
CA Tools and FISMA Reporting Systems

2. President's Management Agenda. FISMA Requirement: Department-wide IT Security Program with Subordinate Component Program and System Security Plans (SSP). Certification





Presentation Transcript


    2.

    3. This slide is a little too busy.

    4. Department-wide IT Security Program Organization

    5.

    6.

    7. Add animation to the steps.

    8. CSAM Tasks

    9.

    10.

    11.

    12. CSAM Tasks

    13.

    14.

    15.

    16.

    17.

    18. CSAM Tasks

    19.

    20.

    21.

    22. CSAM Tasks

    23. CSAM C&A Client Risk Assessment Methodology

    24. CSAM Tasks

    25. We use this dashboard as our security report card for each Justice component. Using the CSAM Trusted Agent tool you can click on any icon and drill down to identify the specific system and control that is not meeting the performance goal.

    Our performance goal is 96% completion for each of the 15 elements. The grade is a summary of our performance based on all the elements.

    RISK CONTROLS & POA&Ms: The Risk Controls element is based on the number of all the applicable controls for all systems evaluated in the past year. The next element is the number of evaluated controls that were implemented. The third factor is based on the number of controls that failed the evaluation but are on schedule for correction.

    C&A: For Certification and Accreditation we evaluate the percentage of all our systems with Approval to Operate. We established "ATO quality" controls to ensure all of the NIST-required ATO requirements were met or were aggressively managed, so that we maintain high standards of security for systems with an ATO.

    ACCESS CONTROLS are to ensure firewall and IDS configuration requirements are met. We also check to validate that all systems meet strong password requirements.

    For INCIDENT AND CONTINGENCY MANAGEMENT we validate reporting as described in our incident response plan. We also conduct an annual DOJ-wide incident response and contingency plan exercise and document the results.

    TRAINING is key to our improvement. We track completion of annual awareness training for each Justice employee and contractor. We also track specific security training of IT professionals such as system administrators, security officers, incident responders, certification authorities and Approving Officials.

    26. Report Card: Controls Evaluated_Reportcard

    27. POA&M Timeliness_Reportcard

    28. CSAM Tasks

    29. Workflow Management: Controls Evaluated_Reportcard

    30.

    31.

    32. CSAM Tasks

    33.

    34.

    35.

    36.

    37. Add animation to the steps.
