
Page 1: Federal Information Security Management Act: An IG Perspective

FEBRUARY 2, 2004

Presented To: The President's Council on Integrity and Efficiency, Information Technology Round Table

Presented By: Russell A. Rau, Assistant Inspector General for Audits, Office of Inspector General, Federal Deposit Insurance Corporation

Page 2: Agenda

• FISMA: An IG Approach

• 2004 Issues

• Future Issues

• Challenges Facing IG Auditors

• New FISMA Working Group

• Questions and Answers

Page 3: FISMA: An IG Approach

• Multi-year strategy for auditing the agency information security program

– Strategy addresses the security program framework defined by FISMA

– Audits conducted throughout the year are risk-based and support the multi-year strategy

• FISMA evaluation led by in-house staff

• Contractor supports IG work by testing selected IT technical controls

Page 4: FISMA: An IG Approach

Targeted Audits Supporting FISMA

2002

• Physical Security

• Contractor Security

• Capital Planning

2003

• Network Security (multiple reviews)

• Incident Response

• Patch Management

• Risk Assessment

• Personnel Security

• IT Strategic Planning

• Contractor Security

Follow-up

2004

• Public Key Infrastructure

• Disaster Recovery

• Data Sensitivity

• Physical Security

• Network Perimeter Security

• Capital Planning & Investment Control

• Outside Agency Connections

• Configuration Management

Page 5: FISMA: An IG Approach

Evaluation Scope and Methodology

• Government Auditing Standards

• Reliance on prior audit and evaluation reports

• Independent testing and evaluation procedures

• Identified 10 key management controls associated with successful information security programs

• Key management controls based on federal laws, regulations, and guidelines

• Key management controls assessed using a traffic light scorecard tool

Page 6: FISMA: An IG Approach

• Government organizations such as GAO, OMB, and NIST have identified fundamental management controls needed for effective information security.

• These management controls are abstracted from long-standing requirements found in statutes, policies, and guidance. They cover topics such as:

– Risk Management

– Security Control Reviews

– Contingency Planning

– Access Controls

– Incident Response

Page 7: FISMA: An IG Approach

Fundamental security management principles and controls can be found in:

– NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems

– NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

– NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook

– GAO Executive Guide, Information Security Management: Learning From Leading Organizations

– FISMA and OMB Circular No. A-130, Appendix III

Page 8: FISMA: An IG Approach

Scorecard: each management control area is rated in two columns, Establishment of Controls and Implementation of Controls (the traffic light ratings are shown as colors on the original slide).

Management Control Area (NIST SP 800-26 reference)

– Security Responsibilities and Authorities (B.1)

– Security Performance Measures (B.3 & B.4)

– Integration of Security Activities (B.5 & B.6)

– Protection of Critical Assets and Operations (B.7)

– Computer Security Incident Response (B.8 & B.9)

– Information Security Risk Management (C.1)

– Contractor and Outside Agency Security (A.2a-b)

– Security Oversight (A.4, B.2, & C.2)

– Security Training (C.3)

– Capital Planning and Investment Control (C.4)

– Overall Assessment

Page 9: FISMA: An IG Approach

• Scorecard assessments based on assurance of adequate security:

– Green (Reasonable Assurance)

– Yellow (Limited Assurance)

– Red (Minimal/No Assurance)

• Assessments require professional judgment

• Scorecard provides a simple and effective method to communicate complex results

• Management actions to address scorecard results

– Performance measures to improve FISMA ratings

– Established a subcommittee of the Audit Committee

– "Getting to Green" Initiative

Page 10: FISMA 2004 Issues

• Leveraging Agency Reviews

– Placing greater reliance on CIO and agency program reviews

– Providing independent assurance of agency FISMA submissions

• Integrating FISMA evaluation and financial statement audit work

– Relying on FISMA results to obtain an understanding of internal controls

– Planning financial statement audit work based on FISMA results

Page 11: FISMA 2004 Issues

• Contractor Security

– Auditing major contractors that service multiple federal agencies

– Verifying minimum security requirements of contractors, such as security planning, training, etc.

• Enterprise Architecture Security Implications

– Ensuring major IT projects use security solutions that comply with the agency enterprise architecture

• Data Sensitivity

– Categorizing data

– Protecting sensitive data

Page 12: FISMA 2004 Issues

• Quantifying the Impact of Security Weaknesses

– Considering the cost-benefit of proposed security enhancements

– NIST FIPS 199 and Special Publication 800-60

• Certification and Accreditation (NIST Special Publication 800-37)

• Verifying the effectiveness of security controls required in federal information systems (NIST Special Publication 800-53A)
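The "Data Sensitivity: Categorizing data" item on the previous slide and the FIPS 199 / SP 800-60 reference above describe the same step: assign each information type an impact level (low, moderate, high, or not applicable for confidentiality of public information) for each of confidentiality, integrity and availability, then roll those up to a system security category using the FIPS 199 high-water mark, with low as the floor for a system. The example below is added here to make that rule concrete; it is not code from the FDIC OIG presentation, and the information types and their impact levels are constructed sample input, not provisional values from SP 800-60.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added worked example, not part of the original presentation. The sample
information types at the bottom are constructed for illustration; they are
not the provisional impact levels published in NIST SP 800-60.
"""
from typing import Dict, Iterable

# Impact levels in increasing order. "NA" (not applicable) is allowed by
# FIPS 199 only for the confidentiality objective of public information.
LEVELS = ["NA", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _check(objective: str, level: str) -> str:
    """Normalize one impact level and reject values FIPS 199 does not permit."""
    level = level.upper()
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"NA is only valid for confidentiality, not {objective}")
    return level


def categorize_info_type(confidentiality: str, integrity: str,
                         availability: str) -> Dict[str, str]:
    """Security category of one information type, i.e.
    SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    raw = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    return {obj: _check(obj, lvl) for obj, lvl in raw.items()}


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level among the inputs (the FIPS 199 high-water mark)."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels given")
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """System security category: for each objective, the high-water mark over
    every information type the system stores, processes or transmits.
    FIPS 199 does not allow NA at the system level (the system itself holds
    non-public management data), so LOW is the floor for each objective."""
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    sc = {}
    for obj in OBJECTIVES:
        hwm = high_water_mark(sc_t[obj] for sc_t in info_types.values())
        sc[obj] = "LOW" if hwm == "NA" else hwm
    return sc


def overall_impact(system_sc: Dict[str, str]) -> str:
    """Single impact level for the system: the highest of the three objectives."""
    return high_water_mark(system_sc.values())


# Constructed sample input (hypothetical information types and levels).
SAMPLE_INFO_TYPES = {
    "public web content":      categorize_info_type("NA", "MODERATE", "LOW"),
    "examiner contact lists":  categorize_info_type("LOW", "LOW", "LOW"),
    "bank examination data":   categorize_info_type("HIGH", "MODERATE", "MODERATE"),
}


def demo():
    """Categorize the sample system and return (system category, overall level)."""
    sc = categorize_system(SAMPLE_INFO_TYPES)
    return sc, overall_impact(sc)


if __name__ == "__main__":
    category, overall = demo()
    for objective, level in category.items():
        print(f"{objective:16s} {level}")
    print(f"overall impact   {overall}")
```

Running the sample gives a system category of HIGH confidentiality, MODERATE integrity and MODERATE availability, so the system as a whole is a HIGH-impact system even though only one of its information types is HIGH for one objective. That asymmetry is the point auditors should check when an agency's categorization looks too low: a single sensitive information type drives the whole system's rating.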

Page 13: Future FISMA Issues

• Timing of FISMA and Accountability Reports

• Interagency Issues

– Federal Bridge (Authentication and Encryption)

– Federal Enterprise Architecture

– Servicers that cross agency lines

Page 14: Challenges Facing IG Auditors

• How much audit work is enough?

• How much is too much?

• We can't fully evaluate everything every year!

At FDIC, we found a balance through a multi-year strategy of performance auditing.

Page 15: Challenges Facing IG Auditors

• Changing Criteria

– Planned revisions to OMB A-130

– Recently published NIST Special Publications:

800-50, Building an IT Security Awareness and Training Program

800-42, Guideline on Network Security Testing

800-36, Guide to Selecting IT Security Products

800-35, Guide to IT Security Services

800-64, Security Considerations in the Information SDLC

– And more to come:

Draft 800-53, Recommended Security Controls for Federal Information Systems

Draft 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems

• Impact of new technology, such as the wireless communications explosion

Page 16: Challenges Facing IG Auditors

• Impact of major events, such as the focus on disaster recovery following 9/11

• Inconsistent application of standards

– How does your agency define an information system?

– What constitutes a material weakness?

– How does your agency categorize information and information systems?

• Growing importance of IG auditors to be "technically capable" and possess professional certifications

Page 17: FISMA Working Group

• Established for the IG community under the Federal Audit Executive Council

• Promotes interagency coordination of information security and evaluation requirements established by FISMA

– FISMA update conferences and training

– Sharing lessons-learned

– Interacting with OMB, NIST, CIO Council and GAO

– Coordinating on issues and initiatives that cross agency lines

– For more information, contact Judy Hoyle at (202) 416-4088 or [email protected].

Page 18: Questions and Answers