
Federal Information Security Management Act (FISMA)

Federal Information Security Management Act (FISMA). By K. Brenner OCIO Internship Summer 2013. FISMA Legislation Overview.







  1. Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013

  2. FISMA Legislation Overview
  “Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” -- Federal Information Security Management Act of 2002

  3. Information Security Program
  Links in the Security Chain: Management, Operational, and Technical Controls
  • Risk assessment
  • Security planning
  • Security policies and procedures
  • Contingency planning
  • Incident response planning
  • Security awareness and training
  • Physical security
  • Personnel security
  • Certification, accreditation, and security assessments
  • Access control mechanisms
  • Identification & authentication mechanisms (biometrics, tokens, passwords)
  • Audit mechanisms
  • Encryption mechanisms
  • Firewalls and network security mechanisms
  • Intrusion detection systems
  • Security configuration settings
  • Anti-viral software
  • Smart cards
  Adversaries attack the weakest link…where is yours?

  4. A Closer Look: OMB Audits (Scorecard)

  5. Managing Enterprise Risk: The Framework
  • Security Categorization (FIPS 199 / SP 800-60), the starting point: defines the category of the information system according to the potential impact of loss.
  • Security Control Selection (SP 800-53 / FIPS 200): selects the minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system.
  • Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): uses risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements.
  • Security Control Documentation (SP 800-18): in the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place.
  • Security Control Implementation (SP 800-70): implements security controls in new or legacy information systems; implements security configuration checklists.
  • Security Control Assessment (SP 800-53A / SP 800-37): determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements.
  • System Authorization (SP 800-37): determines the risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing.
  • Security Control Monitoring (SP 800-37): continuously tracks changes to the information system that may affect security controls and assesses control effectiveness.

  6. SysOps Process

  7. United States Department of Treasury’s Departmental Offices Monthly Security Updates Program Server(s) Classification

  8. Security Categorization (SP 800-60)
  Example: An Enterprise Information System
  SP 800-60: Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories
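The categorization step from slide 5 and the SP 800-60 mapping on slide 8 boil down to a small rule: each information type a system handles gets a provisional impact level for confidentiality, integrity and availability, the system's security category is the high-water mark across those types, and the highest of the three objectives picks the FIPS 200 / SP 800-53 baseline (low, moderate or high). The following is an added worked example, not code from the presentation or from NIST; the information types and their impact levels are constructed sample values, not figures from SP 800-60's tables.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample input: provisional (C, I, A) impact levels for the information
# types an enterprise system processes. Hypothetical values for illustration only.
INFO_TYPES = {
    "personnel records": {"C": Impact.MODERATE, "I": Impact.MODERATE, "A": Impact.LOW},
    "public web content": {"C": Impact.LOW, "I": Impact.MODERATE, "A": Impact.LOW},
    "financial transactions": {"C": Impact.MODERATE, "I": Impact.HIGH, "A": Impact.MODERATE},
}


def categorize_system(info_types):
    """FIPS 199 system security category: for each objective (C, I, A), take the
    high-water mark (maximum) over every information type the system handles."""
    return {obj: max(levels[obj] for levels in info_types.values()) for obj in ("C", "I", "A")}


def overall_impact(category):
    """FIPS 200 rule: the system's overall impact level is the highest of the three
    objectives, and it selects the SP 800-53 baseline (the minimum control set)
    that the agency starts from before tailoring it via risk assessment."""
    return max(category.values())


def format_sc(category):
    """Render the category in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    names = {"C": "confidentiality", "I": "integrity", "A": "availability"}
    parts = ", ".join(f"({names[obj]}, {level.name})" for obj, level in category.items())
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    print(format_sc(sc))
    print("Overall impact:", overall_impact(sc).name, "-> select the", overall_impact(sc).name.lower(), "baseline")
```

Note that a single HIGH integrity rating on one information type pulls the whole system to the high baseline, which is why agencies review provisional levels per system rather than accepting the SP 800-60 defaults unchanged.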

  9. WORKS CITED
  • NIST. Computer Security Resource Center. Federal Information Security Management Act (FISMA) Implementation Project. N.p., n.d. Web. 27 June 2013. <http://www.nist.gov/itl/csd/soi/fisma.cfm>.
