FISMA in the private sector


More and more companies are getting requests for FISMA control assessments, says David Lawson, director, risk management and compliance, Acumen Solutions.

FISMA does for federal agencies what SOX does for public companies: it holds executives responsible for the security of their information and accountable for putting in place security controls that meet minimum security requirements, with the required baseline determined by the privacy and mission impact of the data.

Lately, more and more commercial companies are getting requests for FISMA control assessments, because they handle or process federal information on behalf of an agency. Beyond business with the government, there are many aspects of FISMA that would benefit private sector companies shaping their own security posture.

First is organizational responsibility. In most companies, security is a silo: saddled with securing information while receiving none of the benefit of its use. Under the FISMA model it is the business unit, the owner of the system, that formally accepts the residual risk, because it is the business unit that receives the benefit.

Second, there are operational benefits from having information security pros protect the underlying infrastructure as one general support system (GSS). Treating the shared infrastructure as a single system lets them reserve detailed analysis for mission-critical, high-impact information.

Third, through continuous monitoring of risk posture information, the business operating executive is empowered to drive the metrics and analytics of the cost-benefit of IT operations with regard to risk and compliance.

Finally, FISMA provides a highly mature system life cycle focused on cost-effective risk management and reporting. It can be integrated readily into a company's software development life cycle (SDLC) and can ultimately drive shorter time-to-value through the efficiencies of standardization and operational consistency.
