News
3/18/2010
12:25 PM
Adam Ely

10 Steps To Ace A FISMA Audit

Anyone working with a federal agency will face one of these sooner or later. The best way to sail through is to know what auditors are looking for.

InformationWeek Green - Mar. 22, 2010

The Federal Information Security Management Act, known as FISMA, is typically thought to apply only to government organizations. However, contractors and vendors that provide services to, manage systems on behalf of, or maintain close relationships with a government agency may be held to similar standards.

That can be a problem because FISMA regulations are confusing at best and more commonly just plain overwhelming. Not surprisingly, a cottage industry has sprung up of expensive contractors who promise FISMA help.

Here's what they don't want you to know: Staying on the right side of FISMA auditors is a matter of common sense and solid security best practices. You're probably already doing much of what's required if you're complying with other security requirements, like PCI for payment account data security.

What follows are 10 commonsense steps you can take to prepare for a FISMA audit. While basic FISMA compliance won't always meet every government organization's security requirements--for example, you may be required to implement stricter data control requirements or a more involved change control process--you will have a sturdy base to build on.

1. Don't let details overwhelm you.

When FISMA was drafted eight years ago, its six tenets were nothing less than groundbreaking. Where information security had long been an afterthought in most government agencies, it was brought to the forefront and made a requirement.

While these tenets are broad, their intent can be distilled: Agencies and their contractors need to build frameworks to address information security and risk management within their organizations. An accountable party must be tasked with information security, so that it won't fall by the wayside. And the government recognized, possibly for the first time, that the private sector has many benefits to offer in terms of protecting public information assets.

FISMA provides a bare-minimum starting point for organizations to build and take responsibility for their information security programs.

2. Protect the data.

Throughout FISMA, there's an emphasis on protecting information rather than systems. Systems and system security are important, of course, but in most cases, it's the data on these systems that has the most value.

Look at the data that's critical to your organization and the agency you work with. Work outward to the systems, segments, and people around that data. This will not only better align you with FISMA, it will give you a more cost-effective, risk-based security program.
