Security & Privacy Framework Development
A client supporting the U.S. Department of Health & Human Services needed to reorganize its IT infrastructure to comply with the Federal Information Security Management Act (FISMA), a law that requires all government agencies and the companies with which they conduct business to develop, document, and implement specific data security frameworks to protect sensitive information. Considering FISMA’s stringent, paperwork-intensive information security requirements, the client chose pureIntegration to help it navigate the process and develop a strategy to achieve federal compliance.
pureIntegration drew on its extensive network and application management experience to assess, plan, and support the development of a broad National Institute of Standards and Technology (NIST) security control framework mapping, performed in two layers. A high-level mapping compared the security control components of the Information Technology Infrastructure Library (ITIL) with the components of a governance framework (COBIT), showing the coverage of each IT governance focus area. The resulting framework gave the client a comprehensive approach to IT governance and service management that included the following:
- Publication of a comprehensive IT security policy
- Analysis of risk management, information security governance and common security controls
- Development and execution of certification and accreditation processes and strategic planning for long-term improvements of IT security
- Construction and acceptance of a risk management plan of action & milestones (POA&M)
- Formation of value-based IT strategic financial models that support business strategies
- Formation of an executive-level Information Security Advisory Council
The Business Benefits
pureIntegration helped the client establish a framework for comprehensive IT governance and bring its systems into compliance with federal law. This not only improved the client’s image among third parties and regulators, but it also helped the IT department redefine itself as a business-focused and goal-oriented function of the company. By aligning with the needs of management, the IT team was able to accept clear ownership of its function and responsibilities and validate its value among all of the company’s stakeholders.