10 Steps To Ace A FISMA Audit - InformationWeek

Adam Ely

Anyone working with a federal agency will face one of these sooner or later. The best way to sail through is to know what auditors are looking for.

InformationWeek Green - Mar. 22, 2010

The Federal Information Security Management Act, known as FISMA, is typically thought to apply only to government organizations. However, contractors and vendors that provide services to, manage systems on behalf of, or maintain close relationships with a government agency may be held to similar standards.

That can be a problem because FISMA regulations are confusing at best and more commonly just plain overwhelming. Not surprisingly, a cottage industry has sprung up of expensive contractors who promise FISMA help.

Here's what they don't want you to know: Staying on the right side of FISMA auditors is a matter of common sense and solid security best practices. You're probably already doing much of what's required if you're complying with other security requirements, like PCI for payment account data security.

What follows are 10 commonsense steps you can take to prepare for a FISMA audit. While basic FISMA compliance won't always meet every government organization's security requirements--for example, you may be required to implement stricter data control requirements or a more involved change control process--you will have a sturdy base to build on.

1. Don't let details overwhelm you.

When FISMA was drafted eight years ago, its six tenets were nothing less than groundbreaking. Where information security had long been an afterthought in most government agencies, it was brought to the forefront and made a requirement.

While these items are broad, their intent can be distilled: Agencies and their contractors need to build frameworks to address information security and risk management within their organizations. An accountable party must be tasked with information security, so that it won't fall by the wayside. And the government recognized, possibly for the first time, that the private sector has many benefits to offer in terms of protecting public information assets.

FISMA provides a bare-minimum starting point for organizations to build and take responsibility for their information security programs.

2. Protect the data.

Throughout FISMA, there's an emphasis on protecting information rather than systems. Systems and system security are important, of course, but in most cases, it's the data on these systems that has the most value.

Look at the data that's critical to your organization and the agency you work with. Work outward to the systems, segments, and people around that data. This will not only better align you with FISMA, it will give you a more cost-effective, risk-based security program.

To read the rest of the article,
Download the Mar. 22, 2010 issue of InformationWeek

