The next generation of knowledge and expertise
|
|
- Clyde Simmons
- 6 years ago
- Views:
Transcription
1 The next generation of knowledge and expertise UNDERSTANDING FISMA REPORTING REQUIREMENTS 1 HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, (voice), (fax),
2 Background The Government Information Security Act of 2000 (GISRA) combined existing IT security requirements in previous legislation; the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Reform Act of 1996 (Clinger- Cohen). After GISRA expired in November 2002, The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government (E-Government) Act of FISMA includes new requirements targeted at further strengthening information and system security. Because FISMA applies to information and information systems used by the agency, contractors, and other organizations, it has a wider applicability than previous security laws. It applies to all organizations which possess or use Federal information, or which operate, use, or have access to Federal information systems, on behalf of a Federal agency, including contractors, state and local governments, and industry partners. It requires that agencies utilize a risk-based, cost-effective approach to secure their information and systems, identify and resolve current IT security weaknesses and risks, as well as protect against future vulnerabilities and threats 1 FISMA s scope includes periodic risk assessments; use of controls and techniques to comply with information security standards; training requirements; periodic testing and evaluation; reporting; and plans for remedial action, security incident response, and continuity of operations. FISMA also requires annual independent evaluation of federal agency information security programs and practices. Agency information security activities are guided by Office of Management and Budget (OMB) policy and the development of information security standards by the National Institute of Standards and Technology (NIST) that will include mandatory requirements by risk level. Status of Federal Agencies Today In 2003, federal information security programs received poor FISMA marks. Although federal agencies showed progress in some areas of compliance with FISMA in 2004, they must still make significant improvements. Efforts led by Representative Adam Putnam and the House Government Reform Subcommittee on Technology have drawn attention to FISMA and compliance. Most federal agencies have hundreds, if not thousands, of systems that compromise the IT/IS infrastructure that must be protected. These numbers intensify the compliance reporting requirements and ultimately lead to FISMA compliance failure. Additionally, federal agencies are struggling with FISMA compliance due to lack of funding; misinterpretation of the requirements; lack of existing policy and process; and time constraints. FISMA is critical to ensuring the integrity and security of federal systems, but it has added significant reporting responsibilities to the federal workforce buried under a mountain of multiple mandates. Federal agencies face significant challenges in addressing FISMA s broad set of requirements and are looking to the private sector for help in meeting those challenges with solutions that will help in assessment, implementation, and reporting. HTA Technology Security Consulting is 1 Memo from OMB August 6, 2003, 2
3 designed to help organizations achieve compliancy by providing a complete Best Practices approach to supporting the FISMA initiative. In 2005 federal agencies which scored poorly on their annual security report cards in 2004, will encounter even tougher grading standards this year. Expect Chairman of the House Government Reform Committee Representative Tom Davis to become a major figure in the information technology community. According to Davis, FISMA is not receiving the attention it deserves, and it should be something that every committee in Congress is concerned about. Davis said his committee will lobby for more awareness and funding for FISMA in 2005 to ease the costly and time-consuming FISMA burden. He hopes the new information policy, information technology, and information security challenges that have arisen since FISMA will be addressed. Reporting Requirements Federal agencies must submit their reports to OMB by October 6, OMB uses the reports to help evaluate the government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and provide input to the E-Gov Scorecard under the President s Management Agenda. The report shall summarize the results of annual IT security reviews of systems and programs, agency progress on correcting weaknesses reflected in Plan of Action and Milestones (POA&M), and the results of IG independent evaluations. Verifying compliance for every IT system within the organization requires comprehensive validation testing and remediation planning with coordinated reporting and the information flow to allow the Agency head to accurately report on their current FISMA compliance status. To ensure that security remains a top management priority, FISMA requires that annual security reports and documented plans of action to correct security weaknesses be cross-referenced to budget materials sent to