The Federal Information Security Management Act (FISMA) contains provisions for how government agencies must audit and report on their information systems, including servers which contain unstructured and semi-structured data. In 2010, the Office of Management and Budget (OMB) released a memo (M-10-15) detailing the reporting requirements for government agencies with regard to FISMA. This memo lays out specific instructions for reporting, including instructions for an agency’s “privacy management systems.” Varonis solutions directly address many of these requirements. The OMB requires that agencies “need to be able to continuously monitor security-related information from across the enterprise in a management and actionable way.” In order to accomplish this, the OMB states that agencies need to automate security-related information, develop automated risk models, and apply those models to vulnerabilities and threats identified by security management tools. Varonis can greatly assist an organization is meeting these goals.
FISMA requires that government agencies develop an automated risk model that provides “greater visibility and focus on their most significant vulnerabilities at any time.” These requirements apply to all information systems within an agency, including file servers containing unstructured and semi-structured data. Varonis can help an agency meet specific FISMA reporting requirements in the following ways:
|Adequate Security||Security is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. Systems must provide appropriate confidentiality, integrity, and availability through operational and technical controls.||By providing complete visibility into permissions and file events, as well as where sensitive content resides, Varonis can identify where sensitive content is over-exposed, where unauthorized access is taking place, and how to remediate excess access.|
|General Support System||An interconnected set of information resources under the same direct management control which shares common functionality.||Varonis provides administrators the ability manage unstructured data on Windows, UNIX, NetApp, and EMC Celerra file servers as well as SharePoint repositories all within a single management interface.|
|Information Security||Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality, and availability.||Varonis provides actionable intelligence on exactly who can access and who is accessing content so that information canbe properly protected.|
|Significant Deficiency||A significant deficiency is a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems. As required in FISMA, agencies are to report any significant deficiency in policy, procedure, or practice.||By identifying sensitive content as well as where content is over-exposed, Varonis provides visibility into where unstructured and semi-structures information systems may contain significant deficiencies so that they can be properly reported and corrected.|
|System Assessment||A comprehensive assessment of the management and operation and technical security controls in an information system to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.||Varonis DatAdvantage and DataPrivilege provide complete auditing of file system events, process reviews and workflow controls, which help agencies implement information security policies and demonstrate that policies are operating as intended.|