Federal Information Security Management Act: An IG Perspective
FEBRUARY 2, 2004
Presented To: The President’s Council on Integrity and Efficiency, Information Technology Round Table
Presented By: Russell A. Rau, Assistant Inspector General for Audits, Office of Inspector General, Federal Deposit Insurance Corporation
Agenda
• FISMA: An IG Approach
• 2004 Issues
• Future Issues
• Challenges Facing IG Auditors
• New FISMA Working Group
• Questions and Answers
FISMA: An IG Approach
• Multi-year strategy for auditing the agency information security program
– Strategy addresses the security program framework defined by FISMA
– Audits conducted throughout the year are risk-based and support the multi-year strategy
• FISMA evaluation led by in-house staff
• Contractor supports IG work by testing selected IT technical controls
FISMA: An IG Approach
Targeted Audits Supporting FISMA
2002
• Physical Security
• Contractor Security
• Capital Planning
2003
• Network Security (multiple reviews)
• Incident Response
• Patch Management
• Risk Assessment
• Personnel Security
• IT Strategic Planning
• Contractor Security Follow-up
2004
• Public Key Infrastructure
• Disaster Recovery
• Data Sensitivity
• Physical Security
• Network Perimeter Security
• Capital Planning & Investment Control
• Outside Agency Connections
• Configuration Management
FISMA: An IG Approach
Evaluation Scope and Methodology
• Government Auditing Standards
• Reliance on prior audit and evaluation reports
• Independent testing and evaluation procedures
• Identified 10 key management controls associated with successful information security programs
• Key management controls based on federal laws, regulations, and guidelines
• Key management controls assessed using a traffic light scorecard tool
FISMA: An IG Approach
• Government organizations such as GAO, OMB, and NIST have identified fundamental management controls needed for effective information security.
• These management controls are abstracted from long-standing requirements found in statutes, policies, and guidance. They cover topics such as:
– Risk Management
– Security Control Reviews
– Contingency Planning
– Access Controls
– Incident Response
FISMA: An IG Approach
Fundamental security management principles and controls can be found in:
– NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
– NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
– NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
– GAO Executive Guide, Information Security Management: Learning From Leading Organizations
– FISMA and OMB Circular No. A-130 Appendix III
FISMA: An IG Approach
Scorecard layout: each Management Control Area is rated in two columns, Establishment of Controls and Implementation of Controls.
Management Control Areas:
• Security Responsibilities and Authorities (B.1)
• Security Performance Measures (B.3 & B.4)
• Integration of Security Activities (B.5 & B.6)
• Protection of Critical Assets and Operations (B.7)
• Computer Security Incident Response (B.8 & B.9)
• Information Security Risk Management (C.1)
• Contractor and Outside Agency Security (A.2a-b)
• Security Oversight (A.4, B.2, & C.2)
• Security Training (C.3)
• Capital Planning and Investment Control (C.4)
• Overall Assessment
FISMA: An IG Approach
• Scorecard assessments based on assurance of adequate security:
– Green (Reasonable Assurance)
– Yellow (Limited Assurance)
– Red (Minimal/No Assurance)
• Assessments require professional judgment
• Scorecard provides a simple and effective method to communicate complex results
• Management actions to address scorecard results
– Performance measures to improve FISMA ratings
– Established a subcommittee of the Audit Committee
– “Getting to Green” Initiative
FISMA 2004 Issues
• Leveraging Agency Reviews
– Placing greater reliance on CIO and agency program reviews
– Providing independent assurance of agency FISMA submissions
• Integrating FISMA evaluation and financial statement audit work
– Relying on FISMA results to obtain an understanding of internal controls
– Planning financial statement audit work based on FISMA results
FISMA 2004 Issues
• Contractor Security
– Auditing major contractors that service multiple federal agencies
– Verifying minimum security requirements of contractors, such as security planning, training, etc.
• Enterprise Architecture Security Implications
– Ensuring major IT projects use security solutions that comply with the agency enterprise architecture
• Data Sensitivity
– Categorizing data
– Protecting sensitive data
FISMA 2004 Issues
• Quantifying the Impact of Security Weaknesses
– Considering the cost-benefit of proposed security enhancements
– NIST FIPS 199 and Special Publication 800-60
• Certification and Accreditation (NIST Special Publication 800-37)
• Verifying the effectiveness of security controls required in federal information systems (NIST Special Publication 800-53A)
Future FISMA Issues
• Timing of FISMA and Accountability Reports
• Interagency Issues
– Federal Bridge (Authentication and Encryption)
– Federal Enterprise Architecture
– Servicers that cross agency lines
Challenges Facing IG Auditors
• How much audit work is enough?
• How much is too much?
• We can’t fully evaluate everything every year!
At FDIC, we found a balance through a multi-year strategy of performance auditing.
Challenges Facing IG Auditors
• Changing Criteria
– Planned revisions to OMB A-130
– Recently published NIST Special Publications:
800-50, Building an IT Security Awareness and Training Program
800-42, Guideline on Network Security Testing
800-36, Guide to Selecting IT Security Products
800-35, Guide to IT Security Services
800-64, Security Considerations in the Information SDLC
– And more to come…
Draft 800-53, Recommended Security Controls for Federal Information Systems
Draft 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
• Impact of new technology, such as wireless communications explosion
Challenges Facing IG Auditors
• Impact of major events, such as the focus on disaster recovery following 9/11
• Inconsistent application of standards
– How does your agency define an information system?
– What constitutes a material weakness?
– How does your agency categorize information and information systems?
• Growing importance of IG auditors to be “technically capable” and possess professional certifications
FISMA Working Group
• Established for the IG community under the Federal Audit Executive Council
• Promotes interagency coordination of information security and evaluation requirements established by FISMA
– FISMA update conferences and training
– Sharing lessons learned
– Interacting with OMB, NIST, CIO Council and GAO
– Coordinating on issues and initiatives that cross agency lines
– For more information, contact Judy Hoyle at (202) 416-4088 or [email protected].
Questions and Answers