David Missouri VP- Governance ISACA

David Missouri, VP - Governance, ISACA
Present: Senior Agency Information Security Officer (SAISO) @ GA DJJ
2012-2016: Information System Security Officer (ISSO) @ US DOL WHD
2011-2012: Network Administrator (CCNA) @ ITT Exelis in Iraq & Afghanistan
1997-Present: Residential Custom Home Builder @ Huios Development, LLC

Topics: FISMA, NIST 800-53, What do I do?!

Federal Information Security Modernization Act (FISMA) of 2014
FISMA 2014 codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies. The legislation gives the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination with and consistent with OMB policies and practices. It also:
- Authorizes DHS to provide operational and technical assistance to other federal Executive Branch civilian agencies at the agency's request;
- Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
- Authorizes DHS technology deployments to other agencies' networks (upon those agencies' request);
- Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
- Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually; and
- Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.
The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA).

Federal Information Security Management Act of 2002
FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.

FISMA - Purpose of the act
FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information security systems. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. According to FISMA, the term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

FISMA Requirements
- Inventory of information systems
- Categorize information and information systems according to risk level
- Security controls
- Risk assessment
- System Authorization (Certification & Accreditation)
- Continuous monitoring

How Do I Implement the Act?
The Risk Management Framework (RMF), illustrated in the next slide, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF steps include:
1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
2. Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system, and the decision that this risk is acceptable.
6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

RMF

How often do I have to do this?
1. The security plan should be reauthorized every three years or at any major change to the system.
2. The security controls should be divided into thirds.
3. A third of the controls should be self-assessed in the first year and another third in the second year, while all of the controls should be audited in the third year by a third party.
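The categorize step of the RMF above and the three-year cadence on this slide are both simple enough to express as code, which makes the rules easy to check against a real system inventory. The following is an added example, not code from the original deck or from NIST. It assumes the categorize step uses the high-water mark rule (the system level is the highest confidentiality, integrity or availability impact across the information types it handles), which the slides do not spell out, and the information types and control identifiers in the sample input are constructed for illustration.

```python
"""RMF 'categorize' and 'monitor' steps from the slides, as runnable logic.

Added example, not from the original deck. Assumption not stated on the slides:
the system impact level is the high-water mark across the confidentiality,
integrity and availability impact of every information type the system handles.
The three-year cadence follows the 'How often do I have to do this?' slide.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")
AUTHORIZATION_PERIOD_YEARS = 3


@dataclass(frozen=True)
class InfoType:
    """One kind of information a system processes, with its three impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check_level(level: str) -> str:
    level = level.lower()
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level {level!r}; expected low/moderate/high")
    return level


def categorize(info_types: Iterable[InfoType]) -> Tuple[str, Dict[str, str]]:
    """Return (system impact level, impact per security objective).

    Each objective takes the highest rating among the information types; the
    system level is the highest of the three objectives (high-water mark).
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective: Dict[str, str] = {}
    for obj in OBJECTIVES:
        ratings = [_check_level(getattr(t, obj)) for t in info_types]
        per_objective[obj] = max(ratings, key=IMPACT_RANK.__getitem__)
    system_level = max(per_objective.values(), key=IMPACT_RANK.__getitem__)
    return system_level, per_objective


def needs_reauthorization(last_authorized: int, current_year: int, major_change: bool) -> bool:
    """Slide rule 1: reauthorize every three years or on any major change."""
    return major_change or (current_year - last_authorized) >= AUTHORIZATION_PERIOD_YEARS


def assessment_schedule(control_ids: Iterable[str], start_year: int) -> Dict[int, Dict[str, List[str]]]:
    """Slide rules 2 and 3: split the control set into thirds, self-assess one
    third in year 1 and another in year 2, and have a third party audit all
    controls in year 3 of the authorization cycle.
    """
    controls = sorted(set(control_ids))
    if not controls:
        raise ValueError("no controls to schedule")
    thirds = [controls[i::3] for i in range(3)]  # round-robin split, sizes differ by at most 1
    return {
        start_year: {"self_assessment": thirds[0], "third_party_audit": []},
        start_year + 1: {"self_assessment": thirds[1], "third_party_audit": []},
        start_year + 2: {"self_assessment": [], "third_party_audit": controls},
    }


if __name__ == "__main__":
    # Constructed sample input: a case-management system handling two information types.
    sample = [
        InfoType("case records", "moderate", "moderate", "low"),
        InfoType("public notices", "low", "moderate", "high"),
    ]
    level, detail = categorize(sample)
    print(f"system impact: {level} {detail}")
    print("reauthorize in 2019 after a 2016 ATO:", needs_reauthorization(2016, 2019, False))
    # Constructed control list; the real set comes from the selected 800-53 baseline.
    for year, plan in assessment_schedule(
        ["AC-2", "AC-3", "AU-2", "CM-6", "IA-2", "RA-5", "SI-4"], 2019
    ).items():
        print(year, plan)
```

The round-robin split keeps the three groups within one control of each other, so the self-assessment workload in years 1 and 2 is even; the remaining third is covered only by the full third-party audit in year 3, exactly as the slide states.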

NIST 800-53 rev 4
NIST 800-53 is a publication that recommends security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security.

NIST 800-53 rev 5 - Major Changes
Removing the words "federal" and "information". This change makes the controls apply to all organizations and systems, so there are no more "federal information systems": the controls will instead refer to "organizational systems".

Where do I find the NIST controls?
NVD - 800-53 - National Vulnerability Database (NIST): https://web.nvd.nist.gov/view/800-53/home
The NIST SP 800-53 database represents the security controls and associated assessment procedures defined in NIST SP 800-53 Revision 4, Recommended Security Controls for Federal Information Systems and Organizations.

What do I do? They want me to implement FISMA
1. Identify a senior C-level executive to champion information security and play the role of the Authorizing Official
2. Categorize your data
3. Select NIST controls
4. Implement the controls
5. Assess the controls
6. Obtain authorization
7. Continue to monitor controls