FISCAM - Federal Information System Controls Audit Manual

GAO

NNT Change Tracker’s real-time, non-stop approach to compliance, configuration drift reporting, and breach detection present an ideal solution to demonstrating compliance with FISCAM requirements.

FISCAM is a manual developed by the Government Accountability Office (GAO) intended to provide auditors with specific guidance for evaluating the confidentiality, integrity, and availability of information systems. FISCAM is consistent with the National Institute of Standards and Technology guidelines (NIST SP 800-53) for complying with the Federal Information Security Modernization Act of 2014 (FISMA).

FISCAM Overview

FISCAM focuses on 5 key areas: Security Management, Access Controls, Configuration Management, Contingency Planning, and Segregation of Duties.

Security Management

Controls provide reasonable assurance that security management is effective, including effective:

  • Remediation of information security weaknesses
  • Periodic assessments and validation of risk
  • Security awareness and security training
  • Security control policies & procedures

Access Controls

Controls provide reasonable assurance that access to computer resources is reasonable and restricted to authorized individuals, including effective:

  • Audit and monitoring capability, including incident handling
  • Protection of sensitive system resources
  • Authorization controls
  • Protection of information system boundaries

Configuration Management

Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective:

  • Configuration management policies, plans, and procedures
  • Proper authorization, testing, approval, and tracking of all configuration changes
  • Routine monitoring of the configuration
  • Documentation and approval of emergency changes to the configuration

Segregation of Duties

Controls provide reasonable assurance that incompatible duties are effectively segregated, including effective:

  • Segregation of incompatible duties and responsibilities
  • Control of personnel activities through formal operating procedures

Contingency Planning

Controls provide reasonable assurance that (1) contingency planning protects information resources and minimizes the risk of unplanned interruptions and (2) recovery of critical operations is provided for should interruptions occur, including effective:

  • Assessment of the criticality and sensitivity of computerized operations and identification of supporting resources
  • Steps taken to prevent and minimize potential damage
  • Comprehensive contingency plan
  • Testing of contingency plan with necessary adjustments based on testing

FISCAM Controls

The FISCAM is organized to facilitate effective and efficient IS control audits by incorporating the following elements:

  • A top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures
  • Evaluation of entity-wide controls and their effect on audit risk
  • Evaluation of general controls and their pervasive impact on business process application controls
  • Evaluation of security management at all levels (entity-wide, system, and business process application levels)
  • A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses
  • Groupings of control categories consistent with the nature of the risk
  • Experience gained in GAO's performance and review of IS control audits, including field testing the concepts in this revised FISCAM

Register for a free trial and automate FISCAM compliance today!

Copyright 2017, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.