The Federal Information Security Management Act, known as FISMA, is typically thought to apply only to government organizations. However, contractors and vendors that provide services to, manage systems on behalf of, or maintain close relationships with a government agency may be held to similar standards.
That can be a problem because FISMA regulations are confusing at best and more commonly just plain overwhelming. Not surprisingly, a cottage industry has sprung up of expensive contractors who promise FISMA help.
Here's what they don't want you to know: Staying on the right side of FISMA auditors is a matter of common sense and solid security best practices. You're probably already doing much of what's required if you're complying with other security requirements, like PCI for payment accounts data security.
What follows are 10 commonsense steps you can take to prepare for a FISMA audit. While basic FISMA compliance won't always meet every government organization's security requirements--for example, you may be required to implement stricter data control requirements or a more involved change control process--you will have a sturdy base to build on.
1. Don't let details overwhelm you.
When FISMA was drafted eight years ago, its six tenets were nothing less than groundbreaking. Where information security had long been an afterthought in most government agencies, it was brought to the forefront and made a requirement.
While these items are broad, their intent can be distilled: Agencies and their contractors need to build frameworks to address information security and risk management within their organizations. An accountable party must be tasked with information security, so that it won't fall by the wayside. And the government recognized, possibly for the first time, that the private sector has many benefits to offer in terms of protecting public information assets.
FISMA provides a bare-minimum starting point for organizations to build and take responsibility for their information security programs.
2. Protect the data.
Throughout FISMA, there's an emphasis on protecting information rather than systems. Systems and system security are important, of course, but in most cases, it's the data on these systems that has the most value.
Look at the data that's critical to your organization and the agency you work with. Work outward to the systems, segments, and people around that data. This will not only better align you with FISMA, it will give you a more cost-effective, risk-based security program.
Download the Mar. 22, 2010 issue of InformationWeek