Governance and cybersecurity risk management are fundamental to an effective information security program
FISMA Evaluation
Challenge
Implementing an information security program is a unique challenge for Federal agencies due to the inherent complexities of technology and the evolving landscape of security. However, the Federal Information Security Management Act (FISMA)[1] law has created an urgency and necessity for agencies to implement effective information security programs. Since its inception, agencies have struggled to meet the standards set by FISMA. In order to enable agencies to improve information security program implementation, FISMA standards shifted to focus on effective risk management practices, and in particular on integrating cybersecurity risk management into Federal enterprise risk management (ERM) programs.
Williams Adley was hired by an Office of Inspector General (OIG) seeking assistance in supporting their Agency in maturing their information security program. The Agency was having difficulty balancing operations and meeting the stringent information security program best practices established by FISMA. Our audit team’s challenge was to clarify FISMA requirements and then effectively complete the annual FISMA evaluations so the Agency could begin to implement an effective information security program.
Solution
The Williams Adley audit team’s solution to assist the Agency’s OIG in improving the Agency’s program was to conduct effective FISMA audits and to deliver recommendations aimed at the root causes of the weaknesses identified. Careful consideration determined that two key root causes were the lack of appropriate governance over the program implementation and the lack of sound cybersecurity risk management policies and practices integrated within the Agency’s ERM program.
To implement our solution, Williams Adley relied on its understanding of National Institute of Standards and Technology (NIST) guidance[2] regarding effective cybersecurity risk management practices, as well as the integration of this guidance into ERM programs. Williams Adley also leveraged root cause analysis techniques and the philosophy that people are the most important factor when implementing effective practices. These two steps then enabled the Williams Adley audit team to provide targeted solutions via the audit recommendation and reporting processes.
However, the Williams Adley audit team understood it would take several years for the agency to mature its information security program. Accordingly, over the years, the team met frequently with the OIG and the auditee and provided numerous briefs and documentation (including Notices of Findings and Recommendations [NFRs] and annual reports) that explained the recurring issues identified, best practices of cybersecurity risk management, and detailed recommendations to the agency to improve their information security program one step at a time. The recommendations focused on a two-pronged approach to developing the program. Firstly, and most importantly, recommendations were made to empower process owners and those charged with governance (e.g., the Chief Information Officer and Chief Information Security Officer) to report on cybersecurity risk and its potential adverse effect on the agency via the ERM program. Secondly, recommendations were made for the agency to develop sound cybersecurity risk management strategies, plans, policies, and procedures so process owners could communicate with those completing the risk management processes and provide effective guidance.
Impact
Williams Adley’s efforts resulted in a positive impact for the OIG and the Agency under audit. Our solution resulted in the following two key achievements:
Our solution resulted in measurable improvements to the Agency’s maturity rating on the annual FISMA evaluations through the development of stronger leadership and sound policies and procedures to guide the program.
Our recommendations and FISMA reports enhanced the Agency’s understanding of effective cybersecurity risk management and its key role in implementing effective operations and mission achievement.
Going forward, if the Agency continues to implement our solution, the Agency will not only meet the requirements established by FISMA but will also have more assurance that its cybersecurity risks are managed sufficiently, which will continue to promote mission achievement.
Footnotes:
Updated as the Federal Information Security Modernization Act of 2014.
NIST Special Publication 800-37, 39, 53, 137, NIST Interagency or Internal Report (NISTIR) 8286.