FISMA Security Policy Solutions
Federal Information Security Management Act
Under FISMA, which supersedes the Government Information Security Reform Act of 2000 (GISRA), federal agencies are required to assess the state of their security before the OMB approves their budget items. To support a consistent assessment of the security state of federal agencies, NIST has published (in NIST SP 800-26) 17 Information Technology (IT) security topics that affect the security posture of an organization. These 17 security control areas form the framework for a complete, policy-based approach to security.
According to the maturity model defined in the Federal IT Security Assessment Framework, a security program progresses from having policies (Level 1) to having detailed procedures (Level 2), implementing these procedures (Level 3), testing compliance with and effectiveness of the procedures (Level 4), and finally fully integrating policies and procedures into daily operations (Level 5).
Information Security Policies Made Easy provides a complete set of security policies and standards that cover each key control area. Essentially, organizations can implement Level 1 compliance by customizing our pre-written policies. Specific benefits include:
- Over 1300 pre-written security policies and standards ready to customize.
- Complete policy coverage for 17 key assessment areas.
- Detailed implementation advice to create an effective security environment.
- Policies targeted at different organizational roles (management, technical, end-user).
- Policies organized for different risk environments, facilitating a control maturity model as outlined in the Federal IT Security Assessment Framework.
Information Security Roles and Responsibilities Made Easy provides expert guidance and templates for building an effective security organization. According to NIST, clearly defined security roles and responsibilities are key to implementing effective security controls (for example, Section 17.1.5 - Segregation of duties for security personnel, and Section 9.1.2 - Employees trained in their roles and responsibilities). Information Security Roles and Responsibilities Made Easy is the only resource available that can save your organization hundreds of hours of effort in developing your security organization. Information Security Roles and Responsibilities Made Easy contains:
- 40 pre-written job descriptions with detailed security requirements for each job function.
- Pre-written organization charts that map security roles and reporting relationships.
- Detailed implementation advice to create an effective security environment.
- Advice on proper staffing and budgeting for security roles.
- Standard practices that have been shown to be effective at over 125 organizations around the world.
Other Federal Security Requirements
The establishment of a sound security program is mandated by other Federal laws, including the Clinger-Cohen Act, the Computer Security Act of 1987, the Government Performance and Results Act (GPRA), and the Government Paperwork Elimination Act (GPEA). Key to an effective security posture is a robust set of security policies and standards backed by an effective security organization. Information Shield publications will save your organization hundreds of development hours by providing pre-written best practices that have been tested in hundreds of organizations around the world.
For more information on using Information Shield solutions for your FISMA compliance efforts, please contact us.