The Federal Information Security Management Act (FISMA), enacted in 2002, was
passed to strengthen computer and network security within the federal
government. To that end, FISMA requires federal agencies, and any associated
entities handling federal data such as state and local governments,
contractors and grantees, to implement an integrated, risk-based information
security program as defined by the National Institute of Standards and
Technology (NIST) under the oversight of the Office of Management and Budget
(OMB).
NIST’s definition of an effective information security program includes a
broad range of requirements, such as:
- Periodic risk assessments
- Policies and procedures based on the risk assessments
- Plans for information security in networks, facilities and computer systems
- Security awareness training
- Annual program effectiveness testing and evaluation
- A remediation process to continually improve the program
- Procedures for responding to security incidents
- Procedures to maintain continuous operations
To guide agencies tasked with implementing such a comprehensive security
program, NIST provides two types of documents: Special Publications (SP) and
Federal Information Processing Standards (FIPS). NIST SP 800-53
specifies the security controls required for access control, auditing,
configuration management and much more. This publication is complemented by
FIPS standards (FIPS 199 for the categorization of data and systems, FIPS 200
for minimum security requirements) and by further Special Publications that
cover risk evaluation and security plan creation.
The Business Challenge
Perhaps the greatest challenge presented by FISMA lies in the broad scope
of its security framework. For example, the Security Control Selection
element of NIST SP 800-53 alone contains 17 control families comprising
170 individual controls. This framework spans the entire IT
infrastructure, calling for the monitoring and analysis of data generated by
all systems, network appliances and security solutions across the
enterprise. Therefore, to be FISMA compliant, an enterprise must collect and
process many different types of information from across the
infrastructure.
Processing includes the correlation, analysis and reporting of that data. If
analysis fell to just a few IT security analysts, or even to an entire team,
timely response to important security or compliance risks would be nearly
impossible. For this reason, automation is essential to support FISMA
effectively.
The eIQ Solution
eIQ’s SecureVue security, risk and audit management platform combines
enterprise security management (ESM) and IT governance, risk and compliance
(GRC) to help organizations address FISMA in full. By collecting, archiving,
correlating, analyzing and reporting on log, vulnerability, configuration,
asset, performance and network behavioral anomaly data, SecureVue brings the
complex monitoring, testing and auditing demands of FISMA and other
standards together in a single solution. The automated end-to-end correlation
of data, alongside built-in analytics, makes processing an easily manageable
task.
SecureVue’s comprehensive compliance library—containing over 5,000 technical
and functional controls—enables organizations to define, monitor and measure
FISMA compliance. The platform’s wizard-based policy mapping also allows
organizations to add and modify regulations and best practices to address a
broad range of unique business drivers, including internal practices,
service level agreements and business partner requirements.
The following FISMA monitoring support chart compares SecureVue’s integrated
platform against traditional security information management (SIM) and IT
GRC solutions. (Chart not reproduced; its legend distinguishes Supported,
Partial Support and Not Supported.)
For More Information
- SecureVue Solution
- NIST FISMA Website
- OMB FY 2007 FISMA Reporting Instructions