Risk Manager™ has a new Checklist for compliance with U.S. law

Checklist will help organizations comply with FISMA

Módulo Security, the Risk Assessment, Compliance and Knowledge Management Company, is launching a new checklist for Risk Manager™, the company's Risk Assessment, Compliance and Knowledge Management System: the FISMA Checklist. The checklist was developed to help government-owned companies comply with the Federal Information Security Management Act (FISMA), a law passed by the U.S. Congress regulating information security in government organizations.

FISMA
FISMA was passed by the U.S. Congress in 2002 with the purpose of defining a structure to guarantee the effectiveness of information security controls in federal government operations. The law requires federal agencies to implement comprehensive information security programs aimed at identifying and addressing risks in the government's IT area, which includes agencies such as the Department of Defense (DoD) and the Central Intelligence Agency (CIA).

The National Institute of Standards and Technology (NIST) is responsible for developing the American government's technical security standards and defining the controls to be implemented by government organizations. For this purpose, NIST has developed a set of controls for compliance with FISMA, which are specified in the document "Recommended Security Controls for Federal Information Systems". "The new checklist for FISMA was developed based on the document issued by NIST and on the controls it contains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Contingency Planning and others", says Alberto Bastos, founding partner of Módulo Security.

In addition to governing the activities performed by federal organizations, FISMA also requires these institutions to send annual reports to the Office of Management and Budget (OMB) describing the security posture of their IT departments, with the assistance and supervision of independent internal and external auditors.

New Checklist
Using this new checklist, security managers of federal agencies will be able to check conformity with the controls determined by NIST for compliance with FISMA. Additionally, the system makes it possible to generate an action plan (as defined in the "Plan of Action and Milestone" model, POA&M) directed toward increasing observance of the regulations imposed by the U.S. Congress.

This way, managers can focus their actions on what actually generates the most risk to information security, using the checklist to collect information and to recommend best practices for maintaining security and compliance with FISMA.

For a better understanding of how Risk Manager™ can help these professionals, here are some of the benefits of the FISMA checklist:

• Automating the application of the controls and specifications established by NIST
• Supplying managerial reports that allow assessment of the risk level to which the IT department is exposed
• Providing technical advice on implementing the controls and minimizing security risks and failures
• Maintaining a permanently updated knowledge base that disseminates knowledge throughout the organization
• Automating the issuing of reports to support the planning of security actions
• Providing an action plan and action priorities, as defined in the "Plan of Action and Milestone" model (POA&M)


Contact us
US toll free: +1 866 663 5802
Phone: +1 973 744 1617