How to Ace a FISMA Audit: An Auditor's Perspective
By Tyler Harding, Principal, Kearney & Company
tyler.harding@kearneyco.com
Agenda
1. What can go wrong with the FISMA Audit
2. Different OIG Approaches to FISMA
3. Strategies for Successful Outcomes
4. Anticipating 2012 FISMA OIG Questions
5. Closing Thoughts and Questions
What can go wrong?
- Wasted hours in countless meetings
- Endless disagreements with auditors
- Non-issues reported by OIG
- IT resources and priorities shifted to address insignificant security risks
- Real security risks left unaddressed
- Bad audits hinder Security Program progress
- High distrust between OIG and Agency Management
- Agency horror stories
What is a FISMA Audit?
FISMA legislation requires: "Each year each agency shall perform an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. Each evaluation shall include (a) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems; ... (e) The evaluation may be based in whole or in part on an audit, evaluation or reporting relating to programs or practices of the applicable Agency."
Problem: OIGs interpret the requirement differently.
3 Approaches to FISMA Audits
Three OIG Approaches to the Annual FISMA Audit / Evaluation Requirement

Characteristic | Audit | Evaluation | Other
Performed to Government Auditing Standards (GAO): requires sufficient and appropriate evidence to provide reasonable assurance on conclusions reached | X | | 
Quality Standards for Inspection & Evaluation (CIGIE) | | X | 
Includes analysis of the Agency's information security policies and procedures against FISMA legislation, OMB, and NIST guidance | X | X | 
Includes responses to annual OMB / DHS questions | X | X | X
Includes tests of the operating effectiveness of controls for a representative subset of the agency's information systems | X | | 
Increased discussion of control weaknesses (Condition, Cause, Criteria, Effect, & Recommendation) | X | | 
Increased disclosure of Objective, Scope, Methodology, Sampling Methods, Fraud Considerations, & Criteria Used | X | | 
Key Audit Concepts
What is an Audit?
- Involves the comparison of agency practices to a written standard (OMB, NIST, Agency policy, etc.)
- Emphasis on internal controls and business processes
Audit Implications to Agencies:
- Golden Rule: If it is not written down, then it doesn't count.
- Agency policies, procedures and practices need to define in writing the who, what, where, why, and how.
- Agencies must define their technical standards and baseline security requirements.
Can you see the looming problems?
Key FISMA Challenge
IT Management Direction:
1. "Just get it done"
2. "I needed XYZ solution deployed yesterday"
3. "We need to be efficient."
OIG / Audit Community Response:
1. Develop policies and procedures
2. Increased emphasis on paperwork
3. More IT security audits (cycle repeats)
Final Outcomes:
1. Cost-effective risk management does not occur
2. FISMA becomes a paper exercise in security
How to solve the FISMA Audit Program?
5 Strategies for Success
Five Simple Strategies for Success
1. Understand the audit process
2. Practice good Project Management
3. Frequent communication with OIG / Auditor
4. Document only what is necessary
5. Expand Continuous Monitoring Program to include a Pre-FISMA Self Assessment
Strategies for Success: (1) Understand the Audit Process
Typical FISMA Audit Processes
A. Planning Phase
1. Scope & Objectives
2. Audit Announcement Memo
3. Audit Entrance Meeting
4. Process Walkthroughs and Follow-Up on Prior Year Findings
5. Auditors release data call (i.e. PBC List)
B. Performance Phase
1. Confirm security controls exist and are properly designed
2. Detailed interviews with IT personnel
3. Analysis of PBC items
4. Testing of control operating effectiveness
5. Identify control deficiencies
6. OIG and IT Department hold periodic status meetings
C. Reporting Phase
1. Develop and issue written findings (Notice of Findings and Recommendations)
2. IT responds to individual findings
3. OIG issues draft report inclusive of all significant findings for management comment
4. OIG and IT Department hold an Exit Meeting to discuss audit results and conclusions
5. OIG revises draft report and issues final report with management comments
Strategies for Success: (2) Practice Project Management
Suggested Project Management Activities for Success (Pre-Audit)
1. Assign a Senior Management Official to be responsible for the Pre-FISMA effort
2. Create a simple Project Plan to prepare for the FISMA Audit
3. Review prior year FISMA audit issues
4. Review prior year FISMA data requests for insight into the testing approach
5. Update PBC documents frequently requested by auditors (e.g. Agency IT security policies, organizational charts, etc.) 2-3 months prior to the audit
6. Update Plans of Actions and Milestones
7. Update Continuous Monitoring Approach
8. Conduct a Pre-Audit of commonly tested audit areas and triage weaknesses
9. Request the Auditor's FISMA PBC list 4 weeks in advance of the audit
Project Management Goal: Get the IT auditors OUT of your IT Department fast!
