Number of controls
A brief overview of the compliance process for the federal sector is shown in the graphic below:
Special Publication 800-53 gives the guidelines for the selection and specification of security controls for systems that support the executive agencies of the federal government. The first control required is the SP 800-53-SC honey client requirement, which seeks to identify malicious clients and web-based malicious code (Gikas, 2010). It requires some isolation so that malicious code discovered in the information system during the search does not affect the system itself. Another control in the compliance requirement is SP 800-53-IR-4(4), incident handling or information correlation (Hulitt & Vaughn, 2010). This control can characterize the nature of a threat, such as a hostile attack, by bringing together information from different sources. SP 800-53-IR-5, incident monitoring, is another control required for compliance. It documents the organization’s information security status by maintaining a record of each incident, the status of the incident and other related information (Gikas, 2010). The IR-6(1) incident reporting control is the next control; it requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period. The control addresses both the specific incident reporting requirements within the organization and the formal reporting of incidents for the federal agencies and their subordinate organizations (Hulitt & Vaughn, 2010). The control is suited to reporting security incidents such as the receipt of suspicious email communications that contain malicious code, while it also reflects the applicable federal laws, executive orders, and other forms of guidance.
Framework to Facilitate Meeting of Compliance Regulations
The NIST framework is another reference that can be used alongside FISMA to facilitate meeting compliance regulations (Hulitt & Vaughn, 2010). This voluntary framework consists of the standards, guidelines, and best practices used in the management of cyber security-related risks. It offers a prioritized, flexible, and cost-effective approach that helps promote and protect the resilience of critical infrastructure and other sectors relevant to the economy and national security (Gikas, 2010). The framework standards are used by the federal agencies to categorize information and information systems based on the objective of providing appropriate levels of information security according to the levels of risk posed. The guidelines, in turn, recommend the types of information and information systems that can be included in each of the identified categories. The framework also comprises the minimum information security requirements, including management, operational, and technical security controls, for the information and information systems included in each category. Overall, the framework complements the FISMA framework in managing risks and ensuring the confidentiality, availability and integrity of information and information systems.
Authorization and Accreditation Process of FISMA
Certification and accreditation is a formal, systematic procedure for evaluating, describing, testing, and authorizing systems both before and after they enter operation (Gikas, 2010). It is a two-step process that aids in achieving high levels of security for information systems (Ross et al., 2005). Certification involves evaluating, testing, and examining the security controls that were pre-determined based on the type of data and the specific type of information system. The certification process also involves identifying weaknesses and putting in place mitigation strategies for the weaknesses identified.
Accreditation, on the other hand, is carried out by accepting the residual risks associated with the continued operation of a system while granting approval to operate for a specified period (Gikas, 2010). In IT governance, authorization and accreditation is normally performed on critical systems to ensure that compliance with security requirements has been technically evaluated. Accredited systems are those whose security compliance has been technically evaluated for optimal performance in a specific environment and configuration.
Application of Risk Management Framework
The risk management framework is a viable tool that can help reduce vulnerabilities in federal information systems through the FISMA process. The framework contains controls for detecting and responding to possible advanced malware. For instance, the FireEye multi-vector virtual execution engine is a mobile solution that detonates suspicious files and web objects within virtual machines built for the purpose of monitoring security at the federal level (Gikas, 2010). The FireEye detection and response solutions are fully integrated through the underlying technologies. The engine identifies possible threats to information while protecting the information system software against sophisticated threats.
The FISMA controls also include central management, which provides users with a single console for managing configurations while correlating activities across the FireEye deployment to reveal multi-stage, multi-vector attack patterns. It also speeds up the reporting and audit process. In addition, Incident Response (IR) teams are available on retainer and bring extensive frontline experience in detecting threats, analyzing them at high speed (Gikas, 2010). The teams help configure information system components as a proactive way of protecting federal information systems. FISMA controls also come with web gateway and data security tools that ensure federal information systems have high levels of detection and reporting of threats to information.
References
Gikas, C. (2010). A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS Standards. Information Security Journal: A Global Perspective, 19(3), 132-141.
Hulitt, E., & Vaughn, R. B. (2010). Information system security compliance to FISMA standard: a quantitative measure. Telecommunication Systems, 45(2-3), 139-152.
Ross, R., Katzke, S., & Toth, P. (2005, October). The new FISMA standards and guidelines changing the dynamic of information security for the federal government. In Military Communications Conference, 2005. MILCOM 2005. IEEE (pp. 864-870). IEEE.