Every week we bring you various compliance checks like PCI-DSS, HIPAA, ISO 27001 and SOX so as to make our readers aware of the various checklists that businesses need to follow in order to be compliant with it. Today we will discuss about FISMA.
FISMA stands for the Federal Information Security Management Act (FISMA). It was signed into law part of the Electronic Government Act of 2002. This act is required for the federal agencies to develop, document, and implement an information security management program for giving safeguard to their information systems which even includes those who are provided or managed by another agency, contractor, or third party.
Purpose of FISMA
The National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) are assigned specific responsibilities by FISMA in order to strengthen information security systems. The head of each agency is required to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.
National Institute of Standards and Technology (NIST)
NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems. NIST works closely with federal agencies to improve their understanding and implementation of FISMA to protect their information and information systems and publishes standards and guidelines which provide the foundation for strong information security programs at agencies.
It outlines nine steps toward compliance with FISMA:
Categorize the information to be protected.
Select minimum baseline controls.
Refine controls using a risk assessment procedure.
Document the controls in the system security plan.
Implement security controls in appropriate information systems.
Assess the effectiveness of the security controls once they have been implemented.
Determine agency-level risk to the mission or business case.
Authorize the information system for processing.
Monitor the security controls on a continuous basis.
Information Security Program
This program’s main objective is to ensure that the core information security principles namely confidentiality, integrity, authenticity, non-repudiation and availability of information and information systems are provided. The key elements of the program can be summarized as below:
Assignment of Responsibilities
This ensures that the right officials are assigned security responsibilities.
Periodic Assessments of Risk
This includes the risk and consequent impact on the agency and would eventually result from the unauthorized access, disclosure, use, disruption, destruction or modification of information and information systems supporting an agency’s operations and assets.
Policies and Procedures
The policies and procedures are being made to reduce the risks and to ensure that the security of information is addressed throughout the life cycle of each organizational information system in a properly documented manner and this type of procedures include detecting, responding, reporting to security incidents and procedures to ensure continuity of operations.
Security Awareness Training
All the personnel including the contractors are required to be trained in regards to information security principles and the security risks related to their job requirements, and an agency’s policies and procedures.
Periodic Testing and Evaluation
The test should be done annually after some days that the effectiveness of information security policies, procedures, practices.
A Process for Planning, Implementing, Evaluating, and Documenting Remedial Actions: It also has a process for addressing any deficiencies that might occur in the information security policies, procedures, and practices of the organization which needs to be implemented and documented by the agency.
Failure to Comply
If anyone fails a FISMA inspection, then it might have the following negative consequences:
Significant administrative sanctions
Reduction of IT budget
There are many who can help federal agencies with all the requirements mandated by FISMA.
Information Security Program Gap Analysis
The gap analysis of them is to help review the agency information security program and then identify it for the deficiencies and gaps that prevent the agency from achieving compliance.
Information Security Program Implementation
Enterprise Risk Management (ERM can provide support and guidance for the implementation of the information security program including the following key components:
Perform Risk Assessment
Develop and/or review Policies and Procedures
Provide Security Awareness Training
For testing and evaluating the security controls
For creating and documenting a formal agency-wide remediation program