1. Federal Information Security Management Act: An IG Perspective
FEBRUARY 2, 2004
Presented To: The President’s Council on Integrity and Efficiency
Information Technology Round Table
Presented By: Russell A. Rau, Assistant Inspector General for Audits
Office of Inspector General
Federal Deposit Insurance Corporation
2. Agenda
FISMA: An IG Approach
2004 Issues
Future Issues
Challenges Facing IG Auditors
New FISMA Working Group
Questions and Answers
3. FISMA: An IG Approach
Multi-year strategy for auditing the agency information security program
Strategy addresses the security program framework defined by FISMA
Audits conducted throughout the year are risk-based and support the multi-year strategy
FISMA evaluation led by in-house staff
Contractor supports IG work by testing selected IT technical controls
4. FISMA: An IG Approach
2002:
Physical Security
Contractor Security
Capital Planning
2003:
Network Security (multiple reviews)
Incident Response
Patch Management
Risk Assessment
Personnel Security
IT Strategic Planning
Contractor Security Follow-up
5. FISMA: An IG Approach
Evaluation Scope and Methodology
Government Auditing Standards
Reliance on prior audit and evaluation reports
Independent testing and evaluation procedures
Identified 10 key management controls associated with successful information security programs
Key management controls based on federal laws, regulations, and guidelines
Key management controls assessed using a traffic light scorecard tool
6. FISMA: An IG Approach
Government organizations such as GAO, OMB, and NIST have identified fundamental management controls needed for effective information security.
These management controls are abstracted from long-standing requirements found in statutes, policies, and guidance. They cover topics such as:
Risk Management
Security Control Reviews
Contingency Planning
Access Controls
Incident Response
7. FISMA: An IG Approach
Fundamental security management principles and controls can be found in:
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
GAO Executive Guide, Information Security Management: Learning From Leading Organizations
FISMA and OMB Circular No. A-130, Appendix III
8. FISMA: An IG Approach
9. FISMA: An IG Approach
Scorecard assessments based on assurance of adequate security:
Green (Reasonable Assurance)
Yellow (Limited Assurance)
Red (Minimal/No Assurance)
Assessments require professional judgment
Scorecard provides a simple and effective method to communicate complex results
Management actions to address scorecard results
Performance measures to improve FISMA ratings
Established a subcommittee of the Audit Committee
“Getting to Green” Initiative
10. FISMA 2004 Issues
Leveraging Agency Reviews
Placing greater reliance on CIO and agency program reviews
Providing independent assurance of agency FISMA submissions
Integrating FISMA evaluation and financial statement audit work
Relying on FISMA results to obtain an understanding of internal controls
Planning financial statement audit work based on FISMA results
11. FISMA 2004 Issues
Contractor Security
Auditing major contractors that service multiple federal agencies
Verifying minimum security requirements of contractors, such as security planning, training, etc.
Enterprise Architecture Security Implications
Ensuring major IT projects use security solutions that comply with the agency enterprise architecture
Data Sensitivity
Categorizing data
Protecting sensitive data
12. FISMA 2004 Issues
Quantifying the Impact of Security Weaknesses
Considering the cost-benefit of proposed security enhancements
NIST FIPS 199 and Special Publication 800-60
Certification and Accreditation (NIST Special Publication 800-37)
Verifying the effectiveness of security controls required in federal information systems (NIST Special Publication 800-53A)
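The FIPS 199 categorization referenced on this slide (and the "how does your agency categorize information and information systems?" question later in the deck), carried through as a worked example. This is an added illustration, not material from the presentation or from FDIC; the information types, impact levels and function names are constructed for demonstration rather than taken from any agency's SP 800-60 mapping. It shows the two rules auditors most often find applied inconsistently: the per-objective high water mark across information types, and the fact that "not applicable" is valid only for the confidentiality of an information type, never for an information system.

```python
"""FIPS 199 security categorization, worked through in code.

Added illustration only (not from the presentation). The information types
and impact levels below are constructed for demonstration, not any agency's
actual SP 800-60 mapping.
"""
from typing import Dict, List, Optional

# FIPS 199 potential-impact values in increasing order. None stands for
# "not applicable", which FIPS 199 permits only for the confidentiality
# objective of an information type, never for integrity or availability and
# never for any objective of an information system.
IMPACT_RANK: Dict[Optional[str], int] = {None: 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoTypeSC = Dict[str, Optional[str]]


def info_type_errors(name: str, sc: InfoTypeSC) -> List[str]:
    """Return the ways an information-type categorization violates FIPS 199."""
    errors: List[str] = []
    for obj in OBJECTIVES:
        if obj not in sc:
            errors.append(f"{name}: missing security objective '{obj}'")
            continue
        level = sc[obj]
        if level not in IMPACT_RANK:
            errors.append(f"{name}: invalid impact value {level!r} for {obj}")
        elif level is None and obj != "confidentiality":
            errors.append(f"{name}: 'not applicable' is allowed only for confidentiality")
    return errors


def categorize_system(info_types: Dict[str, InfoTypeSC]) -> Dict[str, str]:
    """Derive the security category of an information system from the
    information types it processes, per FIPS 199: for each objective take the
    highest impact of any type (the "high water mark"), with a floor of LOW
    because a system cannot be assigned "not applicable"."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    problems = [e for name, sc in info_types.items() for e in info_type_errors(name, sc)]
    if problems:
        raise ValueError("; ".join(problems))
    system_sc: Dict[str, str] = {}
    for obj in OBJECTIVES:
        best = "LOW"
        for sc in info_types.values():
            level = sc[obj]
            if IMPACT_RANK[level] > IMPACT_RANK[best]:
                best = level  # rank above LOW implies a concrete level, not None
        system_sc[obj] = best
    return system_sc


def overall_impact(system_sc: Dict[str, str]) -> str:
    """Collapse the three objectives to one high-water-mark level; this single
    value is what selects a minimum security control baseline."""
    return max(system_sc.values(), key=lambda level: IMPACT_RANK[level])


# Constructed sample: a hypothetical claims-processing system handling three
# information types. The impact levels are invented for illustration.
SAMPLE_INFO_TYPES: Dict[str, InfoTypeSC] = {
    "public_notices":       {"confidentiality": None,       "integrity": "LOW",      "availability": "LOW"},
    "depositor_records":    {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment_instructions": {"confidentiality": "MODERATE", "integrity": "HIGH",     "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print("SC system =", sc)                       # {'confidentiality': 'MODERATE', 'integrity': 'HIGH', 'availability': 'MODERATE'}
    print("overall impact =", overall_impact(sc))  # HIGH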
13. Future FISMA Issues
Timing of FISMA and Accountability Reports
Interagency Issues
Federal Bridge (Authentication and Encryption)
Federal Enterprise Architecture
Servicers that cross agency lines
14. Challenges Facing IG Auditors
How much audit work is enough?
How much is too much?
We can't fully evaluate everything every year!
At FDIC, we found a balance through a multi-year strategy of performance auditing.
15. Challenges Facing IG Auditors
Changing Criteria
Planned revisions to OMB A-130
Recently published NIST Special Publications:
800-50, Building an IT Security Awareness and Training Program
800-42, Guideline on Network Security Testing
800-36, Guide to Selecting IT Security Products
800-35, Guide to IT Security Services
800-64, Security Considerations in the Information SDLC
And more to come:
Draft 800-53, Recommended Security Controls for Federal Information Systems
Draft 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
Impact of new technology, such as the explosion in wireless communications
16. Challenges Facing IG Auditors
Impact of major events, such as the focus on disaster recovery following 9/11
Inconsistent application of standards:
How does your agency define an information system?
What constitutes a material weakness?
How does your agency categorize information and information systems?
Growing importance of IG auditors being "technically capable" and possessing professional certifications
17. FISMA Working Group
Established for the IG community under the Federal Audit Executive Council
Promotes interagency coordination of information security and evaluation requirements established by FISMA
FISMA update conferences and training
Sharing lessons learned
Interacting with OMB, NIST, CIO Council and GAO
Coordinating on issues and initiatives that cross agency lines
For more information, contact Judy Hoyle at (202) 416-4088 or jhoyle@fdic.gov.
18. Questions and Answers