OMB. This increases the ability of OMB to directly monitor agency spending and overall security program progress, with ramifications if the two don t correlate. Key FISMA Areas FISMA requires each agency, including agencies with national security systems, to develop, document, and implement agency-wide information security programs. Specifically, this program is to include the following key areas: Security Policies and Procedures Periodic Risk Assessments Subordinate plans for providing adequate information security Annual Testing and Evaluation of security controls Corrective Action Process (Plan of Actions and Milestones (POA&M)) Continuity of operations (Contingency Plans) Incident Detection and Handling Security Incident Reporting Security Awareness Training Configuration Management 3
4 The following sections emphasize some of major areas of FISMA. Agency-wide Security Policies and Procedures FISMA requires that each agency develops and implements information security policies, procedures, and security controls in accordance with risk and magnitude of potential harm. Effective agency-wide security programs ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of federal information. Agencies that are required to meet FISMA compliance standards will need to develop such security programs. Sound practices include agencywide information security policies and enforced implementation of these policies for personnel at all levels. Additionally, security awareness training is required to inform all personnel, including contractors and other users of information systems that support the operations and assets of the agency, of risks and responsibilities in accordance with their activities. Risk Assessment and Security Plans The assessment of risk and development of security plans are two important activities in an agency s information security program that directly supports the accreditation process and are required under FISMA. Risk assessments, whether done formally or informally, influence the development of the security requirements and the security controls for information systems and generate much of the information needed for the security plans. It is essential to ensure that controls are fully commensurate with the risks to which the agency is exposed. Security plans document the security requirements and security controls for information systems and provide essential information for security accreditations. System Inventory Before any organization can assess its security risk, it needs to have a full inventory of critical IT assets and infrastructure components. FISMA requires that each federal agency develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of the agency. A complete inventory of major information systems is a key element of managing the agency s IT resources, including security of those resources. Additionally, monitoring, testing, and evaluation of information security controls must also be included as part of the inventory record. Federal agencies have not made much progress in this area. Lack of a complete inventory of federal agencies was one of the main points made by Chairman Putnam s committee and by OMB in their review of the agencies FY 2003 FISMA reports. They reported that only five federal agencies have completed reliable inventories of their critical IT assets leaving 19 without reliable inventories. Testing and Evaluation of Security Controls FISMA requires testing and evaluation of security controls, to be performed at least annually. The evaluation includes testing of management, operational, and technical controls. It determines the extent to which the security controls are implemented 4
5 correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Continuous risk assessment and monitoring of security controls must be performed to ensure that security controls maintain risk at an acceptable level. The necessary depth and breadth of an annual FISMA review depends on several factors such as acceptable level of risk, extent to which patch management is employed, scope of most recent reviews, and date of most recent in-depth testing and evaluation as part of system C&A. Plan of Actions and Milestones (POA&M) Process FISMA requires agencies to implement a POA&M process that tracks system weaknesses individually and in aggregate. The POA&M document, one of the three key documents in the security accreditation package, describes actions taken or planned by the information system owner to correct deficiencies in security controls and to address remaining vulnerabilities in the information system (reduce, eliminate, or accept the vulnerabilities). The POA&M identifies the tasks to be accomplished, the resources required to accomplish the elements of the plan, any milestones in meeting those tasks, and scheduled completion dates for the milestones. FISMA directs agency program officials to develop, implement, and manage POA&Ms for all programs and systems they operate and control for which security weaknesses have been identified. System Configuration Management FISMA requires that each agency develop its own specific configuration management requirements and ensure each system is compliant with those requirements. Documenting information