In theory, a FISMA-compliant organization should be largely protected from hackers, data thieves, and malware. After all, that’s why FISMA was enacted in the first place—to institute a higher standard of data security within all government agencies and the contractors who work for them. Right? Think again. As with many noble government initiatives, the real-world translation of FISMA might not be having the far-reaching impact that was hoped for.
One of the biggest complaints about this regulatory act is that FISMA Compliance takes a boilerplate approach, mandating minimum security measures and burdensome reporting, rather than addressing actual threats to the well-being of the organization as a whole. If you are an entity doing business with the Federal Government or you are the Federal Government, compliance with FISMA regulations is mandatory. The good news is, many of the mandated safeguards will keep your data safer. But a smart organization will adopt a broader perspective on protecting data by taking a risk-based approach and figuring out what’s at stake behind each decision.
FISMA Compliance vs. Risk-based Decision-making
Your data is one of your most valuable assets. Just as you would when introducing a new product, investing in capital equipment or taking on a new business partner, you will want to make your decisions about security controls based on the amount of risk you can tolerate.
- How proprietary and sensitive is the nature of your data?
- What kind of impact would it have on your business or operations if someone stole or gained unauthorized access to this data?
- Do you have the resources needed to contain a serious breach, or a vicious spear-phishing attack?
Organizations that take a risk-based approach tend to think through each major decision with regard to security controls and conduct a risk assessment or a cost/benefit analysis to decide whether or not to move forward. Rather than being reactive when incidents occur (or an audit is coming up), this type of organization develops a thoughtful data security plan based on the impact an incident would have on each of its business operations.
Oftentimes, a risk-based security solution goes beyond FISMA compliance. Take your system passwords, for example, which may be required to have an eight-character length. Should you adopt an eight-character password in order to be compliant? Possibly. However, if upon examination you conclude that you need better control over access to your system, you might consider instituting a ten-character password instead. But don’t stop there.
Generally speaking, passwords are not a particularly airtight form of authentication. Consider stronger multifactor authentication, such as a token, biometric or callback authentication. Even if the FISMA compliance requirement doesn’t mandate this, you can adopt it if the business risk warrants this control. In other words, meeting compliance might be all you need to do. But don’t just accept it as such. Analyze each requirement and its implications for your business before making a decision.
Granted, it’s not always clear what to do. One organization we know of had fallen below compliance in a particular area, thereby incurring fines of $20,000 per month. The executive team decided they were willing to pay the fines and accept the level of risk the infraction posed, rather than invest the 6-8 million dollars required to fix the problem. They chose this route largely because they had other revenue-generating initiatives competing for those same dollars. Maybe if the team had factored the business risk and associated costs of a major breach into their decision-making process, they would have decided differently. Aside from the direct costs of recovering from a breach, the loss of goodwill and public trust needs to be factored in as well. However, we applaud this executive team for weighing their organization’s business needs against the commensurate risk before making a decision.
Benefits of Risk-based Decisions: Going Beyond Data Security
Organizations that adopt a risk-based approach place a premium on protecting their data as it pertains to the viability of their business. As such, they tend to have tighter but practical security controls in place, which confers upon them added rewards.
Competing for government contracts is one area where taking a risk-based approach may benefit you. A proactive, risk-based data protection strategy can be a differentiator that puts you in a better competitive position, as many companies are struggling to even meet compliance. We saw companies take a risk-based approach to data security years ago when FISMA was just getting off the ground, and those companies have consistently won new contracts as a result of their ability to verify that their systems are safe. In short, choosing a risk-based approach aligns data security with business strategies.
Proposed security controls become more relevant to the board and executive management when you communicate them in risk-based terms, as the implications tie into areas of the business they deal with every day. Funding for controls is more likely to be granted when the powers-that-be understand the business reasons behind each request. The organization’s security posture improves as responsibilities are pushed throughout the organization instead of relegated to an isolated policing function in the IT department. By adopting such a forward-thinking stance, you will be doing the right thing by your organization. Furthermore, you will build an industry-wide reputation as a reliable partner to do business with.