Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP


1 Title
The Federal Information Security Management Act (FISMA): An Auditor's View
Presented by Loren Schwartz, CPA, CISSP, CISA, CIPP
February 2015

2 Agenda
- What Is FISMA?
- NIST Framework
- How To Perform a FISMA Audit
- Future of FISMA

3 What Is FISMA? It's the great irony of our Information Age – the very technologies that empower us to create and to build also empower those who would disrupt and destroy.  – President Barack Obama, May 29, 2009

4 What Is FISMA? Given the rapid agility of those seeking to compromise Federal systems and data, the Federal Government needs a consistent, central, and repeatable method for identifying cybersecurity threats and vulnerabilities. – Office of Management and Budget (OMB) Memorandum M-15-01, Fiscal Year Guidance on Improving Federal Information Security and Privacy Management Practices

5 What Is FISMA?
The Federal Information Security Modernization Act (FISMA):
- Formerly known as the Federal Information Security Management Act and Title III of the E-Government Act of 2002
- Serves as a framework to manage risk and ensure the confidentiality, availability, and integrity of federal information and information systems

6 What Is FISMA? FISMA (cont.)
Assigns specific development, management, oversight, and reporting responsibilities to two federal agencies:
- The National Institute of Standards and Technology (NIST)
- The Office of Management and Budget (OMB)

7 What Is FISMA?
FISMA establishes the following roles and responsibilities for the IT security management team:
Agency Head
- Is ultimately accountable for protecting the agency's systems
- Must include security as part of strategic and operational planning
- Assigns responsibility for compliance to Chief Information Officers (CIOs)

8 What Is FISMA? FISMA roles and responsibilities (cont.):
Inspector General
- Performs an annual independent evaluation of the agency's security program
- The evaluation must include testing the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems

9 What Is FISMA? FISMA roles and responsibilities (cont.):
Chief Information Officer
- Designates a senior information security officer
- Is accountable for the agency-wide security program
- Develops and implements policies, procedures, and controls
- Provides quarterly progress reports to OMB

10 What Is FISMA? FISMA roles and responsibilities (cont.):
Information System Security Officer (ISSO)/Chief Information Security Officer (CISO)
- Carries out responsibilities delegated by the CIO
- Security is the ISSO's primary responsibility
- Maintains professional qualifications

11 What Is FISMA? FISMA roles and responsibilities (cont.):
Program Officials and System Owners
- Assess risk and test controls
- Update system documentation
- Ensure that systems are certified and accredited (SA&A)

12 What Is FISMA? [FISMA] requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. – NIST website

13 What Is FISMA?
FISMA is intended to assist federal agencies in standardizing their security control selection and assessment by providing:
- A consistent framework for protecting information at the federal level
- Effective management for information security risks
- Assistance in developing adequate controls to protect information and systems
- A mechanism for effective oversight of federal security programs

14 What Is FISMA?
FISMA is probably the most criticized law since Prohibition. That MAY be an overstatement.
When implemented poorly, FISMA is an exercise in paperwork. When implemented well, FISMA can be the cornerstone of a well-designed, well-implemented, and well-managed information security program.

15 What Is FISMA?
FISMA requires agencies to submit quarterly reports to OMB on the status of their information security program.
- OMB sets reporting standards annually; these standards have become more stringent over time.
- The quarterly reports consist of the annual report and three quarterly updates in December, March, and June.
- These reports are also submitted to other groups, including:
  - House Committees on Government Reform and Science
  - Senate Committees on Government Affairs and Commerce, Science, and Transportation
  - Congressional authorization and appropriations committees for each individual agency
  - Government Accountability Office

16 NIST Framework
FISMA granted NIST responsibility for developing information security standards and guidelines for federal information systems other than those designated as national security systems.
- Information security standards include NIST's Federal Information Processing Standards (FIPS)
- Guidelines include Special Publications (SPs) in the 800 series
- FISMA also assigned NIST specific responsibilities

17 NIST Framework

18 NIST Framework
Knowledge of these and other NIST publications is essential for FISMA compliance. Such publications include:
- Standards to be used by federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels
- Guidelines recommending the types of information and information systems to be included in each category
- Minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category

19 NIST Framework
Helpful NIST Publications:

NIST Publication         Description
FIPS Publication 199     Security Categorization
FIPS Publication 200     Minimum Security Requirements
NIST SP , Rev. 1         Security Planning
NIST SP , Rev. 1         Risk Management
NIST SP , Rev. 1         Contingency Planning
NIST SP , Rev. 1         Certification & Accreditation
NIST SP , Rev. 4         Recommended Security Controls
NIST SP A, Rev. 4        Security Control Assessment
NIST SP , Rev. 1         Security Category Mapping

20 NIST Framework FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems FIPS 199 is the standard used by federal agencies to categorize information and information systems based on the objective of providing appropriate levels of information security according to a range of risk levels. Information systems are categorized as low, moderate, or high risk based on the confidentiality, integrity, and availability security requirements necessary to protect the data/information processed, stored, or transmitted by the information system.

21 NIST Framework FIPS 200, Minimum Security Requirements for Federal Information and Information Systems FIPS 200 provides the minimum information security requirements for information and information systems in each security category defined in FIPS 199. It requires agencies to use NIST SP for their baseline security control requirements.

22 NIST Framework
NIST SP , Rev. 1, Guide for Developing Security Plans for Federal Information Systems
NIST SP , Rev. 1 defines the format and content for security plans, as required by OMB Circular A-130. The main functions of the security plan include:
- Providing an overview of the system's security requirements
- Describing the controls in place or planned for meeting those requirements
- Delineating responsibilities and expected behavior for all individuals who access the system
- Documenting the structured process of planning adequate, cost-effective security protection for the system

23 NIST Framework
NIST SP , Rev. 1, Risk Management Guide for Information Technology Systems
NIST SP , Rev. 1 provides definitional and practical guidance regarding the concept and practice of managing IT-related risks. Risk management provides balance between the operational objectives and economic costs of protective measures. It:
- Enables agencies to better secure IT systems that store, process, or transmit organizational information
- Enables management to make well-informed risk management decisions to justify expenditures
- Assists management in authorizing (or accrediting) IT systems

24 NIST Framework
NIST SP , Rev. 1, Contingency Planning Guide for Federal Information Systems
NIST SP , Rev. 1 provides instructions, recommendations, and considerations for government IT contingency planning. It provides specific contingency planning recommendations for seven IT platforms and includes strategies and techniques common to all systems.

25 NIST Framework
NIST SP , Rev. 1, Guide to Apply the Risk Management Framework to Federal Information Systems
NIST SP , Rev. 1 establishes a six-step risk management framework for federal information systems:
1. Categorize the Information System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize the Information System
6. Monitor the Security Controls
This SP applies to all federal information systems other than those designated as national security systems, as defined in the Federal Information Security Management Act of 2002.

26 NIST Framework
NIST SP , Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations
NIST SP , Rev. 4 is intended to provide guidelines for selecting and specifying security controls for information systems. It applies to all federal information systems other than those designated as national security systems, as defined in 44 U.S.C., Section 3542.

27 NIST Framework NIST SP 800-53, Rev. 4 (cont.)
This SP was broadly developed from a technical perspective in order to complement similar guidelines issued by agencies and offices operating or exercising control over national security systems. It provides guidance to federal agencies in accordance with FIPS 200, Minimum Security Controls for Federal Information Systems.

28 NIST Framework
NIST categorizes FISMA principles into 18 security control families, which can be found in NIST SP , Minimum Security Controls for Federal Information Systems. Each control family contains numerous requirements based on the sensitivity level of the system. NIST controls often cover most of the controls included in other frameworks, such as those of the International Organization for Standardization (ISO) and the Payment Card Industry Data Security Standard (PCI DSS).

29 NIST Framework
The 18 control families, grouped by control class:

Management Controls
- RA – Risk Assessment
- PL – Planning
- SA – System & Services Acquisition
- CA – Security Assessment & Authorization
- PM – Program Management

Operational Controls
- PS – Personnel Security
- PE – Physical & Environmental Protection
- CP – Contingency Planning
- CM – Configuration Management
- MA – Maintenance
- SI – System & Information Integrity
- MP – Media Protection
- IR – Incident Response
- AT – Awareness & Training

Technical Controls
- IA – Identification & Authentication
- AC – Access Control
- AU – Audit & Accountability
- SC – System & Communications Protection

30 NIST Framework NIST SP A, Rev. 4, Guide for Assessing the Security Controls In Federal Information Systems NIST SP A, Rev. 4 provides standardized techniques and procedures to verify the effectiveness of security controls. It provides a single baseline verification procedure for each security control. It allows agencies to apply additional verification techniques and procedures at their discretion.

31 NIST Framework
NIST SP , Rev. 1, Volumes I and II, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP , Rev. 1 provides guidelines recommending the types of information and information systems to be included in each category of potential security impact. It assists agencies in consistently mapping security impact levels to types of:
- Information (e.g., privacy, medical, proprietary, financial, contractor-sensitive, trade secret, investigation)
- Information systems (e.g., mission-critical, mission-support, administrative)

32 NIST Framework
Required Documentation:
- Authorization Boundary/Security Categorization (FIPS 199)
- System Security Plan (NIST SP )
- Risk Assessment (NIST SP )
- Security Assessment Report (NIST SP , )
- Contingency Plan/Disaster Recovery Plan (NIST SP )
- Privacy Impact Assessment
- Plan of Action and Milestones (POA&M)

33 NIST Framework POA&Ms are an agency’s primary management tool for tracking the mitigation of its IT security program and system-level weaknesses. POA&Ms are designed to facilitate review, analysis, and decision-making in order to improve performance in implementing corrective actions. Departments use POA&Ms to determine the organization’s progress in the area of IT security. POA&Ms are reviewed both within the department and by OMB.

34 NIST Framework POA&Ms (cont.):
OMB uses all federal POA&Ms in conducting its assessment of the IT security maturity of the federal government. Inspectors General (IGs) are asked to use specific criteria to assess whether the agency has developed and implemented an agency-wide POA&M process, and whether it is appropriately managing this process. The IG's assessment in this area is critical: effective remediation of IT security weaknesses is essential to achieving a mature IT security program.

35 How to Perform a FISMA Audit
FISMA audits:
- Are driven by the annual DHS/OMB memorandum
- Are typically (but not always) structured as a performance audit
- Follow a methodology that is similar to the methodology for an audit under the Federal Information System Controls Audit Manual (FISCAM)
- Do not have exactly the same scope for each OIG
- Typically consist of selecting and testing a subset of systems
- Are performed annually at approximately the same time as the financial statement audit in order to gain possible efficiencies

36 How to Perform a FISMA Audit
Selecting a Representative Subset of Systems The evaluator uses their professional judgment to identify a sufficient scope for systems testing to constitute a representative subset of the entity’s systems. The subset should be representative of all of the entity’s systems covered by FISMA.

37 How to Perform a FISMA Audit
Selecting a Representative Subset of Systems (cont.):
The selection should include:
- Systems at different risk levels (i.e., high, moderate, and low)
- Both general support systems and major application systems
- Different types of applications (e.g., financial management, operations)
- Major processing locations
- General and business process controls
- Coverage of the FISCAM control areas
- Contractor and other non-entity systems that are covered by FISMA requirements
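The FIPS 199 categorization described on slide 20 and the sample-selection criteria on slides 36 and 37 lend themselves to a small checking tool. The example below is added here and is not from the presentation: it derives each system's impact level from the impact of the information types it handles (highest impact per objective, then the highest of the three objectives, the FIPS 199 high-water mark) and then reports which of the slide 37 coverage criteria a proposed audit sample fails to meet. The inventory, system names and field names are constructed for illustration.

```python
from dataclasses import dataclass

# FIPS 199 impact levels in ascending order; the highest index is the
# high-water mark used for the overall system categorization.
LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """FIPS 199 categorization of a system from its information types.
    Each info type is a dict mapping the three objectives to an impact level.
    Per objective the system takes the highest impact of any information type
    it handles; the overall level is the highest of the three objectives."""
    per_objective = {
        obj: max((t[obj] for t in info_types), key=LEVELS.index)
        for obj in OBJECTIVES
    }
    overall = max(per_objective.values(), key=LEVELS.index)
    return overall, per_objective


@dataclass
class System:
    name: str
    kind: str          # "general support system" or "major application"
    app_type: str      # e.g. "financial management", "operations"
    location: str      # processing location
    contractor: bool   # operated by a contractor or other non-entity
    info_types: list   # list of {objective: impact} dicts

    def level(self):
        return categorize(self.info_types)[0]


def coverage_gaps(inventory, selected_names):
    """Check an audit sample against the slide 37 criteria. Returns a dict of
    criterion -> values present in the inventory but absent from the sample;
    an empty dict means the subset is representative on these axes."""
    chosen = [s for s in inventory if s.name in selected_names]
    axes = {
        "risk levels": lambda s: s.level(),
        "system kinds": lambda s: s.kind,
        "application types": lambda s: s.app_type,
        "processing locations": lambda s: s.location,
    }
    gaps = {}
    for criterion, key in axes.items():
        missing = {key(s) for s in inventory} - {key(s) for s in chosen}
        if missing:
            gaps[criterion] = missing
    if any(s.contractor for s in inventory) and not any(s.contractor for s in chosen):
        gaps["contractor systems"] = {"no contractor-operated system sampled"}
    return gaps


# Constructed sample inventory (hypothetical systems, not from the presentation).
INVENTORY = [
    System("GSS-1", "general support system", "infrastructure", "HQ", False,
           [{"confidentiality": "moderate", "integrity": "moderate", "availability": "high"}]),
    System("FIN-APP", "major application", "financial management", "HQ", False,
           [{"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
            {"confidentiality": "low", "integrity": "low", "availability": "low"}]),
    System("OPS-APP", "major application", "operations", "Regional", True,
           [{"confidentiality": "low", "integrity": "moderate", "availability": "low"}]),
    System("PUB-WEB", "major application", "public information", "Regional", False,
           [{"confidentiality": "low", "integrity": "low", "availability": "low"}]),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s.name, categorize(s.info_types))
    # A sample of only the two HQ systems misses the moderate and low systems,
    # the Regional location, two application types and the contractor system.
    print(coverage_gaps(INVENTORY, {"GSS-1", "FIN-APP"}))
```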

38 How to Perform a FISMA Audit
FISCAM may be used as a basis for the independent evaluation of a federal agency’s information security program as required by FISMA (Appendix IX: Application of FISCAM to FISMA). The agency’s IG must perform independent evaluations of federal information systems other than those designated as national security systems. Evaluations of systems related to national security may only be performed by an entity designated by the agency head.

39 How to Perform a FISMA Audit
OMB Memorandum (Questionnaire): The OMB memorandum is released annually. It directs CIOs and OIGs as to the areas on which they must report. The Department of Homeland Security (DHS) is currently responsible for information security; DHS therefore designs the questions and reporting requirements while OMB is responsible for sending out the document.

40 How to Perform a FISMA Audit
OMB Memorandum (cont.):
- The memorandum is primarily comprised of the same questions from year to year, but OMB throws some curveballs.
- It contains a frequently asked questions (FAQ) section and a questionnaire with separate questions for CIOs, OIGs, and Senior Agency Officials for Privacy (SAOPs).
- The questions are no longer publicly accessible; the auditor receives them from the Contracting Officer's Technical Representative (COTR).

41 How to Perform a FISMA Audit
OMB Memorandum (cont.): The auditor usually selects a subset of systems to review for the questionnaire, but it depends on the contract. The auditor may also select one of the systems each year to undergo a detailed audit based on NIST SP

42 How to Perform a FISMA Audit
OMB Memorandum (cont.):
The memorandum questions have evolved over the years. It originally asked a mix of questions with answers that were qualitative (e.g., excellent, good, fair, poor), percentages, or numbers; now all of the questions have yes/no answers. Questions that have been removed include:
- Peer-to-peer questions
- E-authentication questions

43 How to Perform a FISMA Audit
Question areas for the CIO:
- Data feeds directly from security management tools (or from Excel)
- Inventory:
  - Systems and Services
  - Hardware
  - Software
  - External Connections
- Security Training
- Identity Management and Access
- Government-wide benchmarking on security posture

44 How to Perform a FISMA Audit
Question areas for the SAOP:
- Update on the breach notification policy, if it has changed significantly since the last year's report
- Progress update on eliminating the unnecessary use of social security numbers
- Progress update on review and reduction of holdings of personally identifiable information

45 How to Perform a FISMA Audit
Question areas for the OIG:
- Continuous monitoring management
- Configuration management
- Identity and access management
- Incident response and reporting
- Risk management (security assessment and authorization (SA&A) process)
- Security training

46 How to Perform a FISMA Audit
Question areas for the OIG (cont.):
- Plans of action and milestones
- Remote access management
- Contingency planning
- Contractor systems
- Security capital planning

47 How to Perform a FISMA Audit
Key FAQs from the memorandum include:
- Should agencies set an internal FISMA reporting cut-off date?
- Should all of the agency's information systems be included as part of the FISMA report?
- Is use of NIST publications required?
- Are NIST guidelines flexible?
- Are the security requirements outlined in the Act limited to information in electronic form?

48 How to Perform a FISMA Audit
Key FAQs from the memorandum (cont.):
- When OMB asks if an agency has a process, is it also asking if the process is implemented and is effective?
- How do agencies ensure FISMA compliance for connections to non-agency systems?
- Do Statement on Standards for Attestation Engagements (SSAE) No. 16 audits meet the requirements of FISMA and implementation policies and guidance?

49 How to Perform a FISMA Audit
Key FAQs from the memorandum (cont.):
- Is a security authorization required for all information systems? OMB Circular A-130 requires a security authorization to process only for general support systems and major applications.
- Must all agency information systems be tested and evaluated annually?
- Must government contractors abide by FISMA requirements?
- Do employees who never access electronic information systems need annual security and privacy awareness training?

50 How to Perform a FISMA Audit
FISMA-specific reporting requirements:
Determine whether any weaknesses identified (individually or collectively) represent significant deficiencies under FISMA. FISMA requires agencies to report any significant deficiencies:
- As material weaknesses under the Federal Managers' Financial Integrity Act (FMFIA)
- As instances of a lack of substantial compliance under the Federal Financial Management Improvement Act (FFMIA), if related to financial management systems

51 How to Perform a FISMA Audit
FISMA-specific reporting requirements (cont.):
A significant deficiency in FISMA is a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, which:
- Significantly restricts the capability of the agency to carry out its mission, or
- Compromises the security of its information, information systems, personnel, or other resources, operations, or assets.
The risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.

52 How to Perform a FISMA Audit
FISMA-specific reporting requirements (cont.):
- The OIG is responsible for entering its responses to template questions using the CyberScope portal hosted by DHS.
- The OIG will usually also issue a performance audit report, generally supported by the work performed to answer the template questions.
- The OIG will often perform more detailed testing of a selected system and issue a separate performance audit report on that system.
- There are also other varieties of reporting, such as separate technical reports for internal use only.

53 How to Perform a FISMA Audit
Common findings in FISMA audits include:
- SA&A packages are not complete or have issues.
- Configuration baselines are not developed and in place.
- The vulnerability management program is not well implemented.
- The patch management process is ineffective.
- The agency's training program is poor, or not all personnel have completed training.
- Mobile devices have not been adequately secured.

54 Future of FISMA
In December 2015, President Barack Obama signed a bill into law that:
- Changed the name of FISMA from "Management" to "Modernization."
- Extended OMB's responsibility to determine IT security policies for federal agencies.
- Granted DHS authority to administer the operational aspects of those policies among civilian agencies.
- Eliminated the requirement for federal agencies to submit a checklist verifying that their IT systems and processes met federal standards and controls.
- Moved agencies toward continuously monitoring their systems for vulnerabilities.

55 Future of FISMA
The new FISMA mandates continuous monitoring and the use of "automated security tools to continuously diagnose and improve security." This includes:
- Assessing information security risks on an ongoing basis.
- Developing an Information Security Continuous Monitoring (ISCM) strategy that supports the implementation of a program to continuously monitor and defend the agency's network(s) from cyber security risks, threats, and malicious activity.

56 Future of FISMA OMB key initiatives for 2014-2015 include:
- New requirements based on assessment of emerging threat activities.
- Streamlined agency reporting of information security incidents to DHS's U.S. Computer Emergency Readiness Team (US-CERT) and improvement in DHS US-CERT's ability to respond to information security incidents effectively.
- Enhanced FISMA metrics, a proactive vulnerability scanning process, and updated incident response procedures.

57 Future of FISMA Cross-Agency Priority (CAP) goals for FY 2015:
National Security Council (NSC) staff and OMB identified cybersecurity as one of the 14 CAP goals for FY 2015, to build on the statutory requirements of FISMA and to provide senior government officials with greater visibility and accountability for this issue. Cybersecurity CAP goal initiatives and metrics are a subset of the FISMA metrics.

58 Future of FISMA CAP goals for FY 2015 (cont.):
OMB and NSC staff will maintain focus on Information Security Continuous Monitoring (ISCM) and Identity, Credential, and Access Management (ICAM). For the first time, OMB and NSC staff have identified "Anti-Phishing and Malware Defense" as an additional priority area.

59 Future of FISMA
OMB, NSC staff, and DHS have taken the following approach in developing the enhanced FY 2015 FISMA metrics:
- Assessed the quality and validity of each metric by soliciting input from more than 100 cybersecurity professionals from more than 24 federal agencies, who made more than 200 recommendations for the metrics.
- Where possible, removed metrics that had completed their lifecycle or did not add sufficient value to the expanded assessment process.
- Developed outcome-oriented metrics to complement existing compliance-oriented metrics, to include anti-phishing and malware defense metrics aimed at reducing the risk of malware introduced through and malicious or compromised websites.
- Where possible, used existing federal agency data feeds to automate responses to improve the quality and timeliness of reported data.

60 Future of FISMA
DHS US-CERT will release its updated incident notification guidelines, including:
- A standard set of data elements for reporting incidents
- Updated incident notification requirements
- Updated impact classifications
- Updated threat vectors used to categorize and address incidents

61 Future of FISMA It’s hard to see where all of this is going, but cyberspace is clearly here to stay in our everyday lives, both professional and personal. Internal audit organizations will therefore need to build their own skill sets to address the risks and opportunities that come with cyberspace.

62 Q&A Thank you!

