FISMA Compliance: Making the Grade



Similar documents
IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

FREQUENTLY ASKED QUESTIONS

Using QUalysgUard to Meet sox CoMplianCe & it Control objectives

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Security Control Standard

Audit of the Board s Information Security Program

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NetIQ FISMA Compliance & Risk Management Solutions

Office of Inspector General

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Information Security Series: Security Practices. Integrated Contract Management System

2014 Audit of the Board s Information Security Program

Fiscal Year 2007 Federal Information Security Management Act Report

How To Check If Nasa Can Protect Itself From Hackers

VA Office of Inspector General

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

CA Vulnerability Manager r8.3

NASA OFFICE OF INSPECTOR GENERAL

Office of Inspector General

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

How To Monitor Your Entire It Environment

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

VA Office of Inspector General

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

Improved Security Planning Needed for the Customer Technology Solutions Project

Information Security for Managers

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

SMITHSONIAN INSTITUTION

Department of Homeland Security

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

IT Security & Compliance. On Time. On Budget. On Demand.

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

Agency Security - What Are the Advantages and Disadvantages

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

White Paper. Understanding NIST FISMA Requirements

NARA s Information Security Program. OIG Audit Report No October 27, 2014

Evaluation of DHS' Information Security Program for Fiscal Year 2014

Criticial Need for Stronger Network Security. QualysGuard SaaS-based Vulnerability Management for Stronger Security and Verification of Compliance

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network

2012 FISMA Executive Summary Report

Addressing FISMA Assessment Requirements

Department of Homeland Security Office of Inspector General. DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

CORE Security and GLBA

Compliance Risk Management IT Governance Assurance

Audit of the Department of State Information Security Program

Get Confidence in Mission Security with IV&V Information Assurance

Network Security Audits for automated. Vulnerability Management for protecting

Security Control Standard

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

How To Improve Nasa'S Security

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

Total Protection for Compliance: Unified IT Policy Auditing

Information Technology Security Review April 16, 2012

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

a GAO GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

HOW TO PASS AN IT AUDIT

Continuous Network Monitoring

Qualys PC/SCAP Auditor

HHS Information System Security Controls Catalog V 1.0

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

BIG SHIFT TO CLOUD-BASED SECURITY

Payment Card Industry Data Security Standard

Simply Sophisticated. Information Security and Compliance

EPA s Computer Security Self-Assessment Process Needs Improvement

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

NUMBER OF MATERIAL WEAKNESSES

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

United States Patent and Trademark Office

Audit Report. Management of Naval Reactors' Cyber Security Program

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

REPORT ON FY 2006 FISMA AUDIT OF THE SMITHSONIAN INSTITUTION S INFORMATION SECURITY PROGRAM

The U.S. Department of Education s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2014 FINAL AUDIT REPORT

NOTICE: This publication is available at:

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

Avoiding the Top 5 Vulnerability Management Mistakes

POSTAL REGULATORY COMMISSION

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

STATEMENT OF MARK A.S. HOUSE OF REPRESENTATIVES

Symantec Control Compliance Suite. Overview

Office of Inspector General Audit Report

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

Transcription:

FISMA Compliance: Making the Grade A Qualys Guide to Measuring Risk, Enforcing Policies, and Complying with Regulations EXECUTIVE SUMMARY For federal managers of information technology, FISMA is one of the most challenging pieces of federal legislation to be enacted in recent years. On the one hand, FISMA imposes strong requirements to rapidly improve the security of government information, and it holds agencies fully accountable for their success in meeting this goal. On the other hand, for managers who can meet those requirements, there are new opportunities to refocus resources within security programs and to obtain tools to manage them adequately. As discussed in this White Paper, QualysGuard can help agencies meet FISMA requirements, reduce the cost of compliance, and use industry best practices to meet FISMA challenges head-on. FISMA Defined Formally titled The Federal Information Security Management Act of 2002, FISMA is part of the E-Government Act of the same year. FISMA s provisions fall into three major categories: assessment, enforcement, and compliance. The first pertains to determining the adequacy of the security of federal assets, the second requires that key information security provisions be implemented and managed, and the third establishes provisions for the management of each agency s information security program and the accountability of each agency for compliance and reporting. QualysGuard Supports FISMA Compliance To be successful in meeting FISMA requirements, federal agencies need automated tools to help them manage their security programs, perform continuous system assessments, support accurate reporting on compliance activities, and enable measurements of how well they are meeting all of FISMA s provisions. QualysGuard is the ideal tool for this purpose. Requiring no software to install or maintain, QualysGuard automates security audits, providing strong protection against the myriad of threats to federal agency technology. This Paper describes key provisions of FISMA and shows how QualysGuard supports compliance by enabling federal IT managers to collect, manage, and report on accurate information about their enterprise security posture.

