
Introduction to FISMA – Federal Information Security Management Act

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
The Federal Information Security Management Act (FISMA) is Title III of the E-Government Act. It requires each U.S. federal agency to develop, document, and implement an agency-wide program that provides information security for the information and information systems supporting the agency's operations and assets, including those provided or managed by another agency, a contractor, or any other source.

Overview

FISMA assigns specific responsibilities to federal agencies and requires the head of each agency to:

- Plan for security

- Ensure that appropriate officials are assigned security responsibility

- Periodically review the security controls in their information systems

- Authorize system processing prior to operations and periodically thereafter


The FISMA guidelines ensure that officials understand the risks and other factors that could adversely affect their missions, and that they know the current status of their security programs and of the security controls planned or in place to protect their information and information systems. With that understanding they can make informed judgments and investments that mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, meaning security commensurate with risk, including the magnitude of harm that would result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.


As a key element of the FISMA Implementation Project, NIST also developed an integrated Risk Management Framework that brings together all of the FISMA-related security standards and guidance, promoting the development of comprehensive and balanced information security programs by agencies.


FISMA Framework


FISMA defines a framework for managing information security, and the National Institute of Standards and Technology (NIST) publishes the standards and guidelines that provide the foundation for strong information security programs at agencies in accordance with FISMA.


Steps involved:

1. Identify assets and define an inventory of information systems

2. Categorize the information to be protected

3. Decide on minimum security requirements and define the minimum set of controls

4. Define a risk assessment procedure and identify risks and mitigation plans

5. Prepare a comprehensive system security plan and implement the security controls

6. Review the effectiveness of the system controls and certify them

7. Authorize the information system to operate, together with formal acceptance of any open risks

8. Continuously monitor the security controls


Scope of Information Security Program


An effective information security program should include:



  • Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization

  • Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system

  • Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate

  • Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks

  • Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually

  • A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization

  • Procedures for detecting, reporting, and responding to security incidents

  • Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.


FISMA Security Controls


The security controls (NIST Special Publication 800-53) were developed using inputs from a variety of sources, including Department of Defense (DoD) policy, ISO/IEC Standard 17799, the General Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM), and the Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) Core Security Requirements.

The security controls cover the following topic areas:


- Risk Assessment;

- Certification, Accreditation and Security Assessments;

- System Services and Acquisition;

- Security Planning;

- Configuration Management;

- System and Communications Protection;

- Personnel Security;

- Awareness and Training;

- Physical and Environmental Protection;

- Media Protection;

- Contingency Planning;

- Maintenance;

- System and Information Integrity;

- Incident Response;

- Identification and Authentication;

- Access Control; and

- Accountability and Audit


FISMA Risk Management Framework



The Risk Management Framework provides a structured yet flexible approach for managing the portion of risk that results from incorporating information systems into the mission and business processes of the organization. The risk management concepts are intentionally broad-based; the specific details of assessing risk and employing appropriate risk mitigation strategies are provided by the supporting NIST security standards and guidelines.


Key Standards and Guidelines


- FIPS Publication 199 (Security Categorization)

- FIPS Publication 200 (Minimum Security Controls)

- NIST Special Publication 800-18 (Security Planning)

- NIST Special Publication 800-30 (Risk Assessment)

- NIST Special Publication 800-37 (System Risk Management Framework)

- NIST Special Publication 800-39 (Enterprise-Wide Risk Management)

- NIST Special Publication 800-53 (Recommended Security Controls)

- NIST Special Publication 800-53A (Security Control Assessment)

- NIST Special Publication 800-59 (National Security Systems)

- NIST Special Publication 800-60 (Security Category Mapping)

