1 N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a comprehensive information security program and report compliance to Congress Office of Management & Budget (OMB) on an annual basis. Non-compliance could result in IT funding cuts for the agency. Such regulatory requirements call for agencies to implement Managerial, Operational and Technical IT controls. It isn t enough to simply have mechanisms and personnel in place to deal with security problems, FISMA also requires that you must prove compliance with the required controls. Unfortunately, most agencies are experiencing difficulty translating the regulation in to specific tasks, much less demonstrating compliance. With NetIQ s new Knowledge-Based Service Assurance, agencies are offered a multi-pronged approach that enables them to measure and manage risk, remain compliant with corporate policies and new legislation, manage operational configuration and change and provide increased network security, availability and performance.
2 ACHIEVING FISMA COMPLIANCE Information Security and Privacy regulations are purposely vague to ensure they cover a wide range of organizations over a long period of time without having to be amended by Congress. While this is necessary, it leaves organizations in the dark about how to ensure they are compliant with the regulation, so it is then up to the organization's management and security practitioners to determine how to comply. Compliance is aided by guidance from the enforcement agency or use of a generally accepted information security standard such as ISO or CobiT. In the case of FISMA, it will eventually be the final publication of the National Institute of Standards & Technology's (NIST) Federal Information Protection Standard (FIPS) 200 that provides the necessary detailed guidance to federal agencies. Guidance is currently provided in NIST Special Publication , "Recommended Security Controls for Federal Information Systems." However, even these documents do not help an organization know exactly how to configure a particular system to ensure it is adequately secure. NIST thus recommends the use of platform-specific technical checklists from sources such as the Defense Information Systems Agency's Security Technical Implementation Guides (DISA STIGs), the National Security Agency's Security Information Guides (NSA SIGs), and the Center for Internet Security's Benchmarks (CIS). Many security software vendors and consultants also provide additional guidance. Regulation FISMA Standard NIST (FIPS 200) Configuration Baseline DISA STIG NSA SIG CIS VENDOR UNDERSTANDING YOUR FISMA CHALLENGES While agencies want to do the right thing, there are many challenges in complying with FISMA from interpreting the regulation to providing the annual report to the OMB. Complying with FISMA can be both cost- and resource-prohibitive. In addition, auditing in the federal sector means overcoming a number of hurdles throughout the entire compliance process, including: >> Correctly balancing limited resources between FISMA compliance and other agency goals and mandates >> Objectively measuring compliance at the detailed control level consistently across systems >> Easily producing management and compliance-level reports on a regular basis >> Effectively creating a sustainable compliance process that operates efficiently year after year To help you overcome these challenges, NetIQ offers a wide range of solutions designed around a comprehensive Policy Compliance and Risk Management methodology.
3 THE NETIQ SOLUTION With NetIQ, you can assess your technical security posture, continuously ensure you operate within policy and implement cost-effective controls in your security environment to reduce risk and prove compliance. To enhance security and meet your regulatory compliance needs, it is essential to address both the people and technology aspects of your environment. Every component of NetIQ's methodology contains elements of both, but at its simplest, Compliance and Risk Management can be thought of as a three-phase lifecycle centered around a Policy Framework, producing Metrics & Reporting for every aspect. Control Assess Policy Compliance & Risk Management Policies Standards Guidelines SLAs OLAs Contracts Metrics & Reporting Operate From developing your policy framework to automatically producing many of the metrics and reports you need to demonstrate compliance and reduce risk, NetIQ can help. Assess - Before you can implement additional security controls, you must first understand what IT assets you have and which assets are FISMA-compliant. NetIQ Vulnerability Manager can help you with all aspects of the assessment phase and even includes DISA STIG, CIS and NetIQ FISMA Essentials templates to measure system compliance. VigilEnt Policy Center provides everything you need for your Policy Framework and to assess your people compliance. Control - Once you understand your organization's deficiencies, you can begin remediating issues or implementing compensating controls. For issues that are minor or where the cost of remediation is greater than the risk, you can either accept the risk or transfer it to a third party through insurance or outsourcing. NetIQ Vulnerability Manager and NetIQ Security Manager are embedded with remediation instructions and features to automate remediation and both can be used as compensating controls. Operate - While assessments are a beginning, in today's IT threat environment it is important to operationalize security processes so that you are continuously monitoring and addressing security issues. NetIQ Security Manager offers a complete solution in this area from log management to security event monitoring to intrusion detection and management.
