14. Review and update security plans and control documentation
15. Approval: Management Review
16. Prepare for external audits
17. Participate in external audits
18. Address audit findings
19. Revise procedures as necessary based on audit findings
20. Approval: Revised Procedures
Identify and classify information systems
This task involves identifying and classifying the information systems used within the organization. It is important to understand the different types of systems and their roles in order to effectively assess and manage their security. The desired result is a comprehensive list of all information systems and their classifications. To complete this task, you will need knowledge of the organization's infrastructure and systems, as well as access to relevant documentation or resources. Possible challenges include outdated or incomplete documentation. In such cases, consult with system owners or conduct interviews to obtain the necessary information.
Classification:
1. Highly Sensitive
2. Sensitive
3. Public
System type:
1. Application
2. Database
3. Server
Create a system security plan
The system security plan (SSP) is a key document that outlines the security controls and requirements for an information system. It serves as a roadmap for implementing and managing security measures. The desired result is a comprehensive and up-to-date SSP for each system. To create the SSP, you will need knowledge of the system's architecture, the security controls that need to be implemented, and any relevant policies or regulations. Be sure to consult with system owners and security experts during the creation process. Possible challenges include coordinating inputs from multiple stakeholders and ensuring alignment with organizational policies and guidelines.
Identify, assess and prioritize risks
This task involves identifying, assessing, and prioritizing risks to the information systems. It is important to understand the potential threats and vulnerabilities in order to implement appropriate security controls. The desired result is a comprehensive risk assessment report and a prioritized list of risks. To complete this task, you will need knowledge of the organization's systems, potential threats, and vulnerabilities. You may also need to conduct interviews or collaborate with subject matter experts to gather relevant information. Possible challenges include incomplete or outdated risk assessment methodologies. In such cases, consult with industry best practices or seek guidance from security experts.
Threats:
1. Malware
2. Unauthorized Access
3. Data Breach
4. Physical Theft
5. System Failure
Vulnerabilities:
1. Weak Passwords
2. Outdated Software
3. Lack of User Training
4. Insider Threats
5. Poor Physical Security
Security controls:
1. Encryption
2. Access Control
3. Monitoring
Design and implement necessary security controls
This task involves designing and implementing necessary security controls based on the identified risks. The security controls should be aligned with the organization's policies and regulations. The desired result is a set of implemented security controls that mitigate the identified risks. To complete this task, you will need knowledge of the system's architecture, the identified risks, and applicable security control frameworks. Consult with system owners and security experts to ensure the selected controls are appropriate. Possible challenges include resource constraints and potential conflicts with existing controls or processes.
Security controls:
1. Firewall
2. Intrusion Detection System
3. Access Control List
4. Data Encryption
5. Backup and Recovery
Document security controls
This task involves documenting the implemented security controls for each information system. Documentation is important for ensuring consistency and providing a reference for future audits and assessments. The desired result is comprehensive, up-to-date documentation of security controls. To complete this task, you will need knowledge of the implemented controls, the system architecture, and applicable documentation standards. Review existing documentation and consult with system owners and security experts to ensure accuracy and completeness. Possible challenges include maintaining documentation consistency across multiple systems and keeping documentation up to date as control configurations change.
Approval: Security Control Documentation
Will be submitted for approval:
Document security controls
Test and evaluate security control effectiveness
This task involves testing and evaluating the effectiveness of the implemented security controls. It is important to validate that the controls are functioning as intended and are effectively mitigating the identified risks. The desired result is a test report that assesses the effectiveness of the controls and identifies any issues or vulnerabilities. To complete this task, you will need knowledge of the implemented controls, testing methodologies, and applicable regulations or standards. Conduct thorough testing, document the results, and consult with system owners and security experts to analyze the findings. Possible challenges include resource constraints for comprehensive testing and addressing issues identified during testing.
Develop plan to remediate identified weaknesses
This task involves developing a plan to remediate the weaknesses and vulnerabilities identified during the security control testing. The plan should outline the steps required to address the weaknesses and improve the effectiveness of the controls. The desired result is a comprehensive remediation plan with assigned responsibilities and timelines. To complete this task, you will need knowledge of the identified weaknesses, available resources, and remediation best practices. Collaborate with system owners, security experts, and relevant stakeholders to design an effective plan. Possible challenges include conflicting priorities, resource limitations, and the need for approval or coordination with multiple teams.
Remediation actions:
1. Patch or Update Software
2. Strengthen Access Controls
3. Provide User Training
4. Improve Physical Security
5. Enhance Monitoring Mechanisms
Implement remediation plan
This task involves implementing the remediation plan developed to address the weaknesses and vulnerabilities identified during the security control testing. The plan should be executed in a timely manner and in accordance with established procedures. The desired result is the successful implementation of the remediation actions outlined in the plan. To complete this task, you will need knowledge of the remediation plan, available resources, and the system's infrastructure. Coordinate with relevant stakeholders, conduct necessary configuration changes or updates, and ensure the plan is executed effectively. Possible challenges include resource constraints, potential disruptions to system operations, and coordinating activities across multiple teams.
