
Foglight Experience Monitor 5.8.1 - Security and Compliance Field Guide

FISMA overview

The Federal Information Security Management Act (FISMA) was passed by the U.S. Congress and signed by the U.S. President as part of the Electronic Government Act of 2002. It requires “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”.

A major component of FISMA implementation is the National Institute of Standards and Technology (NIST) publication Recommended Security Controls for Federal Information Systems, NIST Special Publication 800-53 (for additional information about this publication, see http://csrc.nist.gov/publications/PubsSPs.html). This document lists 17 general security categories (control families) against which an information security control program should be evaluated in order to measure its level of compliance with an agency’s obligations under FISMA. Quest Software Inc. wishes to provide its customers with enough information about the security aspects of Foglight Experience Monitor (FxM) to enable them to perform their own evaluation of how FxM fits into their desired FISMA compliance levels. For more information, see NIST 800-53 categories.

NIST 800-53 categories

This section presents the 17 categories listed in the NIST Special Publication 800-53 and describes how Foglight Experience Monitor addresses those that apply.

The secure employment of Foglight Experience Monitor forms only one part of an information security program. A statement in this appendix that a particular security category is “applicable” to Foglight Experience Monitor means only that FxM contains security features that are or may be relevant to some or all aspects of the security category in question. It does not necessarily mean that Foglight Experience Monitor fully meets all of the requirements described in that security category, or that the use of Foglight Experience Monitor by itself guarantees compliance with any particular information security standards or control programs. The selection, specification, and implementation of security controls in accordance with a customer-specific security program is ultimately dependent upon the manner in which the customer deploys, operates, and maintains all of its network and physical infrastructure, including the Foglight Experience Monitor.

The following table presents the NIST 800-53 categories. For each category it states whether the category applies to FxM, describes how FxM addresses it where it does, and names the section of this guide that gives more detail.

Access Control (AC)

Applies to FxM: Yes

FxM enforces a role-based access control policy based on the type of user account (administrative or regular user). This restricts which data can be accessed and which actions can be performed, and enforces a separation of duties.

More information: User authorization and privileges

Awareness and Training (AT)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own security awareness and training policy.

More information: N/A

Audit and Accountability (AU)

Applies to FxM: Yes

FxM records a set of events in its audit file, including all changes to its configuration and any attempt by an attacker to scan the appliance for open ports.

More information: Auditing

Certification, Accreditation, and Assessments (CA)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own security assessment, accreditation, and certification policy.

More information: N/A

Configuration Management (CM)

Applies to FxM: Yes

The FxM appliance is configured to provide only the services necessary for its operation; services that are not needed are disabled.

The ports that FxM uses for communication are restricted and can be configured only by administrators.

In addition, any change to the FxM configuration is recorded in a log file.

Contingency Planning (CP)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to design and implement their own contingency plans. As defined by NIST (Special Publication 800-34), disruptive events for IT systems include power outages, fire, and equipment damage, and may be caused by natural disasters or terrorist actions.

More information: N/A

Identification and Authentication (IA)

Applies to FxM: Yes

FxM enforces identification, authentication, and password policies, with well-defined rules for how user names and passwords are created, and ensures that only authorized users can log in to the system.

More information: User authentication and access control

Incident Response (IR)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own incident response policy and procedures.

More information: N/A

Maintenance (MA)

Applies to FxM: Yes

FxM allows remote maintenance by Quest technical support, by agreement with the customer.

Quest also monitors newly discovered security flaws in the components on which FxM is based (such as Fedora, SLES, and Apache™) and provides security patches to FxM customers when necessary.

More information: Product updates

Media Protection (MP)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own media protection policy.

More information: N/A

Physical and Environmental Protection (PE)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own physical and environmental protection policy.

More information: N/A

Planning (PL)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own security planning policy.

More information: N/A

Personnel Security (PS)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to enforce their own personnel security policies, including personnel screening and employment termination.

More information: N/A

Risk Assessment (RA)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own risk assessment policy.

More information: N/A

System and Services Acquisition (SA)

Applies to FxM: No

This category does not apply to FxM, since it is the responsibility of the FxM customers to develop and review their own system and services acquisition policy.

More information: N/A

System and Communications Protection (SC)

Applies to FxM: Yes

FxM protects sensitive customer data at rest by encrypting it with AES-256.

To secure network communication with its users, the FxM web server supports SSL.

To support secure communication with Quest technical support, FxM allows SSH connections to be established.

FxM’s encryption key is protected from unauthorized access. In addition, FxM uses a firewall to reduce its exposure to denial-of-service (DoS) attacks, and continuously monitors for port scans, a common precursor of an attack, through its port-scan detection.

System and Information Integrity (SI)

Applies to FxM: Yes

FxM uses its firewall and port-scan detection as intrusion detection mechanisms.

FxM also validates input submitted through the web interface, to protect against malformed user input.

Any change made to FxM’s configuration is also recorded, so that the system can be rolled back to a known stable state if its configuration becomes corrupted.

FxM does not currently verify the correct operation of its security functions. This feature is scheduled to be included in future releases.