QUALYSGUARD ASSESSES SECURITY FISMA Requires Agencies to: 1. ASSESS Measure the agency s security posture. 2. ENFORCE Ensure that security requirements are met. 3. COMPLY Assign accountability for results. See the full text of FISMA at csrc.nist.gov/policies/fismafinal.pdf Government Scorecard One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission critical systems. Obviously, an agency can t ensure its systems are secure if it can t account for all of its mission critical systems. Everything starts with the inventory, and this aspect must improve -- and improve quickly. Gov t Reform Subcommittee on Technology Information Policy, Intergovernmental Relations and the Census Chmn. Adam H. Putnam (R-FL) Remarks concerning the 2003 Federal Computer Security Report Card Recognizing that what cannot be measured cannot be improved, FISMA requires that agencies maintain an inventory of major information systems and a set of baseline system configuration requirements. Agencies must undertake regular security assessments with clear plans of action for correcting any issues found, and must handle security incidents as they are found. Inventory QualysGuard inventories the agency s network-attached hosts and IP devices through a series of advanced discovery techniques. During Certification and Accreditation, each system s assets can be identified and grouped together in various ways, such as by organization, operating system or network location. Most important for FISMA, QualysGuard maps the relationships between assets to help assign accountability and system ownership for inventoried assets. System Configuration Additional system configuration reports show more specific features, such as operating system, protocols and services present on each inventoried item. Vulnerabilities are identified by asset, allowing audits to be targeted as appropriate and enabling quick decisions about where to focus mitigation activity. Assessments Vulnerability assessments can be configured in a number of effective ways, including using scans input to risk assessments, displaying the likelihood and potential impact of exploitation, and mapping changes to the existence of vulnerabilities over time. Incident Handling and Response QualysGuard scans give an early warning of organizational exposure to new vulnerabilities, so that incidents are prevented before they even occur. Reports recommend mitigation techniques, including links to vendor web sites for downloading patches and other remedial resources. This feature fosters a unified organizational approach to potential incidents. It ensures that all system administrators have access to the same tool sets, the same knowledge about how to correct vulnerabilities and a common framework for response. Qualys, Inc. FISMA Security Guide Page 2

QUALYSGUARD SUPPORTS ENFORCEMENT Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source The Federal Information Security Management Act of 2002, 3544 Related Legislations Homeland Security Presidential Directive #7 (Critical Infrastructure Identification, Prioritization, and Protection) OMB Circular A-130 Appendix III (Security of Federal Automated Information Resources) FISMA requires the reporting of significant deficiencies. Agencies must identify and track material weaknesses, reporting progress on corrective action quarterly. Using a Plan of Action and Milestones (POA&M), each agency must commit to a schedule of remediation and is held accountable for completing each corrective task. The agency s success in undertaking corrective action and in improving compliance is tied directly to its requests for funding and to the budgets that are allocated for IT programs and systems. Management Accountability A fundamental new requirement imposed by FISMA is increased accountability of agencies and officials. QualysGuard addresses this requirement with a robust set of management reports showing the security status of assets owned by each organization and manager. This information documents accountability for enforcement in each agency for each person with authority for management of each asset. Reports can be configured to show a static moment in time or to view trends across time. Determination of Risk FISMA reinforces existing federal requirements to determine agency risk by mandating that agencies meet security objectives commensurate with the risk and magnitude of the harm inherent in that risk. QualysGuard reports identify the specific level of risk for each vulnerability identified in the network. In the next product release, system administrators and managers will be able to create user-defined risk levels, a particularly important feature for agencies with unique or self-defined assessment methodologies. Mitigation and Tracking Given FISMA s focus on measurement, enforcement and compliance, it is critical for agency managers to be able to track significant deficiencies and the remediation actions taken to correct them. With QualysGuard, system administrators can filter reports to show specific vulnerabilities and their recommended corrective measures. Trouble tickets can be assigned to appropriate personnel to enforce remediation requirements, and to ensure that enforcement is handled consistently across the agency. QualysGuard reports demonstrate the exact status of all mitigation activity. Items that have been corrected can be highlighted; vulnerabilities that are still active can be referred for follow-up activity. Qualys, Inc. FISMA Security Guide Page 3