Re-test remediated controls
This task involves re-testing the security controls that have been remediated to ensure their effectiveness and validate that the weaknesses or vulnerabilities have been addressed. It is important to validate the remediation actions before moving to the next phase of the compliance process. The desired result is a test report that confirms the effectiveness of the remediated controls and documents any remaining issues. To complete this task, you will need knowledge of the remediation plan, the system's architecture, and testing methodologies. Conduct thorough testing, document the results, and consult with system owners and security experts to validate the effectiveness of the remediation actions. Possible challenges include addressing any remaining issues identified during testing and coordinating re-testing activities with system owners and stakeholders.
Approval: Remediation Effectiveness
Will be submitted for approval:
Test and evaluate security control effectiveness
Develop plan to remediate identified weaknesses
Implement remediation plan
Re-test remediated controls
Develop continuous monitoring strategy
This task involves developing a continuous monitoring strategy to ensure ongoing compliance with security requirements. Continuous monitoring allows for the proactive identification and resolution of security issues or vulnerabilities. The desired result is a comprehensive strategy that outlines the monitoring processes, tools, and frequency. To complete this task, you will need knowledge of the organization's systems, relevant regulations or standards, and monitoring best practices. Collaborate with system owners, security experts, and relevant stakeholders to design an effective strategy. Possible challenges include resource constraints, defining appropriate monitoring metrics, and ensuring alignment with organizational goals or policies.
Monitoring processes:
1. Security Event Log Monitoring
2. Vulnerability Scanning
3. Penetration Testing
Monitoring frequency:
1. Daily
2. Weekly
3. Monthly
4. Quarterly
5. Annually
Implement continuous monitoring strategy
This task involves implementing the continuous monitoring strategy developed to ensure ongoing compliance with security requirements. The strategy should be executed in a timely manner and in accordance with established procedures. The desired result is the successful implementation of the monitoring processes outlined in the strategy. To complete this task, you will need knowledge of the monitoring strategy, available resources, and the system's infrastructure. Coordinate with relevant stakeholders, configure monitoring tools or systems, and ensure the strategy is executed effectively. Possible challenges include resource constraints, potential disruptions to system operations, and coordinating activities across multiple teams.
Review and update security plans and control documentation
This task involves reviewing and updating the security plans and control documentation in accordance with changes to the system or security requirements. It is important to keep the documentation up-to-date and aligned with the current state of the information system. The desired result is comprehensive and accurate security plans and control documentation. To complete this task, you will need knowledge of the system, updates or changes that have occurred, and any relevant policies or regulations. Review existing documentation, consult with system owners and security experts, and document any necessary updates or changes. Possible challenges include coordinating updates across multiple systems, capturing all relevant changes, and ensuring consistency across documentation.
Approval: Management Review
Will be submitted for approval:
Develop continuous monitoring strategy
Implement continuous monitoring strategy
Review and update security plans and control documentation
Prepare for external audits
This task involves preparing the necessary documentation, evidence, and processes for an external audit of the organization's compliance with FISMA requirements. External audits provide an independent assessment of the organization's security practices and can be used to identify areas for improvement. The desired result is a comprehensive audit preparation package that includes all required documentation and evidence. To complete this task, you will need knowledge of the external audit requirements, the organization's systems, and relevant documentation standards. Coordinate with system owners, security experts, and internal audit teams to gather the necessary information and prepare the documentation package. Possible challenges include capturing all required evidence, addressing gaps identified during pre-audit assessments, and meeting audit deadlines.
Participate in external audits
This task involves actively participating in the external audit process to ensure a smooth and successful assessment of the organization's compliance with FISMA requirements. Participation may involve providing requested documentation, facilitating interviews or walkthroughs, and responding to auditor inquiries. The desired result is a successful external audit with minimal findings or deficiencies. To complete this task, you will need knowledge of the external audit process, the organization's systems, and relevant documentation or evidence. Coordinate with system owners, security experts, and internal audit teams to ensure a coordinated and organized approach to the audit. Possible challenges include addressing auditor inquiries or findings, coordinating activities across multiple teams, and meeting audit deadlines.
Address audit findings
This task involves addressing the findings or deficiencies identified during the external audit. It is important to promptly and effectively address the identified issues in order to maintain compliance with FISMA requirements. The desired result is the successful resolution or mitigation of the audit findings. To complete this task, you will need knowledge of the audit findings, available resources, and remediation best practices. Collaborate with system owners, security experts, and relevant stakeholders to develop and execute remediation plans. Document the actions taken to address the findings and ensure their effectiveness. Possible challenges include resource constraints, conflicting priorities, and potential delays in obtaining approvals or coordinating remediation activities.
Remediation actions:
1. Patch or Update Software
2. Strengthen Access Controls
3. Provide User Training
4. Improve Physical Security
5. Enhance Monitoring Mechanisms
Revise procedures as necessary based on audit findings
This task involves revising procedures and processes based on the findings or deficiencies identified during the external audit. It is important to learn from the audit process and make improvements to prevent similar issues in the future. The desired result is revised procedures that address the audit findings and incorporate lessons learned. To complete this task, you will need knowledge of the audit findings, the organization's systems, and applicable procedures or processes. Consult with system owners, security experts, and relevant stakeholders to identify necessary revisions and document the updated procedures. Possible challenges include capturing all necessary revisions, addressing potential conflicts with existing procedures, and ensuring compliance with organizational policies or guidelines.
Approval: Revised Procedures
Will be submitted for approval:
Prepare for external audits
Participate in external audits
Address audit findings
Revise procedures as necessary based on audit findings