IG Metrics: Maturity Model and the New IG FISMA Assessment Approach - - PowerPoint PPT Presentation




SLIDE 1

IG Metrics: Maturity Model and the New IG FISMA Assessment Approach

John Ippolito, CISSP, PMP, Consultant
Mary Harmison, CPA, Audit Manager
Office of Inspector General, Federal Trade Commission

SLIDE 2

3/15/2016

FISMA = FISMA

The Federal Information Security Modernization Act (FISMA) of 2014 replaced the Federal Information Security Management Act (FISMA).

SLIDE 3

FISMA Requires Annual Independent Evaluation

FISMA independent evaluations combine information security structured processes with control effectiveness metrics.

SLIDE 4

NIST 800-53 Definition of Effectiveness

“Security control effectiveness addresses the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system in its operational environment.”

SLIDE 5

INFORMATION SECURITY AND PRIVACY ADVISORY BOARD IG Panel, June 10, 2015

SLIDE 6

ISCM Maturity Model for FY2015 FISMA

5-level scale across 3 domains

Domains: People, Processes, Technology

Scale:
1 - Ad-hoc
2 - Defined
3 - Consistently Implemented
4 - Managed and Measurable
5 - Optimized

SLIDE 7

Educator’s Role

Level 2
Assess the skills, knowledge, and resources needed to effectively implement an ISCM program. Develop a plan for closing any gaps identified.

Level 3
Implement plans to close any gaps in skills, knowledge, and resources required to successfully implement an ISCM program. Personnel possess the required knowledge, skills, and abilities to effectively implement the organization’s ISCM program.

Level 4
Consistently implement, monitor, and analyze qualitative and quantitative performance measures across the organization and collect, analyze, and report data on the effectiveness of the organization’s ISCM program.

Level 5
Ensure assigned personnel collectively possess a high skill level to perform and update ISCM activities on a near real-time basis to make any changes needed to address ISCM results based on organization risk tolerance, the threat environment, and business/mission requirements.

SLIDE 8

Address Evaluation Criteria

• Demonstrate effectiveness of training material
• Demonstrate training effectiveness
  • Elimination of training GAPS
  • Adapts to change
• Quantitative vs Qualitative measures