system changes and assessing the potential impact on the security posture of the system is an ongoing process and is an essential aspect of maintaining security accreditation. System configuration management includes both establishment and maintenance of standard system security settings as well as patch management process. A robust patch management system will use risk as a determining factor in prioritizing patch management actions, to assure that the most critical vulnerable systems are addressed first. Continuity of Operations FISMA requires that each system security plan include the provision for continuity of operations for information systems that support the operations and assets of the agency, to include any information or information systems provided or managed by another agency, contractor, or other source. It is important for these plans to be clearly documented, communicated to potentially affected personnel and updated to reflect current operations. Contingency plans provide specific instructions for restoring critical systems, including such elements as arrangements for alternative processing facilities in case the usual facilities are significantly damaged or cannot be accessed due to unexpected events such as power failures, accidental loss of files, or a major disaster. Additionally, testing of contingency plans is essential to determining whether the plans will function as intended in an emergency situation. FISMA requires agencies to report the number of systems that have a contingency plan and the number that have contingency plans that have been tested. 5
6 Summary FISMA codifies specific responsibilities of federal agency officials, addresses protection of agency information resources, calls for agency officials to manage risk to an appropriate level, and requires agencies to incorporate security into the life cycle of information systems. Federal agencies are spending a large portion of their time on administrative activities related to FISMA compliance. Although agencies generally reported increases in their compliance with information security requirements in 2004 as compared to 2003, analysis of key measures revealed areas where agencies face challenges. Implementing an effective information security program requires a well designed strategy based on sound principles, a solid framework, and robust monitoring and reporting functionality. HTA is committed to helping agencies by defining the methodology which can be applied to address security requirements and identify high-priority corrective actions necessary to achieve and maintain compliance with FISMA. In 2005, expect to hear more about FISMA and the challenges and changes in attitude toward IT security within the federal government. 6
Information Systems Security Requirements for Federal GIS Initiatives
Requirements for Federal GIS Initiatives Alan R. Butler, CDP Senior Project Manager Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 1 Federal GIS "We are at risk," advises the
More informationDoes a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?
Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationStreamlined FISMA Compliance For Hosted Information Systems
Streamlined FISMA Compliance For Hosted Information Systems Faster Certification and Accreditation at a Reduced Cost IT-CNP, INC. WWW.GOVDATAHOSTING.COM WHITEPAPER :: Executive Summary Federal, State and
More informationDavid Missouri VP- Governance ISACA
David Missouri VP- Governance ISACA Present-Senior Agency Information Security Officer (SAISO) @GA DJJ 2012-2016 Information System Security Officer (ISSO) @ US DOL WHD 2011-2012 Network Administrator
More informationVaronis and FISMA Compliance
Contents of This White Paper Who Needs to Comply...2 What Are the Risks of Non-Compliance...2 How Varonis Can Help With FISMA Compliance...3 Mapping FISMA Requirements to Varonis Functionality...4 Varonis
More informationContinuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER
Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Xacta IA Manager
More informationInspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017
Peace Corps Office of Inspector General Our Mission: Through audits, evaluations, and investigations, the Office of Inspector General provides independent oversight of agency programs and operations in
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationGAO INFORMATION SECURITY. Comments on the Proposed Federal Information Security Management Act of Testimony
GAO For Release on Delivery Expected at 10 a.m. EDT Thursday, May 2, 2002 United States General Accounting Office Testimony Before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental
More informationGAO INFORMATION SECURITY. Veterans Affairs Needs to Address Long-Standing Weaknesses
GAO United States Government Accountability Office Testimony Before the Subcommittee on Oversight and Investigations, Committee on Veterans Affairs, House of Representatives For Release on Delivery Expected
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationFiscal Year 2013 Federal Information Security Management Act Report
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,
More informationLeveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.
Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Thomas Chimento Ph.D., CISSP, CCE, CISA Product Manager Webroot Software
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act November 10, 2010 Reference Number: 2011-20-003 This report
More informationAgency Guide for FedRAMP Authorizations
How to Functionally Reuse an Existing Authorization Version 1.0 August 5, 2015 Revision History Date Version Page(s) Description Author 08/05/2015 1.0 All Initial Publication FedRAMP PMO 06/06/2017 1.0
More informationIT-CNP, Inc. Capability Statement
Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationSTRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby
More informationInformation Security Continuous Monitoring (ISCM) Program Evaluation
Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda
More informationEnsuring System Protection throughout the Operational Lifecycle
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationAssured Compliance through Information Security Continuous Monitoring
Assured Compliance through Information Security Continuous Monitoring Trey Breckenridge Director, High Performance Computing Mississippi State University 24 July 2018 Summary Information Security Continuous
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationNational Policy and Guiding Principles
National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework
More informationAppendix 12 Risk Assessment Plan
Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY
More informationSTRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government
ATIONAL STRATEGY National Strategy for Critical Infrastructure Government Her Majesty the Queen in Right of Canada, 2009 Cat. No.: PS4-65/2009E-PDF ISBN: 978-1-100-11248-0 Printed in Canada Table of contents
More informationViews on the Framework for Improving Critical Infrastructure Cybersecurity
This document is scheduled to be published in the Federal Register on 12/11/2015 and available online at http://federalregister.gov/a/2015-31217, and on FDsys.gov Billing Code: 3510-13 DEPARTMENT OF COMMERCE
More informationOFFICE OF INSPECTOR GENERAL
OFFICE OF INSPECTOR GENERAL Evaluation Report Catalyst for Improving the Environment Evaluation of U.S. Chemical Safety and s Compliance with the Federal Information Security Management Act and Efforts
More informationInformation Security Program
Information Security Program December 15, 2004 FOR OFFICIAL USE ONLY This information is intended for HHS use only. Disclosure is not expected to cause serious harm to HHS, and access is provided freely
More informationInformation Technology Branch Organization of Cyber Security Technical Standard
Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:
More informationGuidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17
GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive
More informationFIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017
FIRE REDUCTION STRATEGY Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017 FIRE REDUCTION STRATEGY Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017 2 1. Introduction The
More informationSTAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:
STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security
More informationIMPROVING NETWORK SECURITY
IMPROVING NETWORK SECURITY How AN Information Assurance Professional Assessment HELPED THE The City of Stow, Ohio is a community of just under 35,000 people, located 35 miles south of Cleveland and part
More informationNIST Security Certification and Accreditation Project
NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive
More informationINFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK
INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK 1. INTRODUCTION The Board of Directors of the Bidvest Group Limited ( the Company ) acknowledges the need for an IT Governance Framework as recommended
More informationFedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016
FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS VERSION 1.0 October 20, 2016 MONTH 2015 Table of Contents 1. PURPOSE 3 2. BACKGROUND 3 3. TIMELINESS AND ACCURACY OF TESTING OVERVIEW
More informationFISMAand the Risk Management Framework
FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON
More informationAnnex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationFedRAMP Security Assessment Framework. Version 2.0
FedRAMP Security Assessment Framework Version 2.0 June 6, 2014 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationGood morning, Chairman Harman, Ranking Member Reichert, and Members of
Statement of Michael C. Mines Deputy Assistant Director Directorate of Intelligence Federal Bureau of Investigation Before the Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment,
More informationDIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)
DIACAP and the GIG IA Architecture 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) 210-9252417 (C) 210-396-0254 jwierum@cygnacom.com OMB Circular A-130 (1996) OMB A-130 required systems and applications
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationWHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3
WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3 ABSTRACT This white paper is Part 1 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring
More informationNATIONAL INSTITUTE OF FORENSIC SCIENCE
NATIONAL INSTITUTE OF FORENSIC SCIENCE LEGISLATIVE OUTLINE National Institute of Forensic Sciences (NIFS) The NIFS will be responsible for the coordination, administration, and oversight of all of the
More informationHIPAA Federal Security Rule H I P A A
H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created
More informationNORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives
NORTH CAROLINA MANAGING RISK IN THE INFORMATION TECHNOLOGY ENTERPRISE NC MRITE Nominating Category: Nominator: Ann V. Garrett Chief Security and Risk Officer State of North Carolina Office of Information
More informationDeveloping a National Emergency Telecommunications Plan. The Samoan Experience November 2012
Developing a National Emergency Telecommunications Plan The Samoan Experience November 2012 What is The NETP? The National Emergency Telecoms Plan (NETP) is a strategic plan that establishes a national
More informationExhibit A1-1. Risk Management Framework
Appendix B presents the deliverables produced during the execution of the risk management approach to achieve the assessment and authorization process. The steps required by the risk management framework
More informationMitigation Framework Leadership Group (MitFLG) Charter DRAFT
Mitigation Framework Leadership Group (MitFLG) Charter DRAFT October 28, 2013 1.0 Authorities and Oversight The Mitigation Framework Leadership Group (MitFLG) is hereby established in support of and consistent
More informationEVALUATION REPORT. Independent Evaluation of NRC s Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011
EVALUATION REPORT Independent Evaluation of NRC s Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011 OIG-12-A-04 November 9, 2011 All publicly available OIG
More informationTechnical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM
Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM Document Details Title Description Version 1.1 Author Classification Technical Vulnerability and Patch Management Policy
More informationAdvisory Circular. Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: AVIATION WEATHER AND NOTAMS Initiated by: ARS-100
U.S. Department of Transportation Federal Aviation Administration Advisory Circular Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: 00-62 AVIATION WEATHER AND NOTAMS Initiated by: ARS-100 1.
