Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal Information Security Management Act (F.I.S.M.A.) [ Justin Killian ]

Published byJeffrey Austin Modified over 8 years ago

Similar presentations

Presentation on theme: "Federal Information Security Management Act (F.I.S.M.A.) [ Justin Killian ]"— Presentation transcript:

1 Federal Information Security Management Act (F.I.S.M.A.) [ Justin Killian ]

2 Overview Existing Security Standards Advantages of FISMA Decipher Key Points Future Security Legislation

3 Premise of FISMA Gov. Information Security Reform Act of 2000 Need for unified approach to information security

4 Various Articles (Section 3451) Basic goals of FISMA –Comprehensive framework –Value Federal Information Assets –Provide oversight of federal agencies

5 Responsibilities Of… –The “Director” § 3543. Authority and functions of the Director (a) IN GENERAL.—The Director shall oversee agency information security policies and practices, including— (1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40; (2) requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the H. R. 2458—50 harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of— (A) information collected or maintained by or on behalf of an agency; or (B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;

6 Director Continued (3) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; (4) overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements; (5) reviewing at least annually, and approving or disapproving, agency information security programs required under section 3544(b); (6) coordinating information security policies and procedures with related information resources management policies and procedures; (7) overseeing the operation of the Federal information security incident center required under section 3546; and (8) reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter

7 .. Agency Officials (a) IN GENERAL.—The head of each agency shall— (1) be responsible for— (A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of— (i) information collected or maintained by or on behalf of the agency; (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (B) complying with the requirements of this subchapter and related policies, procedures, standards, andguidelines, including— (i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and (C) ensuring that information security management processes are integrated with agency strategic and operational planning processes;

8 .. Agency Officials (2) Ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through— (A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; (B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 11331 of title 40, for information security classifications and related requirements; (C) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and (D) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented;

9 .. Agency Officials (3) Delegate to the agency Chief Information Officer established under section 3506 (or comparable official in an agency not covered by such section) the authority to ensure compliance with the requirements imposed on the agency under this subchapter, (4) Ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and (5) Ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions

10 Conclusion Security is more of a “people problem” According to Rep. Tom Davis (R-Va), 16 of 24 agencies immediately received failing grades, with only one agency scoring as high as a C+ SearchSecurity survey of 500 corporate security –“More than half -- 55% -- said they've seen no improvement in their organization's security since last fall's attacks, with another 35% describing their security as "somewhat more effective" and 8% reporting a dramatic improvement” –“Nor have the attacks changed behavior at most companies. Fifty-seven percent of respondents reported no change in their information security budgets as a result of the September 11 attacks, and 84% report their security staffs have no more clout to enforce security rules than they did before last fall”

11 Resources http://csrc.nist.gov/policies/FISMA-final.pdf http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html http://news.com.com/U.S.+computer+security+focus+of+new+bill/21 00-1023_3-853090.html http://searchsecurity.techtarget.com/originalContent/0,289142,sid14 _gci846961,00.html http://www.technology.gov/Testimony/p_BHW-020502_SecAct.htm http://www.findarticles.com/p/articles/mi_m0OBA/is_1_22/ai_n61348 58

12 Questions?

Download ppt "Federal Information Security Management Act (F.I.S.M.A.) [ Justin Killian ]"

Similar presentations

Subchapter M-Indian Self- Determination and Education Assistance Act Program Part 273-Education Contracts under Johnson-OMalley Act.

Subchapter M-Indian Self- Determination and Education Assistance Act Program Part 273-Education Contracts under Johnson-OMalley Act.
Introduction to Records Management Policy

Introduction to Records Management Policy
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
1 A View of the United States Federal Statistical System from OMB Katherine K. Wallman Chief Statistician U. S. Office of Management and Budget.

1 A View of the United States Federal Statistical System from OMB Katherine K. Wallman Chief Statistician U. S. Office of Management and Budget.
Legal and Institutional Framework for Statistical Agencies in the United States Nancy M. Gordon Associate Director for Strategic Planning and Innovation.

Legal and Institutional Framework for Statistical Agencies in the United States Nancy M. Gordon Associate Director for Strategic Planning and Innovation.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
Core principles in the ASX CGC document. Which one do you think is the most important and least important? Presented by Casey Chan Ethics Governance &

Core principles in the ASX CGC document. Which one do you think is the most important and least important? Presented by Casey Chan Ethics Governance &
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 2 - 1 The CPA Profession Chapter 2.

©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley The CPA Profession Chapter 2.
Process of CG in Egypt Mohamed Omran Vice Chairman Cairo & Alexandria Stock Exchanges December, 13 th 2006.

Process of CG in Egypt Mohamed Omran Vice Chairman Cairo & Alexandria Stock Exchanges December, 13 th 2006.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
IS 700.a NIMS An Introduction. The NIMS Mandate HSPD-5 requires all Federal departments and agencies to: Adopt and use NIMS in incident management programs.

IS 700.a NIMS An Introduction. The NIMS Mandate HSPD-5 requires all Federal departments and agencies to: Adopt and use NIMS in incident management programs.
Information Governance and the Presidential Memo on Managing Government Records: Converging Issues and the Search for New Ideas Presidential Memorandum:

Information Governance and the Presidential Memo on Managing Government Records: Converging Issues and the Search for New Ideas Presidential Memorandum:
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.

E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Risk Management at ANZ Banking Group Jun 18, 2008 Patrick Zhu Head of Retail Risk China Partnerships.

Risk Management at ANZ Banking Group Jun 18, 2008 Patrick Zhu Head of Retail Risk China Partnerships.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
1 Program Performance and Evaluation: Policymaker Expectations 2009 International Education Programs Service Technical Assistance Workshop Eleanor Briscoe.

1 Program Performance and Evaluation: Policymaker Expectations 2009 International Education Programs Service Technical Assistance Workshop Eleanor Briscoe.
Information Systems Security Officer

Information Systems Security Officer

Similar presentations

Ads by Google