QUALYSGUARD MEASURES COMPLIANCE FISMA introduces significant new requirements for regular reporting of information security program progress and results. With QualysGuard, FISMA compliance and reporting information is readily available at a moment s notice, including reports on the status of Certification and Accreditation tasks, ongoing monitoring of application systems, and updates on the status of the Plan of Action and Milestones activities. Reporting Management and technical reports can be produced to show any view of the enterprise, at any level of detail. Management can focus on particular vulnerabilities to quickly correct hot issues, such as exposures to the SANS Top 20 list of vulnerabilities. Trend information shows the history of the security program over time, including key changes to the level of threats and vulnerabilities. Strategic Planning FISMA provides for the full integration of information security management processes with strategic and operational planning. To ensure that each agency complies with FISMA s provisions, the Act requires that the success of the security program be highlighted in agency performance and financial planning reports. QualysGuard reports can help with the integration process. High-level reports showing overall status of security and asset management can be included in Exhibits 53 and 300B input to capital planning process. Improvements to security can be measured and used to support program management and operational planning activity. Training Agencies must have policies and procedures that support compliance and training for key ISS personnel. QualysGuard scan output and reports can show where policies and procedures need to be strengthened by highlighting trends where response was inadequate or where issues arose during remediation activity. Agency management can use these reports to assess staff response to vulnerabilities and determine requirements for additional training. Finally, QualysGuard contains many built-in training features, such as those that link to web sites with further information about risks and vulnerabilities, and how to correct security issues. Qualys, Inc. FISMA Security Guide Page 4

SUMMARY OF QUALYSGUARD S FISMA CAPABILITIES The table below provides a quick-reference view of how specific FISMA provisions are supported by QualysGuard s features, functions and capabilities. FISMA Requirement Specific accountability of agencies and officials Assess risk by seeking to meet defined security objectives Maintain an inventory of major systems and interconnections Regular security assessments and reviews Significant regular reporting of ISS program progress and results Tracking of significant deficiencies and remediation actions taken Incident response and prevention processes and capability QualysGuard Capability Regular reports show security status of assets owned by each organization and manager Summary reports show enterprise view for formal FISMA reporting Reports provide identification of levels of risk, including user-defined levels in next release Data can be used in risk assessments to support Certification and Authorization activity Managers can make risk-based decisions about asset management Tool can be used to uncover all assets in defined domain, including those previously undiscovered, to build and maintain the inventory Relationships between assets can be mapped to help assign accountability for inventoried assets Vulnerabilities are identified by asset, allowing audits to be targeted as appropriate Scans can be run and used as input to assessments Assessments are automated, reducing staffing costs, and include identification of likelihood and impact assist with Certification and Accreditation activity. Changes can be mapped over time to audit compliance with recommendations in earlier assessments Trend information includes changes to level of threats and vulnerabilities Management can focus on particular vulnerabilities to quickly correct hot issues, such as SANS Top 20 Reports can list corrected vs. still active vulnerabilities to show status of corrective action Data can be summarized to provide each level of management with their own view of security health System administrators can filter reports to show specific vulnerabilities and recommended corrective measures Trouble tickets can be assigned to appropriate personnel to enforce remediation requirements Reports show exact status of mitigation activity - corrected vs. still active vulnerabilities Scans give early warning of organizational exposure to new vulnerabilities Recommended mitigation actions foster unified organizational approach to potential incidents Specific vulnerabilities are mapped to assets for more rapid assessments and response Reports can be shared with internal and external incident response organizations Qualys, Inc. FISMA Security Guide Page 5

