Management Contingency Planning Identification & Authentication Incident Response

33 INFORMATION SECURITY PROGRAMS 2 of 2
The information security programs are centered around the security control families: System Maintenance Media Protection Security Planning Risk Assessment System & Services Acquisition System & Communication System & Information Integrity

Download ppt "FISMA 101."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
2010 Region II Conference Corporate Compliance Panel June 3, 2010

2010 Region II Conference Corporate Compliance Panel June 3, 2010
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
General Awareness Training

General Awareness Training

Similar presentations

Ads by Google