Educause Security Discussion mailing list archives

Re: FISMA Compliance.


From: Jon Hanny <jehanny () GWU EDU>
Date: Tue, 1 Feb 2011 11:36:27 -0500

We developed an IT Risk Management program that follows the NIST SP800-53 Risk Management Framework for enterprise application systems. We modified the sample categorization questionnaire provided by NIST to be more appropriate for our organization, and perform vulnerability assessments that generate a Plan of Action & Milestones document to track the remediation progress. We then generate a Residual Risk Report and authorization recommendation that we submit to the appropriate person to authorize each system to move into production.

The greatest challenge is getting people on board and getting the project team to involve us before the application is purchased. Getting executive buy-in is essential. I wrote an article on this subject that I can forward off-line if you are interested.

Respectfully,

---------------------------------
Jon Hanny
CISSP, CRISC, GSLC
Application Security Specialist
Division of IT
The George Washington University
703-726-4469
jehanny () gwu edu
---------------------------------


On 2/1/2011 10:50 AM, Gerardo Burkle wrote:

Good morning,

I am trying to get my head wrapped around FISMA compliance, procedures and controls.

Does anyone have a good plan implemented already that works well in higher Ed?

What were your major challenges to become FISMA compliant?

So far, I have just been studying what's in FIPS 199 & 200 and NIST 800-53, 800-59, 800-60 & 800-37.

Any good resources, procedures and/or tips would be greatly appreciated.

Respectfully,

Gerardo Burkle

CISSP, CISA, GPEN, OSCP, C|EH

Information Security Analyst

University of Texas at San Antonio

210-458-7209
