Page 1: Federal Information System Controls Audit Manual …m.isaca.org/chapters2/jacksonville/events/Documents/FISCAM... · Controls provide reasonable assurance that changes to information

Federal Information System Controls Audit Manual

April 13, 2016

(FISCAM)

1

Page 2

Sherry Doub, CISA, CRMA, MSCIS

• Currently with KPMG, Federal Advisory, Federal Attestation (KPMG Virtual Advisory Team)

• Jacksonville Beach native

• Past employment with Banking and Insurance industry corporations in Jacksonville

• Bachelor's-level instructor

– Jones College, private institutions (CIS) and ITT Technical Institute (Information Systems Risk Management)

Page 3

RMF and FISCAM

Risk Management Framework and

Federal Information Systems Controls Audit Manual

Page 4

Risk Management Framework

• The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its contractors. The stated goals of RMF are:

– To improve information security

– To strengthen risk management processes

– To encourage reciprocity and uniformity among federal agencies

• The NIST risk management framework is governed by a handful of documents known as special publications, including SP 800-37, SP 800-39 and the security controls known as SP 800-53, which defense agencies will adopt in implementing cybersecurity safeguards.

Page 5

DIACAP

• The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) control environment evaluation process that certifies and accredits system control environments so that government agencies and departments apply risk management to information systems (IS).

• Having too few controls implemented makes a system highly vulnerable to attack, and where too many controls are put in place, valuable resources are wasted with no tangible benefit. These two extreme scenarios leave system owners with several challenges, specifically:

– Is there any established process for defining “adequate” security for each system?

– How many controls should be considered, and specifically what should those controls be?

– Is there any standard list of controls to choose from?

– Who, within the organization, is ultimately accountable for any breaches of or in the system?

Page 6

While the DoD used DIACAP, the rest of the Federal Government and the Intelligence Community used completely different C&A processes and control sets, making interconnectivity between these systems virtually impossible without a lengthy discovery and translation process.

Page 7

DIACAP

• The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a US Department of Defense (DoD) control environment evaluation process that is meant to ensure that companies and organizations apply risk management to information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation of information systems, and maintains the information assurance posture throughout the system life cycle.

• NOTE: As of March 12, 2014 (though the official transition will take place as of May 2015), the DIACAP is to be replaced by the "Risk Management Framework (RMF) for DoD Information Technology (IT)". Although re-accreditations continue through late 2016, systems that have not yet started accreditation by May 2015 will transition to RMF processes.[1] The DoD RMF aligns with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).[2][3]

Page 8

Comparison

• Standard Controls: With the move to RMF, federal agencies will all move to the NIST SP 800-53 Rev 4 control set, standardizing the controls used across Federal Government agencies.

• Continuous Monitoring & Authorization: the focus moves away from paperwork. Emphasis shifts to continuous monitoring of the system for security-relevant events.

Page 9

Comparison

• Stronger Integration with SDLC: Security is strongest when it’s “baked” into a system while that system is still being developed.

• Renewed Focus on Reciprocity: If all systems are categorized, analyzed, secured, assessed and authorized using the same guidelines and standards

• Real Time Reporting: Through the RMF process

Page 10

Comparison

• Improved System Categorization: The three main objectives of information security are Confidentiality, Integrity and Availability (CIA). Currently, there are several processes in place, resulting in confusion about exactly how to categorize systems. RMF will adopt a new system using the actual CIA objectives. Under this mechanism, each of the three objectives is rated High (H), Moderate (M) or Low (L) for each system.

Page 11

6 Steps

• RMF effectively transforms traditional DIACAP (Certification and Accreditation) programs into a six-step life cycle process consisting of:

– Categorization of information systems

– Selection of security controls

– Implementation of security controls

– Assessment of security controls

– Authorization of information systems

– Monitoring of security controls

Page 12

Guidance

• Complete specification of security controls (requirements) and system categorization methodology are now provided in NIST SP 800-53 (Security and Privacy Controls for Federal IS) and CNSSI 1253 (Security Categorization and Control Selection).

• CNSSI – Committee on National Security Systems issuances

• NIST – National Institute of Standards and Technology (follows ITIL research)

Page 13

What is NIST SP 800-53?

• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security controls for all U.S. federal information systems except those related to national security.

• On the NIST website: NIST Special Publications > SP 800-53 Rev. 4: Apr 2013 http://csrc.nist.gov/publications/PubsSPs.html

Where is NIST located?

Page 14

What is FISCAM?

• FISCAM (version February 2, 2009) presents a methodology for performing information system control audits of Federal and other governmental entities in accordance with professional standards

• Control activities are consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 for complying with the Federal Information Security Modernization Act of 2014 (FISMA).

• FISMA requires federal agencies to develop, document, and implement agency-wide programs to ensure information security

• U.S. Government Accountability Office (GAO) and the President’s Council on Integrity and Efficiency (PCIE)

• On the GAO website: www.gao.gov/special.pubs/fiscam.html

Page 15

FISCAM General Control Areas

• Security Management

• Access Controls

• Configuration Management

• Contingency Planning

• Segregation of Duties

• Business Process Controls

• Interface Controls

http://www.gao.gov/new.items/d09232g.pdf

Page 16

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Security Management

Controls provide reasonable assurance that security management is effective, including effective:

• security management program,

• periodic assessments and validation of risk,

• security control policies and procedures,

• security awareness training and other security-related personnel issues,

• periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices,

• remediation of information security weaknesses, and

• security over activities performed by external third parties.

Page 17

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Access Controls

Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals, including effective:

• protection of information system boundaries,

• identification and authentication mechanisms,

• authorization controls,

• protection of sensitive system resources,

• audit and monitoring capability, including incident handling, and

• physical security controls.

Page 18

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Configuration Management

Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective:

• configuration management policies, plans, and procedures,

• current configuration identification information,

• proper authorization, testing, approval, and tracking of all configuration changes,

• routine monitoring of the configuration,

• updating software on a timely basis to protect against known vulnerabilities, and

• documentation and approval of emergency changes to the configuration.

Page 19

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Segregation of Duties

Controls provide reasonable assurance that incompatible duties are effectively segregated, including effective:

• segregation of incompatible duties and responsibilities and related policies, and

• control of personnel activities through formal operating procedures, supervision, and review.

Page 20

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Contingency Planning

Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur, including effective:

• assessment of the criticality and sensitivity of computerized operations and identification of supporting resources,

• steps taken to prevent and minimize potential damage and interruption,

• comprehensive contingency plan, and

• periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing.

Page 21

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

BUSINESS PROCESS APPLICATION CONTROLS

• Completeness – controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.

• Accuracy – controls provide reasonable assurance that transactions are properly recorded, with correct amount/data, and on a timely basis (in the proper period); key data elements input for transactions are accurate; data elements are processed accurately by applications that produce reliable results; and output is accurate.

• Validity – controls provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management’s authorization; and (2) that output contains only valid data.

• Confidentiality – controls provide reasonable assurance that application data and reports and other output are protected against unauthorized access.

• Availability – controls provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed.

Page 22

INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Four business process application control level categories:

• supporting critical elements,

• critical activities,

• potential control techniques, and

• suggested audit procedures

• What is the difference between Application Controls and General IT Controls?

Page 23

Application Controls vs. General IT Controls

Control Type: Application Controls

Description: Application controls (manual or automated) are procedures that operate at a business process level (application transactions)

Examples: Mathematical accuracy; Accounts and trial balance; System access restrictions; Automated edit checks (input data); Manual follow-up on exception reports

Control Type: General IT Controls

Description: GITCs are policies/procedures that relate to IT applications and support effective application functioning (mainframes, end-user computing, client server (UNIX), servers)

Examples: Program changes; Access to programs and data; Segregation of duties; Program development; Computer operations; BCP/COOP

Page 24

Audit Methodology

1. Document an understanding of the entity-level system and relevant controls

2. Link IT applications to financial processes

3. Identify Information Technology Application Controls (ITACs) and system generated reports (SGRs)

4. Link FISCAM GITCs to key ITACs and test relevant GITCs

5. Test design and effectiveness of ITACs as they affect the completeness and accuracy of the SGRs

6. Determine if any additional test of effectiveness is required for GITCs that impact the completeness and accuracy of financial reporting

Page 25

Audit Methodology

Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS risk and the audit objectives. The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques. (Test of Design)

Page 26

Audit Methodology

If sufficient, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively. Also, the auditor should evaluate the nature and extent of testing performed by the entity. Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing. (Test of Effectiveness)

Page 27

GITCs - FISCAM vs. NIST vs. COBIT

FISCAM -> NIST

Security Management (SM & AS) -> Security Planning (PL)

Access Controls (AC & AS) -> Access Controls (AC)

Configuration Management (CM & AS) -> Configuration Management (CM)

Segregation of Duties (SD & AS) -> Access Controls (AC)

Contingency Planning (CP & AS) -> Contingency Planning (CP)

Page 28

COBIT and NIST CyberSecurity (NIST SP800-53)

• ISACA’s COBIT 5 is included as an informative reference in the core of the NIST US Cybersecurity Framework, which launched in February of 2014 and is aimed at helping improve cybersecurity at critical infrastructure systems.

• “COBIT is now serving an important role supporting the nation’s cybersecurity direction,” said Meenu Gupta, CISA, CISM, president of Mittal Technologies and a member of ISACA’s Government and Regulatory Advocacy Committee. “Leaders from around the world collaborated to ensure COBIT 5 is timely, relevant, and practical for today’s enterprises, and NIST’s inclusion of it further demonstrates that COBIT can truly transform an enterprise’s cybersecurity initiatives.”

Page 29

COBIT and NIST CyberSecurity (NIST SP800-53)

• “ISACA recognizes these needs and is committed to help advance the cybersecurity workforce, fill a global skills gap, and help enterprises worldwide protect their information and technology,” said Ron Hale, Ph.D., CISM, acting CEO of ISACA. “Our practical research, education, training and certification programs help cybersecurity professionals through every step of their careers, and help them develop the skills that companies critically need.”

• ISACA’s cybersecurity resources are available at www.isaca.org/cyber, and the COBIT framework can be downloaded free of charge at www.isaca.org/cobit. The US Cybersecurity Framework is available here.

Page 30

FISCAM mapping examples

• Security Management (SM)

– Information systems are inventoried, assets are categorized and systems are adequately backed up

– Security Awareness and Training is required

– The System Security Plan is updated every three years

– Management action plans address root cause

– Security Control Policies and Procedures are monitored.

Page 31

FISCAM mapping examples

• Access Controls (AC)

– Terminated employees’ access is disabled in a timely manner

– Audit logs are adequately monitored

– Annual user access recertification

– Password configuration is adequate

– Unique user IDs

– Use of tokens
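The first and fifth Access Control mapping items above, written as the kind of test script an IT auditor would run against an HR termination feed and a directory export. This is an added example, not from the presentation or from FISCAM; the employee ids, user ids, dates and the three-day disablement threshold are all constructed.

```python
"""Audit tests for two FISCAM Access Control mapping examples:
terminated employees' access disabled timely, and unique user IDs.
Added example; all data below is constructed for illustration."""
from datetime import date, timedelta

# Constructed HR termination feed: employee id -> termination date
TERMINATIONS = {
    "E100": date(2016, 3, 1),
    "E101": date(2016, 3, 10),
    "E102": date(2016, 3, 15),
}

# Constructed directory export: one row per account
ACCOUNTS = [
    {"userid": "jdoe", "employee": "E100", "enabled": False, "disabled_on": date(2016, 3, 2)},
    {"userid": "asmith", "employee": "E101", "enabled": True, "disabled_on": None},
    {"userid": "bkim", "employee": "E102", "enabled": False, "disabled_on": date(2016, 3, 30)},
    {"userid": "shared_ops", "employee": "E200", "enabled": True, "disabled_on": None},
    {"userid": "shared_ops", "employee": "E201", "enabled": True, "disabled_on": None},
]

# Constructed "as of" date for the audit period
AUDIT_DATE = date(2016, 4, 13)


def terminated_access_exceptions(terminations, accounts, as_of, max_days=3):
    """Return (userid, reason, days) for accounts of terminated employees that
    were not disabled within max_days of termination. An account that is still
    enabled is reported with the number of days it has been open since termination."""
    exceptions = []
    for acct in accounts:
        term = terminations.get(acct["employee"])
        if term is None:
            continue  # still employed: out of scope for this test
        deadline = term + timedelta(days=max_days)
        if acct["enabled"] or acct["disabled_on"] is None:
            exceptions.append((acct["userid"], "still enabled", (as_of - term).days))
        elif acct["disabled_on"] > deadline:
            exceptions.append((acct["userid"], "disabled late", (acct["disabled_on"] - term).days))
    return exceptions


def duplicate_userids(accounts):
    """Return {userid: [employee ids]} for any user id assigned to more than one
    person, which defeats individual accountability (the 'unique userid' item)."""
    owners = {}
    for acct in accounts:
        owners.setdefault(acct["userid"], set()).add(acct["employee"])
    return {uid: sorted(emps) for uid, emps in owners.items() if len(emps) > 1}


if __name__ == "__main__":
    for row in terminated_access_exceptions(TERMINATIONS, ACCOUNTS, AUDIT_DATE):
        print("EXCEPTION:", row)
    print("shared user ids:", duplicate_userids(ACCOUNTS))
```

In a real engagement the threshold comes from the entity's own policy, and each exception is traced back to a ticket before it is written up as a finding.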

Page 32

FISCAM mapping examples

• Configuration Management (CM)

– Change Approvals

– Code Repository/Versioning/Builds are verified

– Baseline and Operational Configuration of the hardware, software, and firmware

– Platform Patches

– Separate Environments

– Production Validation

– Application Vulnerability Scans

– Security Software

Page 33

FISCAM mapping examples

• Contingency Planning (CP)

– Business Continuity Plan

– Disaster Plan

– Data and Program Backups at secure locations

– Periodic review and testing of plans

Page 34

FISCAM mapping examples

• Segregation of Duties (SD)

– Segregation of Duties Policy and Procedure

– Documented job descriptions

– Access Conflict Matrix

– Personnel Procedure Manuals

– Management reviews user activities
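The Access Conflict Matrix item above, applied in code: role assignments exported from an application are checked against a matrix of incompatible role pairs, with documented management exceptions excluded from the findings. This is an added example, not from the presentation or FISCAM; the role names, conflict pairs, assignments and the approved-exception list are constructed, and the developer/production-deploy pair is included to tie the check to the Separate Environments item on the Configuration Management slide.

```python
"""Segregation of Duties test driven by an access conflict matrix.
Added example; every role name and assignment below is constructed."""
from itertools import combinations

# Constructed conflict matrix: pairs of roles one person must not hold together
CONFLICT_MATRIX = {
    frozenset({"vendor_maintenance", "payment_approval"}),
    frozenset({"payment_entry", "payment_approval"}),
    frozenset({"developer", "production_deploy"}),
}

# Constructed role assignment export from the application: user -> roles
ASSIGNMENTS = {
    "alice": {"payment_entry", "reporting"},
    "bob": {"developer", "production_deploy"},
    "carol": {"vendor_maintenance", "payment_approval", "reporting"},
    "dave": {"payment_approval"},
}

# Constructed list of conflicts management has formally accepted with a
# compensating control (e.g. independent review of bob's deployments)
APPROVED_EXCEPTIONS = {("bob", frozenset({"developer", "production_deploy"}))}


def sod_violations(assignments, matrix, approved=frozenset()):
    """Return {user: [[role_a, role_b], ...]} for every user holding a role pair
    that appears in the conflict matrix and is not covered by an approved exception."""
    findings = {}
    for user, roles in assignments.items():
        for pair in combinations(sorted(roles), 2):
            key = frozenset(pair)
            if key in matrix and (user, key) not in approved:
                findings.setdefault(user, []).append(list(pair))
    return findings


def conflict_matrix_coverage(assignments, matrix):
    """Roles in use that appear in no conflict pair. A matrix that has not kept
    up with the roles actually assigned is itself worth raising with management."""
    in_use = set().union(*assignments.values())
    covered = set().union(*matrix)
    return sorted(in_use - covered)


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS, CONFLICT_MATRIX, APPROVED_EXCEPTIONS).items():
        print("SoD conflict:", user, pairs)
    print("roles not covered by the matrix:", conflict_matrix_coverage(ASSIGNMENTS, CONFLICT_MATRIX))
```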

Page 35

Any questions?

Thank you for attending the April ISACA Jacksonville Chapter meeting.
