The first step in any comprehensive security management strategy is risk assessment. FISMA requires periodic risk assessments to understand the potential impact of security threats. With regard to messaging, the impacts can include:
External threats include viruses, worms, Trojan horses, spyware, keyloggers, botnets, and rootkits, all of which can compromise a messaging system. Malware can disrupt operations, and the speed at which malware spreads and the sophistication of the software are making the control of malicious code more difficult. Previously effective security measures, such as reformatting hard drives and reinstalling the operating system (OS), are no longer sufficient, as rootkits may be using advanced power control and PCI subsystems for storage.
The consequences of external threats can be severe. In October 2006, the U.S. Commerce Department reported that attacks on computers at the Bureau of Industry and Security had forced the department to shut down Internet access in September. InformationWeek reported that the bureau had decided to replace workstations compromised with rootkits rather than trust the devices after the attack (Source: InformationWeek).
Risk assessments of messaging must also consider threats from within the organization. Information theft and leaks are clearly confidentiality problems. The well-publicized theft of a Veterans Administration (VA) employee’s laptop containing more than 28 million personal information records is an obvious example. Information leaks can also occur through messaging systems without adequate filtering. The product of a risk analysis is a set of threats and impacts that can be used to prioritize security policies and procedures.
Messaging policies and procedures are the bridge between the strategic security objectives that emerge from the risk assessment process and the operational aspects of implementing security controls. Policies describe the mechanisms for controlling threats without delving into technical detail. For example, an email retention policy may describe which types of messages must be retained and the length of time they must be retained but not detail specific steps or technologies for implementing those guidelines.
Governs the process by which users and user agents are granted access to systems and resources. This is especially challenging in highly distributed environments such as those found in federal agencies. For example, the use of federated identity management adds a layer of trust between agencies or departments that must be governed by policies, implemented with comprehensive procedures, and audited to ensure proper implementation.
Security professionals and other information technology (IT) specialists cannot maintain security on their own. All users of information systems must be aware of risks related to information management and act in a responsible manner.
FISMA’s requirements are twofold in this case. First, users must be made aware of relevant laws, executive orders, policies, and procedures in the area of computer security. Second, personnel must be trained in information security so that they can carry out their responsibilities with knowledge of security threats.
Contingency planning is essential to messaging security because it is one of the foundations for ensuring service availability. Contingency planning includes day-to-day operations, such as backup and recovery, as well as longer-term planning and operations, including failover systems, emergency response plans, and transition plans for moving operations to backup systems and then back to production systems.
Up to this point, all aspects of FISMA are generally applicable to information security best practices. Although auditing and accountability are also elements of these best practices, they are especially important to the practice of FISMA compliance.
In addition to implementing security controls, security managers must be able to prove with documentation that their systems are compliant, their users are trained, and their risk assessments are up to date. A sound security strategy can be undermined by weak documentation, which leads to audit reports that do not accurately reflect an agency’s or department’s security status.