Shorter IT Audits Translate into:
1. Fewer Audit Findings
2. Focused FISMA Audit or Evaluation
3. Fewer distractions for the IT Department
4. Happy OIG, CIO and Agency Management
Strategies for Success: (3) Frequent Communication
Suggested Communication Activities
1. Assign a Senior Management Official to be responsible for communicating with IT Auditors
2. Assign a single Agency Point of Contact for all data requests (preferably an Internal Control specialist with audit experience)
3. Contact OIG / External Auditors to learn testing timeframe, testing approach, etc. 3-6 months before the FISMA Audit begins
4. Request the Auditor's FISMA PBC list and necessary meetings (walkthroughs) 4 weeks in advance of the FISMA audit start
5. Schedule meetings between the IT Department and the IT Auditor well in advance (2 weeks +)
6. Develop Ground Rules for ad-hoc meetings during the audit
   a. Meeting Agenda distributed 48 hours in advance of any scheduled meeting
   b. Required meeting attendees
7. Kick-Off Meeting: Cover Key FISMA Audit Areas
   a. Agency's implementation of the NIST Risk Management Framework and Agency Security Policy
   b. Ground Rules for managing and reporting findings: the Agency needs sufficient time (7 days) to verify facts and respond to any recommendations
   c. Auditor's Project Timeline (when are responses due back to OIG)
8. Require weekly meetings to (a) review updates to the PBC list with the Auditor, (b) discuss preliminary concerns / observations, and (c) confirm the last day of fieldwork!
Goals of Frequent Communication:
1. Happy auditors are more understanding of IT challenges
2. Get the IT Auditors IN and OUT of your IT Department fast
3. Avoid instances of miscommunication
4. Establish reasonable project timelines
5. Provide the IT Department adequate time to respond to findings
Strategies for Success: (4) Targeted Documentation
Targeted Documentation Activities
1. Adopt a Keep-It-Simple-Stupid (KISS) strategy
   a. Do not over-document
   b. Utilize templates (MS Excel, MS Word) wherever possible
   c. Avoid regurgitating NIST SP 800-53 controls
2. Prioritize documentation efforts
   a. Prior year findings
   b. Updates to existing security policies to meet OMB / DHS requirements
   c. Frequently requested PBC items (POA&Ms, Contingency Plans)
   d. Current year OMB / DHS priority areas (Continuous Monitoring Plan)
Goals of Targeted Documentation:
1. Avoid documentation for the auditor's sake
2. Document only what is necessary to establish the Agency standard
3. Avoid petty findings of "Establish policies and procedures to..."
Strategies for Success: (5) Pre-FISMA Self Assessment
Suggested Pre-FISMA Self Assessment Activities
1. Identify frequently tested FISMA Audit areas with operational components
   a. Access Controls (employee separations, employee transfers)
   b. Configuration Management
   c. Vulnerability Management (security patching, vulnerability identification, and remediation)
   d. Plans of Actions & Milestones
   e. Contingency Plan Testing / Disaster Recovery
2. Integrate FISMA Self-Assessment activities into the broader Continuous Monitoring Program
Goals of Pre-FISMA Self Assessments
1. Identify and correct weaknesses before the IT auditors do.
2. Demonstrate automated and manual aspects of Continuous Monitoring
3. Improve Agency risk management practices and security posture
Draft 2012 OIG FISMA Questions
Proposed 2012 OIG FISMA Questions (January 2012 Draft)
1. OIGs to validate accuracy of 2011 CIO responses
2. Inclusion of cloud computing questions in the FISMA Inventory
3. Emphasis on evaluating the Agency's Continuous Monitoring Program
4. Expansion from 11 questions to 17 OIG FISMA questions; each question has 5 to 8 sub-questions
5. New OIG questions in the areas of Cloud Computing, Asset Management, Vulnerability Management, Data Protection, Boundary Protection, Network Security Protocols, and Enterprise Security Architecture
6. Each OIG question has a quantitative aspect and a subjective aspect (i.e. a compare-and-contrast question)
(Caveat: the 2012 OIG questions were draft and are likely to change.)
General Observations
1. Positive change to see emphasis on real-time risk management via automation versus emphasis on paper compliance
2. Overall, OIG questions are more technical than in prior years, particularly in the areas of network boundary protection and perimeter network security protocols
3. Level of effort to prepare OIG FISMA responses is significantly greater than in prior years
4. OIGs directed to report significant issues rather than minor items of non-compliance
Closing Thoughts
"A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila." - Mitch Ratcliffe
Questions
Contact Information
Tyler Harding, Principal
tyler.harding@kearneyco.com
Phone: 703-244-8137