FISMA Case Study
Requirement
Assist a major clinical research company (client) based in North America in becoming compliant with the Federal Information Security Modernization Act (FISMA) as required for reporting to the Department of Health and Human Services (HHS).
Issues
The client had no prior experience with federal compliance reporting and had never performed a meaningful compliance assessment. Their last assessment was a SAS 70 audit performed in 2007, which covered only a single I.T. function within their broader information security program.
Additional issues for the client
Inadequate Security Documentation: The client had little to no security documentation in place in terms of policies and procedures. The documentation that did exist was old, poorly written and not aligned with the current NIST risk management framework on which FISMA compliance depends.
No Compliance Officer: The client had no official compliance officer, so no one owned the FISMA project as a whole. The Director of I.T. was given FISMA oversight but had no experience with regulatory compliance.
Non-Existent Compliance Culture: Growth and profit came first, so security and compliance received little to no attention. Only a handful of existing employees had ever been through an actual compliance assessment.
Solution
Centris deployed a team of experts specializing in federal compliance who accomplished the following:
- Defined project scope and client participation.
- Identified all control gaps and recommended remediation for each.
- Set up demo web sessions with software vendors for critical security tools.
- Reviewed all existing InfoSec documentation and began authoring new policies and procedures.
- Established contact and working relationships with all in-scope third-party vendors (e.g., managed security services providers).
Outcome
- Complete development of all required information security policies and procedures.
- Successful remediation of all in-scope required controls.
- Delivery of a Security Assessment Report (SAR) and System Security Plan (SSP) to the client, which they can present to federal agencies to demonstrate compliance as needed.
- Implementation of a mature compliance framework in which personnel understand their roles and responsibilities.
- The ability to pursue additional federal and private-sector contracts that require FISMA compliance.