Inherent in FISMA are strict (and oftentimes onerous) requirements. To satisfy this mandate, agencies and contractors conduct regular independent assessments to determine how they are performing as prescribed by the NIST 800-53 control requirements. Some organizations conduct this FISMA audit internally using an internal audit function, while others outsource it to a third party. With either approach, the executive management team is ultimately responsible for reporting on identified risks and evaluating the effectiveness of an organization’s security controls. So what are the main components of a FISMA audit? As with most audits, you will want to include each of the following:
- Interview the individuals responsible for the control documentation process to gain an understanding of the overall process and key contacts and control owners.
- Gain an understanding of the current processing environment to determine where commonalities are expected within the control environment.
- Determine appropriate sample size and characteristics for each of the control areas under review.
- Conduct a performance review audit using the NIST Assessment Methods and Objects to achieve the Assessment Objectives.
- Document testing results within the FISMA Audit Report.
As you can imagine, a FISMA audit can be fairly disruptive and is often greeted with a general air of trepidation. Collecting supporting documents takes time away from daily operations, and most people are hesitant to build a case against themselves by helping auditors find issues. Process owners may become defensive or even try to conceal areas of control weakness.
That said, there are ways to lessen the inconvenience and threatening nature of an audit. Gather the key players and enroll them in your vision: an assessment is an opportunity to protect the company’s assets and reduce the number of security incidents. Help your staff understand how the assessment will facilitate change for the better, and be sure to provide a list of supporting documentation that each stakeholder is required to submit so your staff can be prepared in advance.
As a best practice, the audit team should make an effort to give credit where credit is due, which audit teams oftentimes fail to do. While lapses in a policy or procedure update shouldn’t be sugarcoated, it’s important to balance the findings by identifying what’s working. If you are seeking an outside vendor to conduct your assessment, make sure they are prepared to partner with you and your staff, rather than creating an environment of fear and generating findings to justify their fees. You want to challenge your staff to ‘better their best.’ If they understand the value of the assessment, they will be more likely to cooperate and work toward the common goal of having a better-protected system.
Building a Solid Foundation
Many organizations struggle to even cover the basics. They are constantly putting out fires and struggling to respond to new threats. They tend to perform poorly in audits. In fact, this type of organization is often unable to get out of audit mode, continually finding themselves responding to findings or scrambling to prepare for the next audit.
To counter this and to build a secure environment down to its core, we recommend implementing a solid foundation of security controls in several key areas. This set of controls will serve as a strong base and will eliminate the root causes of most high-risk audit findings. The initial effort to do this is costly, but in the long run, you will save time, money, and headaches; and your data will be more secure. We recommend that you evaluate the following process areas and institute a foundation of strong controls in each.
Information Technology Asset Tracking
Maintaining a controlled and accurate inventory of all IT assets is a critical underpinning of any information security program. The basic premise here is that you can’t control what you don’t know you have. For example, if an employee checks out a loaner laptop and doesn’t connect to the network for an extended period of time to update system patches, that system is officially in an insecure state. The unaccounted-for laptop has potential to show up at the worst possible moment—during an audit, of course, or when a malware outbreak is scanning your system for vulnerable machines. Evaluate your current IT asset inventory process and develop an enterprise approach to managing these assets across all business units and facilities. By carefully examining your business units, the flow of IT assets within your facilities, and the interrelationships of the departments that need IT asset tracking, system requirements can be defined to drive solid processes and an appropriate tracking solution.
Configuration & Patch Management
In today’s threat environment, strong configuration and patch management are vital to ensure that systems do not fall victim to malicious software and attacks. Historically, many would consider a 95% patch rate as very good, but today we have to be nearly perfect to be effective. The bar has been raised dramatically due to automated hacker tools that scan networks, looking for vulnerable systems. Configuration standards need to be developed for all major applications and general support systems. Furthermore, these configuration standards must be consistently implemented and continuously monitored for compliance at all times.
Effective change management is one of the most important core elements of a sound control environment. Establish an upper management control board to review changes and make risk determinations. Ideally, board members will serve for a long time, as continuity of this group is critical to ensure consistency of treatment for each type of request or change. The board is responsible for evaluating and accepting the risk of each change based on the following factors: the inherent level of risk in the change, the adequacy of test plans and related results, and possible backout procedures in the event of an issue. Access Controls: User access control is a multi-faceted area that encompasses user identity management, facility access, and authorization from cradle-to-grave—from on-boarding a new user, through transfers, promotions, and termination. It is critical that procedures are put in place to notify the IT department immediately when there has been a change in an employee’s status. Password configurations, levels of access, equipment assignments, remote transaction permissions, and facility accessibility all need to be considered and changed on a regular basis.
System Event Monitoring
Done manually, this control requires a massive amount of human capital to perform effectively. Even then, the ability to do the job manually is questionable. Automating this process is far superior in today’s threat environment; it is advisable to deploy centralized logging and monitoring solutions to ensure that all major applications and general support systems are being monitored around the clock. Systems must be tuned and rules developed, which is an ongoing process as the threat environment is constantly changing. Consider using advanced techniques such as “honey tokens” to find anomalies. Having a robust anomaly detection strategy is the best defense against APTs, spear phishing, and zero day attacks.
Documentation Requirements & Formality
Documentation must be accessible to those who use it, updated as changes occur, and at your fingertips during an audit. A centralized repository of documentation is recommended; use of a single product on a corporate-wide basis is typically the best solution. That said, for many companies, the migration from a disparate system to a centralized one is a significant undertaking. We suggest the following approach:
- Inventory all existing policies and procedures; corporate-wide is recommended, but IT-wide is a minimum
- Identify gaps between required and existing documentation
- Document the desired business process to maintain documentation
- Determine the user population for the document repository and level of access needed
- Document the requirements and desired features for a robust solution
- Determine if a new solution is needed or if use of an existing solution can be expanded
- Define document templates—enforcing an organization structure and use of templates is critical to a successful implementation
Testing & Validation
A common characteristic of high-performing security programs is an integrated testing and validation program. On an on-going basis, validate current processes in light of both compliance requirements and the threat environment. The key to a successful testing & validation program is the ability to subsequently hold stakeholders responsible for controls and make improvements as appropriate. A testing and validation program should not be viewed as a policing activity; rather, it should have a philosophy of continuous process improvement and innovation. Testing and validation will necessarily include: annual FISMA audits, penetration testing, security testing, and due diligence testing on new technology and connections.