FISMA Assessments
The Federal Information Security Management Act (FISMA) of 2002 establishes security requirements that federal agencies, and the entities to which agency business has been outsourced, must adhere to. A-lign's FISMA benchmark audit assists agencies and outsourcers in ensuring that they can meet the FISMA standards.
In today's regulatory environment, stakeholders want assurance that companies comply with regulatory and best-practice standards such as the Payment Card Industry Data Security Standard (PCI DSS), International Organization for Standardization (ISO) 27002, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA).
We will ensure that your business operations are aligned to comply with FISMA regulatory standards.
FISMA Assessment Scope Determination
Aligning your compliance needs with your business operations takes a unique blend of experience and execution. Understanding the scope of the FISMA compliance request is often the hardest part of the engagement.
Our experience in performing FISMA compliance assessments is invaluable in the scope determination phase. A-lign™ will work with client personnel and, if applicable, the client's customer personnel to determine the scope of the FISMA compliance project and identify the sections of the standard that apply to it.
Preparation for Fieldwork and Testing Procedures
We understand that our clients' time is extremely valuable. We will deliver an information request list and ask that the documentation be gathered prior to our onsite fieldwork. The information request list is typically sent four weeks prior to fieldwork. As necessary, we can hold meetings to discuss our requests and ensure that the client fully understands each requested item. By gathering the documentation before our arrival, the client keeps the FISMA audit fee as low as possible and makes the best use of its personnel's time.
Your A-lign™ point of contact for the FISMA audit is always available to answer questions regarding our information request list. We encourage our clients to utilize our secure A-lign™ ClientConnect to upload documentation to fulfill the information request. This allows our team to review the responses for completeness and begin our FISMA audit testing even before onsite fieldwork.
We will submit to the client, at least two weeks prior to onsite fieldwork, a project plan that outlines the areas we will be auditing each day of our audit testing. The project plan is reviewed by the client to ensure that no scheduling conflicts exist.
FISMA Assessment Fieldwork and Testing Procedures
Onsite fieldwork and testing procedures are the most time-intensive part of the project for both the client and our team. The client's completion of the information request list prior to our onsite visit greatly affects the efficiency of this phase. Our approach to testing includes both onsite and offsite testing, which allows our team to limit disruption to our clients' daily operations. Onsite fieldwork consists of FISMA audit team members performing interviews, observing processes, and performing sample-based testing for the in-scope areas.
- By utilizing A-lign™ ClientConnect, offsite testing can be performed through secure electronic exchange of documentation and evidence.
- By performing a portion of the testing offsite, we are able to offer our clients an extremely competitive pricing model for the project.
We will perform a gap analysis to identify tests whose results did not meet the standard. We will work with client personnel to draft recommendations to remedy the gaps. This is a crucial step in our process: it ensures that all client personnel agree with the findings and recommendations before they are presented to senior management.
Remediation Assistance
As the client remediates the identified gaps, A-lign™ works hand in hand with the client as a partner through the process. At no additional cost to the client, A-lign™ will review the remediation effort and retest the control to confirm that it was implemented and is operating effectively.
FISMA Audit Reporting
The reporting format can vary based on the client's needs and the audience the report is intended for. If the company will use the report for internal purposes only, a non-attest consulting report is the suggested format. If the client's customer wants a report directed at them, an agreed-upon procedures report provides a form of attestation and allows the report to be shared with identified customers.
If multiple customers want a report in the form of a service auditor's report, the control objectives and criteria can be specified by the client's customers, and the control objectives can mirror those specified in the regulation.
For a free phone consultation or to learn more about the FISMA assessment, call 1-888-702-5446.