
Re: helpfulbacteria post# 89960

Friday, 08/05/2005 8:05:19 AM

Post# of 249244
Helpful- FISMA... (bolds are mine) -R

http://www.dell4fed.com/tpl_article.php?ri=813&si=56


Improving Your Agency’s FISMA Grade
Dell Public
March 2005

Introduction
Although the Federal Information Security Management Act of 2002 is almost three years old, government agencies are still working to comply. In fact, a recent survey of federal CISOs showed achieving FISMA compliance to be their number two concern behind patch management.[1] And it’s no wonder why they’re concerned – the last round of FISMA grades had 14 of 24 federal agencies scoring below a C (eight of those failed outright).[2]

So why is FISMA adherence proving so difficult? One senior compliance strategist thinks it has to do with a lack of solid inventory, confusion on the part of agencies, a lack of bandwidth and reluctance to share data.[3] IT professionals would likely argue that, because of all the paperwork involved with FISMA, noncompliance is due to the bandwidth issue more than anything else. When surveyed recently, federal CISOs who control a budget of less than $500,000 reported spending “45 percent of their time on FISMA compliance and only 15 percent of their time on network security monitoring and inventory control.”[4]

With the paperwork not likely to decrease in the near future and budgets as they are, there are a few key areas where your agency can focus to help improve your FISMA grade.



Inventory
If you don’t know what you have on your network, you won’t know what you need to protect. So one important step is to take complete inventory of your infrastructure. Catalog your business systems, grouping technologies by functions.[5] Once you know the equipment and operating systems you are running, you can properly assess risk and define technical configuration standards for each one.

Since bandwidth can be a major roadblock for most CISOs, your agency may want to call upon a third party to assist with inventory and risk assessment. Dell Services’ security specialists will thoroughly analyze your organization’s entire IT infrastructure and offer security solutions that are based on NSA standards and designed to mitigate an array of security risks.



Implementation
If knowing your inventory is step one, step two is knowing what security solutions to put in place. Dell can help you here by recommending safety products and features on four levels for comprehensive information security:

1. Physical

Configuration-Change and Chassis-Intrusion Alerts provide notification to the end-user and/or the IT Administrator when system configurations have been altered or a chassis has been opened.

Cable Lock Slots and Chassis Lock Loops allow the user to secure the system and protect system components.

Cable Locks can be used to help secure both notebooks and desktop systems using the standard cable lock slot.

Custom Chassis Locks bolt the chassis cover closed to protect internal components, secure the system itself with an attachable cable, and help protect system peripherals from theft with a cable locking mechanism.

Asset Tags help keep track of your organization’s Dell systems. Dell’s Custom Factory Integration service can provide standard or customized asset tags.

2. User

Dell™ OptiPlex™ desktops, Dell Precision™ workstations and Dell Latitude™ notebooks come with a number of BIOS-enabled security features that help protect your system during the pre-boot process, even before operating system-based password protection is in place.

System Passwords require the user to enter a password in order to boot the system and enable the keyboard and mouse.

System Set-up Passwords require the user or administrator to enter a password in order to make any changes to the system set-up options.

Hard Drive Passwords require the user to enter a password to access the hard drive.

Smartcard and/or Biometric Authentication securely authorizes users accessing systems and connecting to the network. Dell’s built-in smartcard slot on Latitude™ notebooks (D410, D610 & D810) as well as its smart card keyboard for desktops provide integrated authentication.

3. System

Anti-virus and Client Protection software fortifies the individual system and the infrastructure, because many of today’s attacks use the desktop or notebook as a launch point.

4. Network

Firewalls allow you to filter content, manage Virtual Private Networks (VPNs), monitor network resource requests, and share Internet access. Dell offers firewalls in a variety of choices, including the Secure Computing™ Sidewinder Firewall™ on Dell PowerEdge™ servers. In addition, Dell carries firewall solutions from Netscreen, Watchguard and others.

Intrusion Prevention Systems (IPS) provide a second line of network defense and needed protection for the core of the network. The Unity One™ IPS by Tipping Point™ available from Dell provides the visibility of an IDS with the added power to block harmful traffic that may be trying to pass through the core of the network.

LegacySelect, a standard feature on Dell OptiPlex™ desktops, can help agencies transition from less-secure legacy technologies by giving them the ability to lock down system drives, slots and ports to help protect the system and network.

Server Network Interface Cards (NICs), such as the Intel® Pro 100S, are available on Dell PowerEdge™ servers and help protect sensitive data traveling on the LAN with standards-based security features.

Secure Socket Layer Accelerators, like Broadcom’s CryptoNetX™ SSL800 adapter, are also available on Dell PowerEdge servers and help accelerate the SSL protocol by allowing the server to support large numbers of clients using secure communications while helping maintain high performance.

Virtual Private Networking (VPN) is a method to allow authorized users to have secure, authenticated remote access to your LAN via public networks, such as the Internet. Dell PowerEdge servers are an ideal platform on which to run a network operating system that incorporates VPN functionality, such as Microsoft® Windows® Server 2003.

In addition to securing information on each of these levels, it is also imperative that you help ensure that data is not passed on when systems are retired. For this, Dell offers Disk Overwriting, which helps protect confidential information and assets by overwriting data based on the Department of Defense 5220.22-M three-time overwrite standard.
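As an added illustration, not Dell's product or any code from the article, here is a Python sketch of the three-pass overwrite the article attributes to DoD 5220.22-M: a fixed byte, its complement, then random data, with the final pass verified on read-back. The pass sequence is my reading of that standard, and the code only rewrites a file's logical contents; it does not reach slack space, journal copies or remapped flash blocks, which is why retired drives need the whole-disk approach the article describes.

```python
import hashlib
import os
import tempfile

# Pass patterns: fixed byte, its complement, then random (None = random).
PASSES = (b"\x00", b"\xff", None)
CHUNK = 64 * 1024


def overwrite_file(path, chunk=CHUNK):
    """Overwrite the file at `path` in place three times.

    Returns True when the data read back after the final (random) pass
    matches what was written, i.e. the verification step succeeded.
    """
    size = os.path.getsize(path)
    written = hashlib.sha256()          # digest of the final pass as written
    with open(path, "r+b", buffering=0) as fh:
        for pattern in PASSES:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = os.urandom(n) if pattern is None else pattern * n
                if pattern is None:
                    written.update(block)
                fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())       # push each pass to the device
    readback = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            readback.update(block)
    return readback.digest() == written.digest()


def demo():
    """Constructed sample: a file of fake records, wiped and checked."""
    secret = b"CONSTRUCTED SAMPLE RECORD 000-00-0000\n" * 2000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    verified = overwrite_file(path)
    with open(path, "rb") as fh:
        after = fh.read()
    os.remove(path)
    # (verification passed, size unchanged, original content gone)
    return verified, len(after) == len(secret), secret[:40] not in after
```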




NIST SP 800-53
Finally, if there is any confusion on what is required and what type of security you should have in place, you should visit the National Institute of Standards and Technology web site and view the January 2005 draft of Special Publication 800-53, Recommended Security Controls for Federal Information Systems. It outlines what is expected of your agency and the detailed steps to take to achieve those expectations.

For more information on security and how Dell can help you improve your FISMA score, visit the Security Solution for Federal Government.



--------------------------------------------------------------------------------

[1] Olsen, Florence. “Security Bosses Feel Patch Pain.” November 22, 2004. FCW.com.
[2] Lawlor, Maryann. “Congress Scrutinizes Information Security Efforts.” August 2004. SIGNAL.
[3] Briggs, Linda and Mann, David. “Q&A: Why Agencies Find FISMA Compliance Tough.” ComplianceNOW.
[4] Olsen, Florence. “Security Bosses Feel Patch Pain.” November 22, 2004. FCW.com.
[5] Briggs, Linda and Mann, David. “Q&A: Why Agencies Find FISMA Compliance Tough.” ComplianceNOW.
