Managing security in a large corporation can be daunting, which is why the U.S. government has made a concerted
effort to standardize best security practices. The Federal Information Security Management Act (FISMA) not only mandates the processes for information systems used by federal agencies and by contractors working with the government, but also provides an excellent security baseline for any large organization.
From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates, Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.
OpenFISMA can help: it automates the compliance process by using a platform-independent OSS Web application framework (Apache, MySQL, PHP) to manage the workflow. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation.
To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.
OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.
Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.
About the author:
Scott Sidel is an ISSO with Lockheed Martin. For more recommendations from the author, check out Scott Sidel's Downloads.