How to Ace a FISMA Audit: An Auditor's Perspective


By Tyler Harding, Principal, Kearney & Company (tyler.harding@kearneyco.com)

Agenda

1. What can go wrong with the FISMA audit
2. Different OIG approaches to FISMA
3. Strategies for successful outcomes
4. Anticipating 2012 FISMA OIG questions
5. Closing thoughts and questions

What can go wrong?

- Wasted hours in countless meetings
- Endless disagreements with auditors
- Non-issues reported by the OIG
- IT resources and priorities shifted to address insignificant security risks
- Real security risks left unaddressed
- Bad audits hinder security program progress
- High distrust between the OIG and agency management
- Agency horror stories

What is a FISMA Audit?

FISMA legislation requires: "Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. Each evaluation shall include (a) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems; ... (e) The evaluation may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency."

Problem: OIGs interpret this requirement differently.

Three OIG Approaches to the Annual FISMA Audit / Evaluation Requirement

Characteristic                                                          Audit  Evaluation  Other
Performed to Government Auditing Standards (GAO); requires sufficient
  and appropriate evidence to provide reasonable assurance on the
  conclusions reached                                                     X
Performed to Quality Standards for Inspection and Evaluation (CIGIE)              X
Includes analysis of the agency's information security policies and
  procedures against FISMA legislation, OMB, and NIST guidance            X       X
Includes responses to the annual OMB / DHS questions                      X       X          X
Includes tests of control operating effectiveness for a representative
  subset of the agency's information systems                              X
Increased discussion of control weaknesses (condition, cause, criteria,
  effect, and recommendation)                                             X
Increased disclosure of objective, scope, methodology, sampling methods,
  fraud considerations, and criteria used                                 X

Key Audit Concepts

What is an audit?
- Involves the comparison of agency practices to a written standard (OMB, NIST, agency policy, etc.)
- Emphasis on internal controls and business processes

Audit implications for agencies:
- Golden rule: if it is not written down, then it doesn't count.
- Agency policies, procedures, and practices need to define in writing the who, what, where, why, and how.
- Agencies must define their technical standards and baseline security requirements.

Can you see the looming problems?

Key FISMA Challenge

IT management direction:
1. "Just get it done"
2. "I needed XYZ solution deployed yesterday"
3. "We need to be efficient"

OIG / audit community response:
1. Develop policies and procedures
2. Increased emphasis on paperwork
3. More IT security audits (cycle repeats)

Final outcomes:
1. Cost-effective risk management does not occur
2. FISMA becomes a paper exercise in security

How do we solve the FISMA audit problem?

Five Simple Strategies for Success

1. Understand the audit process
2. Practice good project management
3. Frequent communication with the OIG / auditor
4. Document only what is necessary
5. Expand the Continuous Monitoring Program to include a pre-FISMA self-assessment

Strategies for Success: (1) Understand the Audit Process

Typical FISMA audit processes

A. Planning phase
1. Scope and objectives
2. Audit announcement memo
3. Audit entrance meeting
4. Process walkthroughs and follow-up on prior-year findings
5. Auditors release the data call (i.e. the PBC list)

B. Performance phase
1. Confirm security controls exist and are properly designed
2. Detailed interviews with IT personnel
3. Analysis of PBC items
4. Testing of control operating effectiveness
5. Identify control deficiencies
6. OIG and IT department hold periodic status meetings

C. Reporting phase
1. Develop and issue written findings (Notice of Findings and Recommendations)
2. IT responds to individual findings
3. OIG issues a draft report inclusive of all significant findings for management comment
4. OIG and IT department hold an exit meeting to discuss audit results and conclusions
5. OIG revises the draft report and issues the final report with management comments

Strategies for Success: (2) Practice Project Management

Suggested project management activities for success (pre-audit)
1. Assign a senior management official to be responsible for the pre-FISMA effort
2. Create a simple project plan to prepare for the FISMA audit
3. Review prior-year FISMA audit issues
4. Review prior-year FISMA data requests for insight into the testing approach
5. Update PBC documents frequently requested by auditors (i.e. agency IT security policies, organizational charts, etc.) 2-3 months prior to the audit
6. Update Plans of Action and Milestones
7. Update the Continuous Monitoring approach
8. Conduct a pre-audit of commonly tested audit areas and triage weaknesses
9. Request the auditor's FISMA PBC list 4 weeks in advance of the audit

Project management goal: get the IT auditors OUT of your IT department fast!

