My agency has a history of failing its annual FISMA audit, despite efforts to bolster our programs. How can we better prepare for the audits and be sure to pass this time?
The Federal Information Security Management Act of 2002 (FISMA) was an early attempt to apply consistent security standards across federal government IT organizations. It uses a risk-based approach to protect information and information systems run by the federal government. FISMA received renewed attention in the wake of recent major government security incidents, such as the compromise of background investigation records at the Office of Personnel Management.
Agencies that consistently fail their FISMA audits should direct a significant amount of attention to their next audit cycle. The public's attention is justifiably focused on federal information security issues, and agencies that run afoul of FISMA requirements are likely to find their leaders testifying on C-SPAN and receiving unwanted attention.
Of course, the most important way to prepare for a FISMA audit is to ensure the agency has a robust set of security controls that adequately manage risk. Assuming that is the case, the next important step is to ensure auditors can easily verify the risk assessment process and the presence and effectiveness of security controls. Maintain an audit trail that clearly demonstrates the controls that are in place and how they are incorporated into routine security activities. The more an agency can organize the documentation of its work, the better. If you clearly present evidence to an auditor that you are satisfying control objectives, they won't need to dig for it.