Q&A About Federal Cyber Security Frameworks

1. What is FISMA?
The Federal Information Security Management Act (FISMA) states that federal agencies must maintain information security programs that include risk assessments, policy, technology, and training. If your business works with data provided by the government under contract, you may be subject to FISMA compliance.
2. What is NIST and how does it fit in?
The National Institute of Standards and Technology (NIST) has developed standards and guidelines that are used to assess FISMA compliance.
3. And the others, GLBA and SOX?
Gramm-Leach-Bliley Act (GLBA)
You need to be concerned about GLBA if you collect or hold consumers' personal financial information. The GLBA provision covering this is commonly known as the Safeguards Rule.

Sarbanes-Oxley (SOX)
From an IT perspective, SOX requires oversight of access to sensitive files. Role-based access control is key to solving SOX compliance issues.

Federal Information Security Management Act (FISMA)

FISMA requires that Federal agencies comply with guidelines for IT systems security. Failing a FISMA inspection may result in increased oversight from the next organizationally higher agency and negative publicity, and it leaves the failing agency vulnerable to data breaches.

For IT systems that support operations and assets, FISMA requires that Federal agencies develop, document, and implement a program to provide for their security. This applies both to the agency’s own systems and to those belonging to other agencies, contractors, and others, insofar as they support the agency’s mission. Sera-Brynn has the experience required to accomplish this and is ready to help your agency meet FISMA requirements in the most cost-effective manner possible.

Gramm-Leach-Bliley Act (GLBA)

GLBA applies to a broad range of financial institutions, including but not limited to banks, securities firms, insurance companies, and accounting firms. Section 501(b) of GLBA addresses the information security requirements and states that the regulatory agencies and authorities that govern financial institutions will establish administrative, technical, and physical safeguards to insure security, protect against threats or hazards, and protect against unauthorized access to critical information.

If a financial institution is found not to be in compliance with GLBA, the result can be severe penalties in the form of fines from the Federal Trade Commission (FTC) or the Office of the Comptroller of the Currency (OCC), and possibly class-action lawsuits from customers. Specifically, non-compliance civil penalties can be as high as $100,000 per violation. The financial organization’s senior leadership can be subject to, and personally liable for, a civil penalty of up to $10,000 and/or imprisonment for up to five years. Sera-Brynn can help you mitigate this risk and ensure your financial institution is in full compliance with GLBA.

Sarbanes-Oxley (SOX)

The goal of a SOX IT (404) audit is to assure the business (usually the CEO and CFO) and the audit committee that the financial data residing on its IT systems is accurate and reliable as it is reported to the SEC. SOX compliance is similar to other IT audit programs, except that a SOX IT audit focuses on the availability, integrity, and reliability of systems as a whole rather than on specific devices. We understand the importance of the documentation that comes from a SOX audit, as it feeds into the attestation assuring that your company’s IT systems, and the information that resides on them, are reliable, verifiable, and secure.

Why Sera-Brynn?

Sera-Brynn’s security engineers hail from the government and DoD information assurance communities, and we take a sensible approach to FISMA compliance. NIST guidance runs to literally thousands of pages, so understanding it can be challenging. We simplify and tailor the approach to your business requirements, and we've already cross-walked NIST with PCI, HIPAA, and others so you aren't duplicating effort.