Presentation is loading. Please wait.

Presentation is loading. Please wait.

Matthew Christian Dave Maddox Tim Toennies

Published bySévérine Breton Modified over 5 years ago

Similar presentations

Presentation on theme: "Matthew Christian Dave Maddox Tim Toennies"— Presentation transcript:

1 Matthew Christian Dave Maddox Tim Toennies
FISMA at SLU Matthew Christian Dave Maddox Tim Toennies

2 Agenda FISMA overview Current state of FISMA at SLU Future state

3 Acronym soup oversimplification
FERPA: Federal Educational Rights and Privacy Act; students HIPAA: Health Insurance Portability and Accountability Act; patients PII: Personally Identifiable data; all people PCI: Payment Card Industry; credit cards FISMA: Federal Information Security Management Act; government

4 What is FISMA? Included by Congress as part of e-Government act in 2002, modernized in Codified by Department of Homeland Security. Establishes security guidelines for federal agencies or those providing services to federal agencies Mandatory for federal contracts, may be required for federal grants. How do I know? FISMA: Effective in 2002, modernized in 2014. (1) if the grant requires the research organization to return the data to the federal project sponsor, and (2) if the grant has been awarded using a contracting form.

5 Does my work need FISMA cert?
Look for language in the contract to know if FISMA is required: System Security Plan Authority to Operate (ATO) OMB A­130 FIPS 199 Comply with all applicable NIST standards If any of these are in a Grant treat it as a red flag, confirm. OMB: White House Office of Management and Budget FIPS 199: Government standard for categorizing federal information and information systems according to an agency's level of concern for data & confidentiality. NIST: National Institute of Standards and Technology

6 FISMA security levels Different security levels Low Moderate High
​. Each level has a mandatory set of security controls, with each level building upon the previous. In addition, FISMA mandates separate evaluations for the confidentiality​, integrity​, and availability ​of the sensitive data. For example, research data containing individually identifiable health information would pose significant consequences to the university if that data was stolen, lost, or inadvertently disclosed, and thus the confidentiality security category would likely be Moderate. This same historical data may not require 24/7 access so the security category for availability may be Low. FISMA Low could be done by CDC, FISMA High by DOD.

7 FISMA impact Separate Accounts Remote Access Controlled Data Transfer
Formal Change Management Proactive Log Review Security Assessment ​. Each level has a mandatory set of security controls, with each level building upon the previous. In addition, FISMA mandates separate evaluations for the confidentiality​, integrity​, and availability ​of the sensitive data. For example, research data containing individually identifiable health information would pose significant consequences to the university if that data was stolen, lost, or inadvertently disclosed, and thus the confidentiality security category would likely be Moderate. This same historical data may not require 24/7 access so the security category for availability may be Low.

8 FISMA is a Framework

9 Top FISMA Requirements
Maintain an inventory of information systems Categorize information and information systems according to risk level Maintain a system security plan Utilize security controls Conduct risk assessments Certification and accreditation Conduct continuous monitoring While the full FISMA are extensive and very detailed, the top requirements can be summarized by the following: Maintain an inventory of information systems – Every agency should have in place an inventory of information systems that are operated by or under the control of the agency. The inventory must include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency. Categorize information and information systems according to risk level – All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels defined by FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems.” The guidelines are provided by NIST SP “Guide for Mapping Types of Information and Information Systems to Security Categories.” Maintain a system security plan – Agencies should develop and maintain a system security plan, which is a living document that requires periodic review, modification, and plans of action and milestones for implementing security controls. The system security plan is the major input to the security certification and accreditation process for the system. Utilize security controls – Federal information systems must meet the minimum security requirements which are defined in FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems.” Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication , “Recommended Security Controls for Federal Information Systems.” Agencies have flexibility in applying the baseline security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan. Conduct risk assessments – Each agency should conduct risk assessments to validate its security controls and to determine if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the United States. The resulting set of security controls establishes a level of “security due diligence” for the federal agency and its contractors. Certification and accreditation – Once the system documentation and risk assessment have been completed, the system’s controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP “Guide for the Security Certification and Accreditation of Federal Information Systems.” Conduct continuous monitoring – All accredited systems are required to monitor a selected set of security controls and the system documentation should be updated to reflect changes and modifications to the system. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

10 Current State FISMA Ready Compliance is not a quick effort; lots of planning and coordination are needed. At this time there are is no research at SLU which requires FISMA but… We have the hardware on site and to the best of our knowledge it has been built to the standards but.. It’s necessary to qualify the hardware which would need to be done by the Agency we work with for Certification. The Agency chosen would be dependent on the security level. Once completed the Agency would provide an Authority to Operate (ATO) FISMA Low could be done by CDC, FISMA High by DOD.

11 Current State We believe the environment on-site has been built to FISMA standards The environment is capable and scalable for large needs. We have the hardware on site and to the best of our knowledge it has been built to the standards but.. It’s necessary to qualify the hardware which would need to be done by the Agency we work with for Certification. The Agency chosen would be dependent on the security level. Once completed the Agency would provide an Authority to Operate (ATO) FISMA Low could be done by CDC, FISMA High by DOD.

12 Future State Up to all of us…
The FISMA hardware was not a trivial investment; we would love the opportunity to use it.

13 Keep in mind.. FISMA certification is not an overnight process…
There would need to be a project plan and resources marshalled for the effort.

14 Who should I contact? Work with Research department Ask the CISO
Review the material in the Appendix

15 VP Research, Matthew Christian
CISO, Dave Maddox

16 Questions ??

17 Appendix For further research:

18 Contact Information Tim Toennies Dave Maddox Matthew Christian

Download ppt "Matthew Christian Dave Maddox Tim Toennies"

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
IT Security Policy Framework

IT Security Policy Framework
SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.

Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Similar presentations

Ads by Google