4 NETIQ S CUSTOMIZED SOLUTIONS While our general methodology provides you with a starting point for efficiently developing a Compliance and Risk Management solution, NetIQ understands that every agency and department has unique needs. NetIQ Professional Services has a staff of experienced consultants with MCSE, CISSP, ITIL and CCSA certifications and security clearances. In addition, we work closely with several partners whose primary focus is delivering services and systems integration to federal agencies. This expertise enables us to work closely with your organization to create a customized FISMA solution that addresses your agency's requirements and fits in with its IT systems and processes. The Services we offer include: >> Policy development and updates >> Technical design workshops >> Installation, configuration and roll-out of NetIQ products >> Customization of NetIQ products and integration with third-party products NETIQ S FISMA PRODUCTS NetIQ's FISMA solution includes these best-of-breed products: VigilEnt Policy Center is a web-based product for developing, approving and distributing any type of document in your policy and planning framework. A FISMA library is available, along with thousands of pre-developed policies written by renowned policy author Charles Cresson Wood. It enables you to meet numerous requirements, including the first control requirement under all 17 NIST control families as well as all of your Awareness and Training requirements. NetIQ Security Compliance Suite - NetIQ Vulnerability Manager is a host-based configuration policy and vulnerability assessment tool. Use it to regularly run DISA STIG, CIS, or NetIQ FISMA Essentials templates to ensure that your systems are configured correctly and up-to-date on their security patches. You can also leverage NetIQ's real-time vulnerability feed from TruSecure can automatically test your systems for exposure or compromise by the latest exploits. NetIQ Security Compliance Suite - NetIQ Security Manager provides continuous monitoring of all your security events. Consolidate and correlate security events from multiple IDS, network devices and software platforms in a single console. You can also collect security, event and audit logs for easy viewing, retention and analysis. NetIQ Security Administration Suite enables you to easily manage your Active Directory and Group Policy environments. You can ensure that administrators have only the privileges they need, changes are properly authorized and tested before implementation and unauthorized changes are quickly detected.
5 MAPPING NETIQ S PRODUCTS TO FISMA This table provides you a quick view of how NetIQ products address each FISMA control family. NIST NetIQ Solutions Class Control Family Policy Center Compliance Suite Administration Suite Managerial Risk Assessment Planning System & Services Acquisition Certification, Accredidation & Security Assessments Operational Personnel Security Physical & Environmental Protection Contingency Planning Configuration Management Maintenance System & Information Integrity Technical Media Protection Incident Response Awareness & Training Identification & Authentication Access Control Audit & Accountability System & Communications Protection Contacts Worldwide Headquarters NetIQ Corporation 3553 North First Street San Jose, CA fax sales NetIQ EMEA +44 (0) NetIQ Japan NetIQ Australia & New Zealand For our offices in Latin America & Asia Pacific, please visit our web site at VigilEnt Policy Center, NetIQ Security Compliance Suite, NetIQ Vulnerability Manager, NetIQ Security Manager, NetIQ Security Administration Suite, NetIQ and the NetIQ logo are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names may be trademarks or registered trademarks of their respective companies NetIQ Corporation, all rights reserved. DS50172FMVM MB 0905
RSA Security Brief Security Compliance in a Virtual World Best Practices to Build a Solid Foundation Authors Bret Hartman, Chief Technology Officer, RSA, the Security Division of EMC Dr. Stephen Herrod,
Best Practices for Security and Compliance with Amazon Web Services A Trend Micro White Paper I April 2013 Contents Executive Summary...2 Defining Cloud Computing...2 SERVICE MODELS...3 DEPLOYMENT MODELS...5
Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services Managing Governance, Risk, and Compliance for Cloud Information Security Introduction Businesses today are
Improving Security Vulnerability and Configuration Management through a Service Oriented Architecture Approach Overcoming the challenges to security vulnerability and compliance management through NIST
Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security, streamline compliance reporting, and reduce the overall
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
WHITE PAPER Considerations and Solutions: Juniper Networks and Compliance with Standards and Regulations Copyright 2009, Juniper Networks, Inc. Table of Contents Table of Figures Introduction...1 Defining
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
Overcoming Active Directory Audit Log Limitations Written by Randy Franklin Smith President Monterey Technology Group, Inc. White Paper 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains
Dynamic Data Center Compliance with Tripwire and Microsoft white paper Configuration Control for Virtual and Physical Infrastructures For IT, gaining and maintaining compliance with one or more regulations
IBM Global Technology Services Thought Leadership White Paper May 2011 Selecting a Managed Security Services Provider: The 10 most important criteria to consider 2 Selecting a Managed Security Services
Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of
COMPREHENSIVE SECURITY ASSESSMENT SYSTEMIZATION Developed by Jesse C. Schroeder August 08, 2015 For Western Governors University Completion of the Masters of Information Security & Assurance Contents COMPREHENSIVE
White Paper Achieving Security through Compliance Policies, plans, and procedures Part I By Jeff Tucker, Principal Security Consultant McAfee Foundstone Professional Services Table of Contents Overview
SECURITY OPERATIONS CENTER (SOC) Implementing Security Monitoring in Small and Mid-Sized Organizations A White Paper Presented by: MindPoint Group, LLC 8078 Edinburgh Drive Springfield, VA 22153 (o) 703.636.2033
Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability
S P E C I A L F O C U S S U P P L E M E N T 360-degree security Converged security takes a holistic approach to safeguarding your company Ask what computer security means and many people respond with the
Staying Secure in a Cloudy World The unprecedented rate at which organizations have adopted cloud computing has fundamentally transformed business and government computing infrastructure. IT market researcher
Continuous Cyber Situational Awareness Continuous monitoring of security controls and comprehensive cyber situational awareness represent the building blocks of proactive network security. A publication
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 M-10-15 April 21, 2010 MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES FROM: Jeffrey Zients Deputy Director
Guidance for Addressing Cybersecurity in the Chemical Sector December 2004 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the State of
VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND