Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.

Published byDomenic Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013."— Presentation transcript:

1 Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013

2 National Institute of Standards and Technology 2 FISMA Legislation Overview “Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” -- Federal Information Security Management Act of 2002

3 Information Security Program Adversaries attack the weakest link…where is yours? Risk assessment Security planning Security policies and procedures Contingency planning Incident response planning Security awareness and training Physical security Personnel security Certification, accreditation, and security assessments Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Firewalls and network security mechanisms Intrusion detection systems Security configuration settings Anti-viral software Smart cards Links in the Security Chain: Management, Operational, and Technical Controls

4 A Closer Look NIST FISMA NIST USGCB DOD DISA DHS NVDB OMB Audits (Scorecard)

5 National Institute of Standards and Technology 5 Managing Enterprise Risk The Framework In system security plan, provides a an overview of the security requirements for the information system and documents the security controls planned or in place SP 800-18 Security Control Documentation Defines category of information system according to potential impact of loss FIPS 199 / SP 800-60 Security Categorization Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system SP 800-53 / FIPS 200 Security Control Selection Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements SP 800-53A / SP 800-37 Security Control Assessment SP 800-53 / FIPS 200 / SP 800-30 Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP 800-37 System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP 800-37 Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness Implements security controls in new or legacy information systems; implements security configuration checklists Security Control Implementation SP 800-70 Starting Point

6 SysOps Process Risk Management (Baseline of Security Controls) Document (Change Request) Implement (Test Server) Authorize (Review BoardAuthorize (Review Board) Monitor [Responsible] (tools)

7

8

9 United States Department of Treasury’s Departmental Offices Monthly Security Updates Program Server(s) Classification

10 Security Categorization FIPS Publication 199 LowModerateHigh Confidentiality The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Integrity The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Availability The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Example: An Enterprise Information System Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories SP 800-60

11 WORKS CITED NIST. Computer Security Resource Center. Federal Information Security Management Act (FISMA) Implementation Project. N.p., n.d. Web. 27 June 2013..

Download ppt "Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013."

Similar presentations

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Information Security Policies and Standards

Information Security Policies and Standards
Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.

Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Risk Assessment Frameworks

Risk Assessment Frameworks
Federal IT Security Professional - Manager FITSP-M Module 1.

Federal IT Security Professional - Manager FITSP-M Module 1.
Dr. Ron Ross Computer Security Division

Dr. Ron Ross Computer Security Division
Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.

Information System Security Control Architecture (ISSCA) Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Systems Under Attack Managing Enterprise Risk in Today's World of Sophisticated Threats and.
US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June.

US Federal Industrial Control System (ICS) Security Standards and Guidelines Keith Stouffer National Institute of Standards and Technology (NIST) June.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Framework & Standards

Information Security Framework & Standards
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Similar presentations

Ads by Google