Key Secrets to Be in the Good Graces of the FISMA Auditors
Yes, it is a given: if you are in the data center world and want to hang around for many more years with a spotless reputation, then you will be audited. What may appear as a challenge to some is also an opportunity to set yourself apart in the industry as a company that values customer data and ensures its privacy. The Federal Information Security Management Act (FISMA) applies to all government agencies, and also to data centers that have a close relationship with government organizations.
So, what does it take to be FISMA compliant, apart from a great deal of common sense?
- Protect the data: Though systems and people form an integral part of the data center environment, the key is to work with the government agencies to identify the critical data, and then develop a plan for protecting it.
- Operate knowing that some level of risk is acceptable: The FISMA guidelines state that hosts must find the most cost-effective manner of being compliant, which means that some prudence needs to be exercised when fulfilling the federal guidelines.
- Have someone with the responsibility and authority to manage data security: There should always be one person who owns the details in such a complex system.
- Documentation is key: This is the truth, or the facts, behind any compliance system. What is not written down does not exist when it comes to the audit checks. Therefore, key artifacts such as budgets, plans and reports must be maintained in a timely and organized fashion.
- Continuous Monitoring: FISMA mandates monitoring of security controls, configuration changes, reporting activities and other system changes. It is important to bring in the right tools to aid the monitoring process with logging and reporting in the desired formats.
- Annual testing of controls: The guidelines require that organizations test their compliance controls on an annual basis. They should be in a position to provide evidence of their tests and also to show improvements and corrections following tests that were not satisfactory.
Being FISMA compliant is a lot easier once the overwhelming details are simplified. If your enterprise is regulated by FISMA, do not take FISMA compliance lightly. Talk to the leaders in the arena to get the right directions for success.