Florida Information Technology Resource Security Policies and Standards identified in 71A-1.001-.010, F.A.C. documented a framework of NIST information security best practices for state agencies in order to safeguard the confidentiality, integrity, and availability of Florida government data and information technology resources.
- It defines minimum standards to be used by state agencies to categorize information and information technology resources based on the objectives of providing appropriate levels of information security according to risk levels.
- It defines minimum management, operational and technical security controls to be used by state agencies to secure information and information technology resources.
- State agencies shall use these standards as the minimum security requirements for information and information technology resources.
The process to comply with Florida Information Technology Resource Security Policies and Standards LOW, MODERATE, and HIGHlevel system security is documented in the NIST Risk Management Framework (RMF)
All business processes operate with some level of risk and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management.An effective approach is to use the following NIST SP800-37 Risk Management Frameworksix-steps:
An important component of the RMF is STEP 4: ASSESS.During this step, the user assesses the planned or implemented security controls, using appropriate procedures identified in SP800-53A, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the particular security control under assessment. The determination statements are linked to the content of the security control to ensure traceability of assessment results back to the fundamental control requirements. The application of an assessment procedure to a security control produces assessment findings. These findings reflect, or are subsequently used, to help determine the overall effectiveness of the security control.STEP 6: MONITOR.Is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
To help with implementation and auditing, the ISACA Tallahassee Chapter will present a Brown Bag session on February 17, 2015 that will provide an overview of Step 4 and Step 6 with a brief overview of STEP 5: AUTHORIZE.