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationGDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ
GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool Contact Ashley House, Ashley Road London N17 9LZ 0333 234 4288 info@networkiq.co.uk The General Data Privacy Regulation
More informationFedRAMP Security Assessment Framework. Version 2.1
FedRAMP Security Assessment Framework Version 2.1 December 4, 2015 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management
More informationCertification Exam Outline Effective Date: September 2013
Certification Exam Outline Effective Date: September 2013 About CAP The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with
More informationAppendix 12 Risk Assessment Plan
Appendix 12 Risk Assessment Plan DRAFT March 5, 2007 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-i RFP: TQC-JTB-05-0002 March 5, 2007 REVISION HISTORY Revision
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationProgram Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS
Program Review for Information Security Management Assistance Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS Disclaimer and Purpose PRISMA, FISMA, and NIST, oh my! PRISMA versus an Assessment
More informationTotal Protection for Compliance: Unified IT Policy Auditing
Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.
More informationUnited States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS
United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS UTILITY CYBER SECURITY INITIATIVE (UCSI) CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ASSESSMENT FOR THE
More informationMember of the County or municipal emergency management organization
EMERGENCY OPERATIONS PLAN SUUPPORT ANNEX B PRIVATE-SECTOR COORDINATION Coordinating Agency: Cooperating Agencies: Chatham Emergency Management Agency All Introduction Purpose This annex describes the policies,
More informationMIS Week 9 Host Hardening
MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More informationTHE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER
THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE May 11, 2017 EXECUTIVE ORDER - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority
More informationAgenda. Bibliography
Humor 2 1 Agenda 3 Trusted Digital Repositories (TDR) definition Open Archival Information System (OAIS) its relevance to TDRs Requirements for a TDR Trustworthy Repositories Audit & Certification: Criteria
More informationReviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003
More informationMNsure Privacy Program Strategic Plan FY
MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term
More information10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment
Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing
More informationCybersecurity Risk Mitigation: Protect Your Member Data. Introduction
Cybersecurity Risk Mitigation: Protect Your Member Data Presented by Matt Mitchell, CISSP Knowledge Consulting Group Introduction Matt Mitchell- Director Risk Assurance 17 years information security experience
More informationData Recovery Policy
Data Recovery Policy The Marketware, Inc. Contingency Plan establishes procedures to recover Marketware, Inc. following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained
More informationSection One of the Order: The Cybersecurity of Federal Networks.
Summary and Analysis of the May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Introduction On May 11, 2017, President Donald
More informationSTUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems
Slide 1 - Risk Management Framework RMF Module 5 Welcome to Lesson 5 - RMF Step 5 Authorizing Systems. Once the security controls are assessed, the POA&M and security authorization package must be finalized
More informationAUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014
UNITED NATIONS DEVELOPMENT PROGRAMME AUDIT OF UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY Report No. 1173 Issue Date: 8 January 2014 Table of Contents Executive Summary
More informationCompliance with NIST
Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationVulnerability Assessments and Penetration Testing
CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze
More informationCOMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards
November 2016 COMMENTARY Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards The Board of Governors of the Federal Reserve System ( Federal Reserve Board ), the Federal Deposit Insurance
More informationDoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP April 14, 2004 Current Macro Security Context within the Federal Government
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationFISMA Cybersecurity Performance Metrics and Scoring
DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity
More informationA Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface
A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface ORGANIZATION SNAPSHOT The level of visibility Tenable.io provides is phenomenal, something we just
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More information