eValid8 Corporation

eValidated - Are You Ready to be Trusted?™

IT Policies: The Federal Information Security Management Act (FISMA)

The National Institute of Standards and Technology (NIST) publishes a series of Special Publications (SP) that guide federal agencies in securing their IT implementations. The FISMA activity that applies this guidance to a system is referred to as "certification and accreditation" (C&A). The central document for a C&A is NIST SP 800-53, which defines a standardized catalog of security controls (requirements) grouped into 17 control families; its companion, SP 800-53A, supplies the procedures for assessing whether those controls are in place and effective. Several other documents are used during a C&A engagement: Federal Information Processing Standard (FIPS) 199 for the security (impact) categories, NIST SP 800-60 for mapping information types and information systems to those categories, NIST SP 800-30 for conducting risk assessments, and NIST SP 800-34 for developing IT contingency plans.

FISMA, FIPS 200, SP 800-53: The Federal Information Security Management Act of 2002 directed NIST to create security standards for federal agencies. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is mandatory for all federal agencies. SP 800-53, Recommended Security Controls for Federal Information Systems, is the control catalog that those minimum requirements point to. Together these two publications form the foundation of security policy for all federal information and information systems other than national security information and systems, which are instead covered by the NISPOM and DCID directives.

The NIST Computer Security Division has proposed the following nine-step process for increasing the security of federal agency IT systems:

1. Categorize the information and the information systems that process it.
2. Select the appropriate minimum (baseline) security controls.
3. Refine the security controls using a risk assessment.
4. Document the security controls in the system security plan.
5. Implement the security controls in the information system.
6. Assess the effectiveness of the security controls.
7. Determine the agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.


PKI Procedures: Audit Procedures for a Secure Root Key Generation Signing Ceremony
Complete trust is crucial to any PKI, and the root key pair generated when the PKI is first brought up is what establishes that trust. Generating the root key pair produces the root certification authority (CA) certificate: a self-signed certificate whose private key then signs subordinate CA certificates, which in turn sign subscriber and device certificates, so that every certificate in the hierarchy chains back to the root CA certificate. If the underlying root key cannot be completely trusted, there is no trust in the PKI or in anything it assures. The root key generation audit template script includes forms for the auditors who witness the root key generation and organizes the event as a structured build that meets your requirements, based on your own certificate policy. eValid8 accredited auditors ensure that the root key generation event and its script are professional, legible, and repeatable. Additional templates for physical security and logical security requirements are available to ensure that safeguards are applied during the root key generation ceremony; the physical security template includes a checklist of the safeguards that make your PKI trustworthy.
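The chain of trust described above, as an added example that is not part of eValid8's ceremony script or templates: a root key pair is generated and self-signed, the root signs a subordinate CA, the subordinate signs a subscriber certificate, and path validation is then run against the ceremony's root and against an unrelated root. All names, lifetimes and the choice of P-256 keys are hypothetical values chosen for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caCert pairs a certificate with the private key that signs under it.
type caCert struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// caTemplate builds a CA certificate template. The serial, name and
// lifetime are hypothetical values for this example, not policy guidance.
func caTemplate(serial int64, cn string, years int, subordinate bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if subordinate {
		t.MaxPathLenZero = true // pathlen 0: may issue end-entity certs only
	}
	return t
}

// issue generates a key pair and a certificate for tmpl. With parent nil the
// certificate is self-signed, which is the root key generation step; otherwise
// the parent's private key signs it, as for subordinate CA and subscriber certs.
func issue(parent *caCert, tmpl *x509.Certificate) (*caCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caCert{cert: cert, key: key}, nil
}

// buildPKI produces the hierarchy the passage describes:
// root CA -> subordinate CA -> subscriber certificate.
func buildPKI(rootCN string) (root, sub, leaf *caCert, err error) {
	if root, err = issue(nil, caTemplate(1, rootCN, 20, false)); err != nil {
		return
	}
	if sub, err = issue(root, caTemplate(2, "Example Subordinate CA", 10, true)); err != nil {
		return
	}
	leaf, err = issue(sub, &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "subscriber.example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return
}

// chainLength validates leaf against root as the only trust anchor, with sub
// as the only available intermediate, and returns the number of certificates
// in the validated path (3 for root -> sub -> leaf) or the validation error.
func chainLength(leaf, sub, root *x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	root, sub, leaf, err := buildPKI("Example Root CA")
	if err != nil {
		panic(err)
	}
	fmt.Println(chainLength(leaf.cert, sub.cert, root.cert)) // 3 <nil>

	// A second, independently generated root is not the ceremony's root: the
	// same subscriber certificate no longer chains to anything trusted.
	imposter, _ := issue(nil, caTemplate(1, "Imposter Root CA", 20, false))
	_, err = chainLength(leaf.cert, sub.cert, imposter.cert)
	fmt.Println(err != nil) // true
}
```

The second check is the practical meaning of "no trust in the PKI system": a relying party that does not hold the genuine root certificate cannot distinguish the ceremony's hierarchy from one built on any other key pair, so the root key's generation and custody, not the certificate format, is what the audit has to establish.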



8062 High Castle Road, Suite 202 | Ellicott City, Maryland 21043-5166
TEL: 866.465.6005 | FAX: 410.465.9315

© 2003 - 2009 All Rights Reserved by eValid8 Corporation.
