Federal IT Security Professional - Auditor


1 Federal IT Security Professional - Auditor
FITSP-A Module 1

"We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better." – President Obama, May 29, 2009

2 Leadership
"Only through diligence and a well-trained workforce will we be able to adequately defend the nation's vital information resources." - Michael V. Hayden, CNSS Secretariat

Securing the United States against cyber attacks has become one of the nation's highest priorities. To achieve this objective, networks and systems, as well as the operations teams that support them, must vigorously defend against a variety of internal and external threats. To respond to those attacks that are successful, defenses must be prepared to detect and thwart follow-on attacks on internal enterprise networks as attackers spread inside a compromised network. A critical component of such a defense system is continuous monitoring, that is, the ability to automatically test and validate whether current security measures are working and proactively remediate vulnerabilities in a timely manner.

3 Overview
Section A: Objectives, Expectations, & Introductions
  FISMA Compliance Defined
  Expectations & Goals
  Target Audience
  Introductions
Section B: Security Certifications
  Exams
  Federal IT Security Institute
  FITSP – Auditor Certification
Section C: FITSP-A Courseware Logistics
  Course Outline
  Course Materials
  Course Evaluation

This module is intended to set your expectations for what you will learn from this training. At the conclusion of this course, you will have a clear understanding of the 6 RMF steps, as defined by NIST SP r1, with an overview of the additional NIST guidance supporting the RMF. You will be shown how to apply this knowledge immediately, using basic database and spreadsheet applications that will help organize the large amounts of data required during the initial steps of the RMF. You will know where to look to stay current on the mandates that drive the RMF standards and guidelines, and be able to anticipate, monitor, and even influence changes to those documents. Finally, you will have the material to prepare for the FITSP-A certification exam, issued by the Federal IT Security Institute (FITSI).

4 Section A - Objectives, Expectations, & Introductions

5 In Accordance with FISMA…
  The Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems.
  FISMA requires that federal agencies comply with FIPS standards.
  Federal agencies must follow NIST Special Publications mandated in FIPS.
  Other security-related publications are mandatory only when specified by OMB.
  Compliance schedules are established by OMB (and now the DHS - e.g., annual FISMA Reporting Guidance).

In accordance with the provisions of FISMA, the Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems. The Secretary shall make standards compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems. Standards prescribed shall include information security standards that provide minimum information security requirements and are otherwise necessary to improve the security of federal information and information systems.

Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore agencies may not waive their use.

Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard. FIPS 200 mandates the use of Special Publication , as amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA and Agency Privacy Management) state that for other than national security programs and systems, federal agencies must follow certain specific NIST Special Publications.

6 Other security-related publications, including interagency reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when specified by OMB. Compliance schedules for NIST security standards and guidelines are established by OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).

7 Course Expectations & Goals
  Clear understanding of FISMA Compliance, via the NIST Risk Management Framework, based on:
    Governmental Laws and Regulations
    OMB/DHS Policies, Directives, or Memoranda
    NIST Special Publications
    NIST Federal Information Processing Standards (FIPS)
    NIST Interagency Reports
  Further Education, Training & Certification

IT Security Workforce Training is Critical to the FISMA Mandate. Any organization that hopes to be ready to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in its knowledge and provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision-makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices. Training is also closely tied to policy and awareness. Policies tell people what to do, training provides them the skills to do it, and awareness changes behaviors so that people follow the policy. Training should be mapped against the skills required to perform a given job. If, after training, users are still not following the policy, that policy should be augmented with awareness.

8 Target Audience
[Excerpt from SP Guide for Applying the Risk Management Framework to Federal Information Systems]
Individuals associated with the design, development, implementation, operation, maintenance, and disposition of federal information:
  Ownership Responsibilities
  Development and Integration Responsibilities
  Oversight Responsibilities
  Assessment and Monitoring Responsibilities
  Security Implementation and Operational Responsibilities

This course serves individuals associated with the design, development, implementation, operation, maintenance, and disposition of federal information systems, including:
  Individuals with mission/business ownership responsibilities or fiduciary responsibilities (e.g., heads of federal agencies, chief executive officers, chief financial officers)
  Individuals with information system development and integration responsibilities (e.g., program managers, information technology product developers, information system developers, information systems integrators, enterprise architects, information security architects)
  Individuals with information system and/or security management/oversight responsibilities (e.g., senior leaders, risk executives, authorizing officials, chief information officers, senior information security officers)
  Individuals with information system and security control assessment and monitoring responsibilities (e.g., system evaluators, assessors/assessment teams, independent verification and validation assessors, auditors, or information system owners)
  Individuals with information security implementation and operational responsibilities (e.g., information system owners, common control providers, information owners/stewards, mission/business owners, information security architects, information system security engineers/officers)

9 Introductions
Introducing Your Instructor
  Education
Student Information
  Experience: Auditors, Operators, Managers
  Employer: DoD, NSA, Civilian Agency, Other
  Education: IT/IA Degrees, MBA
  Certifications: FITSP/CAP, SANS, CISSP, Security+
  Expectations: Starting from 0? What's New (800-37r1)

FITSP Certified Instructors must:
  Have an established training record, as shown in Knowledge Advisors Metrics-that-Matter
  Possess a trainer certification from another technical training provider, such as CompTIA CTT, Microsoft MCT, or EC-Council Certified Trainer
  Pass the FITSP exam with a minimum score of 80 (standard pass score is 75)
  Attend a 5-day FITSI-authorized train-the-trainer (3T) session
  Demonstrate their teaching skills and abilities during the 3T training

10 Section B - IT Security Training and Certification

11 Federal IT Security Institute http://www.FITSI.org
"To help secure the Nation's Federal Information Systems by certifying that Federal Workforce members understand and can apply appropriate Federal IT security standards." - Jim Wiggins, FITSI Executive Director, 2010 FISSEA Educator of the Year

FITSI is the Federal IT Security Institute, a non-profit organization managing and administering the FITSP certification program. FITSP stands for Federal IT Security Professional and is broken into four individual IT security certification programs targeted at the Federal workforce based upon role. FITSI's mission is "To help secure the Nation's Federal Information Systems by certifying that Federal Workforce members understand and can apply appropriate Federal IT security standards." The Federal Information Systems Security Educators' Association (FISSEA), founded in 1987, is an organization run by and for federal information systems security professionals. FISSEA assists federal agencies in meeting their computer security training responsibilities.

12 Federal IT Security Professional
  Manager - Governance, Oversight
  Designer - Build, Develop
  Operator - Maintain, Implement
  Auditor - Review, Check
  (Federal Body of Knowledge)

There are a number of IT security certifications on the market today. However, most of these are generalist certifications that promote "international best practices" and methodologies common to all types of organizations. The FITSP certification program is different in that it helps validate the skills and knowledge of Federal employees and contractors against Federal standards and practices. The FITSP certification addresses an important and needed role in validating the skills of IT security professionals against NIST standards and documentation. It is really the intersection of IT security skills, the NIST framework, and an independent third-party certification validation of candidates to help increase the knowledge pool of Federal workers and contractors. The FITSP certification is positioned to help protect the nation's critical infrastructure and, by default, the information that its people and citizens expect to have protected. When a candidate pursues the FITSP certification, he or she selects from four roles. This means there are four different exams, and a candidate can pursue one or all four roles to demonstrate competency in any of these areas. While the exams deal with the same domains, each role is tested on a different set of publications, themes, and topical areas that are relevant to each respective job role. These roles are:

13 The Four FITSP Roles
  Manager - The Manager role is designed for candidates who act in an oversight capacity with regard to IT security. Candidates for this are usually CISOs, ISMs, IAMs, etc. A candidate would earn a FITSP-Manager (FITSP-M) credential in this area.
  Designer - The Designer role is designed for candidates who are tasked with designing and developing a system within an organization. These are usually system designers and developers, ISSEs, and other engineers. A candidate would earn a FITSP-Designer (FITSP-D) credential in this area.
  Operator - The Operator role is designed for candidates who implement and operate an information system within an organization. These are usually the system and application administrators, system owners, ISSOs, DBAs and other personnel who manage and maintain the system. A candidate would earn a FITSP-Operator (FITSP-O) credential in this area.
  Auditor - The Auditor role is designed for candidates who review and audit the IT system. These are usually IT auditors found within the Inspector General community as well as public accounting companies. A candidate would earn a FITSP-Auditor (FITSP-A) credential in this area.

14 Federal IT Security Professional Domains & Security Topics
  Domain 1 – NIST Special Publications
  Domain 2 – NIST Federal Information Processing Standards (FIPS)
  Domain 3 – NIST Control Families
  Domain 4 – Governmental Laws and Regulations
  Domain 5 – NIST Risk Management Framework
  Domain 6 – NIST Interagency Reports

The FITSP program is represented by the FITSP FBK (Federal Body of Knowledge). The FBK is broken down into six domains. A domain is considered an area of knowledge. Each certification role contains the same six domains but is tested on a different set of publications, themes, and topical areas that are relevant to each respective job role. See the CEG (Candidate Exam Guide) for each respective FITSP certification role for a full breakdown of the publications, themes, and topical areas that are covered. Candidates who pursue the FITSP certification will be required to be proficient in each of the following six content areas.
  1. NIST Special Publications - This domain focuses on the full range of NIST 800 series special publications.
  2. NIST Federal Information Processing Standards - This domain focuses on roughly 13 Federal Information Processing Standards depending upon the role-based certification pursued (i.e., FIPS 140-2, FIPS 180-3, FIPS 197, etc.).
  3. NIST Control Families - This domain focuses on the 18 control families as defined in NIST SP. Candidates are expected to be familiar with the 18 control families and the corresponding controls from each family.
  4. Government Laws and Regulations - This domain focuses on the memorandums, circulars, executive orders, and laws that are required by OMB, Congress and Presidential Directives. Examples would include the FDCC as detailed in OMB M07-11, FISMA, OMB A-130 Appendix III, HSPD-12, etc.

15 Where it is covered in the FITSP-A Courseware
  5. NIST Risk Management Framework - This domain focuses on the NIST RMF in support of system authorization. Documents such as NIST SP Rev 1 and supporting documents are tested.
  6. NIST Interagency Reports - This domain focuses on several key NIST Interagency Reports that have been published to date.

IT Security Topic Areas (Security Topic Area: Where it is covered in the FITSP-A Courseware)
  1. Access Control: Module 10 – Technical Controls
  2. Application Security: Module 3 - RMF
  3. Audit & Accountability: Module 5 - Assessment
  4. Awareness & Training: Module 9 – Operational Controls
  5. Configuration Management
  6. Contingency Planning
  7. Data Security: Module 4 - Gap Analysis
  8. Identification & Authentication
  9. Incident Response
  10. Maintenance
  11. Media Protection
  12. Personnel Security
  13. Physical & Environmental Protection
  14. Planning
  15. Program Management: Module 8 – Management Controls
  16. Regulatory & Standards Compliance: Module 2 - Government Laws
  17. Risk Assessment
  18. Security Assessment & Authorization (Formerly C&A): Module 5 - Assessment; Module 6 – Authorization; Module 7 – Continuous Monitoring
  19. System & Communications Protection
  20. System & Information Integrity
  21. System & Services Acquisition

16 Section C - FITSP-A Courseware Logistics

17 All About the RMF
  1. Categorize the information system based on a FIPS 199 impact analysis;
  2. Select an initial set of baseline security controls for the information system based on system impact level and apply tailoring guidance, as needed;
  3. Implement the security controls and document the design, development, and implementation details for the controls;
  4. Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
  5. Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
  6. Monitor the security controls in the information system and environment of operation on an ongoing basis…

What I say = What I mean
  Controls are working = "…implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system."
  Risk = "…risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system."
  Monitor = "…on an ongoing basis, determine control effectiveness, changes to the system/environment, and compliance to legislation."
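Steps 1 and 2 above (categorize on a FIPS 199 impact analysis, then select the baseline from the system impact level) are the part of the RMF an auditor can recompute from the documented inputs. The following is an added example, not code from the FITSP courseware; it implements the FIPS 199 high-water-mark rule over a set of information types whose impact values are constructed here for illustration.

```python
"""FIPS 199 categorization and baseline selection (added example, not from the
course). High-water-mark rule: for each security objective, the system's impact
is the highest impact of any information type it handles; the overall impact
level (which names the initial SP 800-53 baseline under FIPS 200) is the highest
of the three objectives."""

from dataclasses import dataclass

# Ordered impact levels. FIPS 199 permits "NA" only for the confidentiality of
# an information type; it is never a valid value at the system level.
IMPACT_ORDER = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level, objective):
    """Reject values that are not a FIPS 199 impact level for that objective."""
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("NA is only allowed for confidentiality")
    return level


def system_category(info_types):
    """Aggregate per-objective impact across all information types.
    Returns e.g. {"confidentiality": "MODERATE", "integrity": "HIGH", ...}."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        levels = [_check(getattr(t, objective), objective) for t in info_types]
        highest = max(levels, key=IMPACT_ORDER.__getitem__)
        # A system-level value cannot be NA; FIPS 199 floors it at LOW.
        category[objective] = "LOW" if highest == "NA" else highest
    return category


def overall_impact(category):
    """FIPS 200 high-water mark across the three objectives."""
    return max(category.values(), key=IMPACT_ORDER.__getitem__)


def baseline_for(info_types):
    """Name of the initial control baseline (LOW / MODERATE / HIGH)."""
    return overall_impact(system_category(info_types))


# Constructed sample information types (hypothetical, not from SP 800-60).
SAMPLE = [
    InfoType("public web content", "NA", "MODERATE", "LOW"),
    InfoType("personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment processing", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    sc = system_category(SAMPLE)
    print("SC = {" + ", ".join(f"({o}, {v})" for o, v in sc.items()) + "}")
    print("overall impact / initial baseline:", overall_impact(sc))
```

Note that the integrity rating of a single information type (payment processing) pulls the whole system to the HIGH baseline, which is exactly the effect an auditor checks for when reviewing a categorization.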

18 FITSP–A Course Outline
  US Government Laws
  Risk Management Framework Overview
  Gap Analysis
  Categorization
  Security Control Selection
  Security Control Implementation
  Security Control Assessment
  Authorization
  Continuous Monitoring
  Management Controls
  Operational Controls
  Technical Controls

First, we'll review the laws and regulations that shape the Risk Management Framework (RMF) standards and guidelines. An understanding of US laws relating to information security is key to knowing how to stay current with the federal mandates that drive these standards. It will also unveil the rapidly changing operational authorities of the agencies providing leadership and guidance throughout the RMF process. Then we will give an overview of the RMF and lay the foundation on which the rest of the course builds. Gap analysis is the term we use for evaluating information systems that are in place and operational against the RMF, to determine the gap between the security controls in place and the requirements needed to evaluate and mitigate risk to an acceptable level. If the system is in development, the RMF steps are executed within the context of the SDLC. Results are documented in the System Security Plan. Once risk to the information system has been assessed and mitigated, the security controls must be tested to ensure they are implemented correctly, operating as intended, and producing the desired outcome. The evaluation and recommended remediation are documented in the Security Assessment Report, followed by a formal declaration for remediation in the Plan of Actions and Milestones, which is the first task in the Authorization step of the RMF.

19 Authorization is the careful evaluation of the documentation supporting risk management, and an official, executive-level decision that the risk imposed by the information system is acceptable, permitting the information system to operate in a production environment. Accountability is the primary objective of the Authorization step. We shall conclude with Continuous Monitoring. With the new RMF replacing the old C&A, the single most relevant and game-changing task is to document a monitoring strategy for each security control listed in your SSP; this will be the foundation of your continuous monitoring program.

20 Course Material
Public Domain Reference Documents
Activity Files and Other Miscellaneous:
  2011 FISMA Report
  2012 Reporting Metrics for CIOs/OIGs/SAOPs/Micro Agencies
  Relevant OMB Memos (listed and unlisted)
  FedRAMP ConOps
Bookmark these websites! As FISMA compliance information is updated, so will these web links be.

21 Course Evaluation - Continuous Monitoring of Student Feedback
  Good – What did you like about today's session?
  Bad – What would you like to see different in tomorrow's session?
  Opportunity – This is your class! Frequent input allows for corrective action to mitigate the risk of disappointment.
  End of Course Survey

You are given the opportunity, throughout the presentation of this course, to control the direction, tone, pace, focus and discussion. This is your class, and adjustments based on your feedback are critical for you to get the most out of this training.

22 Questions?
Next Module: US Government Laws