FISMA Requirement Compliance with minimum system configuration requirements Policies and procedures which support compliance and training for key ISS personnel Integration of security management processes with strategic and operational planning QualysGuard Capability Reports identify asset features and components such as OS, protocols and services The mapping of specific vulnerabilities to assets shows compliance with configuration management requirements Scan output and reports show where policies and procedures need to be strengthened ISS staff response to vulnerabilities can be assessed to determine where training is needed High-level reports showing overall status of security and asset management can be included in Exhibits 53 and 300B input to capital planning process Improvements to security can be measured and used to support program management and operational planning activity Qualys, Inc. FISMA Security Guide Page 6

References 1. Federal Information Security Management Act (FISMA, P.L. 107-347, Title III); December 17, 2002 http://www.csrc.nist.gov/p olicies/fisma-final.pdf 2. OMB Memorandum 03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003. http://www.whitehouse.go v/omb/memoranda/m03-19.pdf 3. The New FISMA Standards and Guidelines, Changing the Dynamic of Information Security for the Federal Government, Dr. Ron S. Ross, Computer Security Division, National Institute of Standards and Technology, posted at http://csrc.nist.gov/seccert/fisma-article-v15.pdf 4. Executive Order: Critical Infrastructure Protection in the Information Age, http://csrc.nist.gov/policie s/cip-infoage.html CONCLUSION According to NIST, Achieving adequate, cost-effective information system security.in an era where information technology is a commodity requires some fundamental changes in how the protection problem is addressed. 1 Because FISMA compliance is tied to program funding, agencies that do not meet its requirements risk losing critical program and system resources. However, in many agencies, the issue is not becoming compliant, but in managing the data that proves compliance. Sifting through mountains of data can be a daunting task, since it often must be done manually, with risk of errors. QualysGuard makes it possible to demonstrate compliance and to support funding requests without the need to dig into the underlying details. With a few clicks of a mouse, reports can be configured to show the exact status of the agency s security posture, the history of corrective action, the timing of response to incidents, and literally thousands of other statistics that contribute to FISMA compliance reporting. QualysGuard can help create a consistent, enterprise-wide view of each agency s security posture, creating ties between program activities such as assessment and remediation and showing managers at all organizational levels exactly where they stand in addressing security issues. Even when key program components to support FISMA are missing, QualysGuard fills in the gaps. By allowing for collection of a complete inventory, creation and enforcement of configuration management standards, and identification of risks to all inventoried assets, QualysGuard creates a unified, agency-wide, FISMAcompliant view of the state of the agency s security health. In short, WITHOUT QualysGuard, agencies may be non-compliant with FISMA s provisions, and at risk for further security issues. WITH QualysGuard, agencies can quickly see where they stand, correct those issues, and move forward with confidence towards a robust, well-managed security program. 1 The New FISMA Standards and Guidelines Qualys, Inc. FISMA Security Guide Page 7

ABOUT QUALYS, INC. Qualys is the market-leading Web Service Provider offering on-demand Network Security Audits and Vulnerability Management. Qualys enables large and small organizations to manage security from an attacker's perspective and fix real-world weaknesses before they are exploited. Qualys' web services are used simultaneously by executives and technicians to measure security effectiveness, enforce security policy, and comply with regulations. Thousands of customers rely on Qualys, including Hershey Foods, Hewlett Packard, and The Thomson Corporation. Qualys is headquartered in Redwood Shores, California, with global offices in France, Germany and the U.K. Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (800) 745 4355 www.qualys.com COPYRIGHT 2004 QUALYS, INC. ALL RIGHTS RESERVED. QUALYS, THE QUALYS LOGO, QUALYSGUARD, AND INTRANET SCANNER ARE TRADEMARKS OF QUALYS, INC. OTHER COMPANY, BRAND AND PRODUCT NAMES MAY BE MARKS OF THEIR RESPECTIVE OWNERS. Qualys, Inc. FISMA Security Guide Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information