Security Compliance An Issue For Government And Businesses
NetIQ introduces templates for its Security Compliance software suite to help government agencies tackle access control, audit and accountability, configuration management, and identification and authentication.
Compliance with the Federal Information Security Management Act, or FISMA, is one of the most daunting challenges that government chief information security officers face this year. Part of the 2002 E-Government Act, FISMA requires each federal agency to develop, document, and implement comprehensive information-security policies and practices to deal with security threats that concern government entities and businesses alike.
Knowing that federal IT security managers are devoting an increasing amount of time and resources to comply with FISMA, systems and security management vendor NetIQ Corp. on Monday introduced FISMA-specific templates for its Security Compliance software suite. The four templates tackle access control, audit and accountability, configuration management, and identification and authentication, automating the IT security-auditing process for federal agencies now required to submit security-related systems assessments annually to the White House's Office of Management and Budget. The templates produce reports for security managers that indicate their IT systems' level of compliance and ways in which they can improve their compliance scores.
NetIQ based the templates on the National Institute of Standards and Technology's (NIST) SP800-53 guidelines. Finalized in February, SP800-53 outlines the management, operational, and technical safeguards necessary to comply with FISMA. These policy templates expand NetIQ's existing library of policy templates, which already cover the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, ISO 17799, and the Center for Internet Security benchmarks.
NetIQ's template technology replaces more laborious security auditing processes, says Bill Bergman, data security manager for Omnicare Clinical Research, a provider of new drug development and marketing services to pharmaceutical companies. Although Omnicare won't use the new FISMA templates, the company recently implemented NetIQ's Vulnerability Manager and Security Manager software to help comply with Sarbanes-Oxley and HIPAA.
The templates provided by the Vulnerability Manager and Security Manager products pre-define the way a server should be configured to comply with, for example, Sarbanes-Oxley's minimum requirements and point out any configurations that are out of compliance. "It takes the burden of building these templates off of us," Bergman says. Previously, "we had to log on and go through the various settings on each machine to check compliance."
FISMA is structurally similar to Sarbanes-Oxley in that organizations are required to ensure that appropriate security controls are in place, that IT configurations are secured, and that IT organizations adhere to best practices, says Greg Davoll, NetIQ group product manager of security management solutions. "The sense of urgency is great around FISMA because the agencies understand that this isn't going away, and there's an expectation their compliance will improve over time," he adds.
This sense of urgency is apparently resonating with federal chief information security officers. The top three security concerns of federal CISOs include network compromise, patch management, and FISMA compliance, according to an August report issued by systems integrator Intelligent Decisions Inc. The report also found that federal CISOs this year are spending 23% more time on FISMA compliance reporting than they were a year ago. Agencies including the Homeland Security Department have already come under fire from the Government Accountability Office, Congress' investigative arm, for their inability to protect their data and IT systems.