Shorter IT audits translate into:
1. Fewer audit findings
2. A focused FISMA audit or evaluation
3. Fewer distractions for the IT department
4. Happy OIG, CIO, and agency management

Strategies for Success: (3) Frequent Communication

Suggested communication activities
1. Assign a senior management official to be responsible for communicating with the IT auditors
2. Assign a single agency point of contact for all data requests (preferably an internal control specialist with audit experience)
3. Contact the OIG / external auditors to learn the testing timeframe, testing approach, etc. 3-6 months before the FISMA audit begins
4. Request the auditor's FISMA PBC list and necessary meetings (walkthroughs) 4 weeks in advance of the FISMA audit start
5. Schedule meetings between the IT department and the IT auditor well in advance (2 weeks or more)
6. Develop ground rules for ad-hoc meetings during the audit
   a. Meeting agenda distributed 48 hours in advance of any scheduled meeting
   b. Required meeting attendees
7. Kick-off meeting: cover key FISMA audit areas
   a. Agency's implementation of the NIST Risk Management Framework and agency security policy
   b. Ground rules for managing and reporting findings: the agency needs sufficient time (7 days) to verify facts and respond to any recommendations
   c. Auditor's project timeline (when responses are due back to the OIG)
8. Require weekly meetings to (a) review updates to the PBC list with the auditor, (b) discuss preliminary concerns / observations, and (c) confirm the last day of fieldwork!

Goals of frequent communication:
1. Happy auditors are more understanding of IT challenges
2. Get the IT auditors IN and OUT of your IT department fast
3. Avoid instances of miscommunication
4. Establish reasonable project timelines
5. Provide the IT department adequate time to respond to findings

Strategies for Success: (4) Targeted Documentation

Targeted documentation activities
1. Adopt a Keep-It-Simple-Stupid (KISS) strategy
   a. Do not over-document
   b. Utilize templates (MS Excel, MS Word) wherever possible
   c. Avoid regurgitating NIST SP 800-53 controls
2. Prioritize documentation efforts
   a. Prior-year findings
   b. Updates to existing security policies to meet OMB / DHS requirements
   c. Frequently requested PBC items (POA&Ms, contingency plans)
   d. Current-year OMB / DHS priority areas (Continuous Monitoring Plan)

Goals of targeted documentation:
1. Avoid documentation for the auditor's sake
2. Document only what is necessary to establish the agency standard
3. Avoid petty findings of "Establish policies and procedures to ..."

Strategies for Success: (5) Pre-FISMA Self-Assessment

Suggested pre-FISMA self-assessment activities
1. Identify frequently tested FISMA audit areas with operational components
   a. Access controls (employee separations, employee transfers)
   b. Configuration management
   c. Vulnerability management (security patching, vulnerability identification, and remediation)
   d. Plans of Action and Milestones
   e. Contingency plan testing / disaster recovery
2. Integrate FISMA self-assessment activities into the broader Continuous Monitoring Program

Goals of pre-FISMA self-assessments
1. Identify and correct weaknesses before the IT auditors do
2. Demonstrate automated and manual aspects of Continuous Monitoring
3. Improve agency risk management practices and security posture

Draft 2012 OIG FISMA Questions

Proposed 2012 OIG FISMA questions (January 2012 draft)
1. OIGs to validate the accuracy of 2011 CIO responses
2. Inclusion of cloud computing questions in the FISMA inventory
3. Emphasis on evaluating the agency's Continuous Monitoring Program
4. Expansion from 11 questions to 17 OIG FISMA questions; each question has 5 to 8 sub-questions
5. New OIG questions in the areas of cloud computing, asset management, vulnerability management, data protection, boundary protection, network security protocols, and enterprise security architecture
6. Each OIG question has a quantitative aspect and a subjective aspect (i.e. a compare-and-contrast question)

(Caveat: the 2012 OIG questions were draft and are likely to change.)

General observations
1. Positive change to see emphasis on real-time risk management via automation versus emphasis on paper compliance
2. Overall, OIG questions are more technical than in prior years, particularly in the areas of network boundary protection and perimeter network security protocols
3. Level of effort to prepare OIG FISMA responses is significantly greater than in prior years
4. OIGs are directed to report significant issues rather than minor items of non-compliance

Closing Thoughts

"A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila." - Mitch Ratcliffe

Questions

Contact information: Tyler Harding, Principal, tyler.harding@kearneyco.com, Phone: 703-244-8137