Monday, June 30, 2008

Start Your Security Assessments!

It is here. The 800-53A is now official.

I haven't looked it over yet, but I thought I would throw it out there.

Saturday, June 21, 2008

Rock Gods (Part 3)

Zeppelin Reunion (with Phil Collins)

Led Zeppelin - Live Aid 1985 Full Concert - (Part 1 of 3)

Friday, June 20, 2008

Guitar God

In lieu of real content, in the face of starting a new job, I give you more Eric Clapton.

Eric Clapton - Don't Think Twice It's All Right

Tuesday, June 3, 2008

Extracting my foot from my mouth

Apparently I spoke a little too soon.

There IS a forum for federal security managers to attend on a regular basis. Here is the link:

I have not attended, I simply found it while looking for something else. If you can attest to its content or organizational qualities, I (among others) would find it of interest.

Monday, June 2, 2008

FISMA is about Risk Management

I feel inclined to talk about something that the Guerrilla CISO discussed earlier.

I found this post at ISC2 annoying in that it is one more in a long line of "look at all these problems with FISMA" writings. We get it, it's new (relatively, for the government) and there are problems.

But just like all the other posts, no solutions are offered. I don't have all the answers either, but now I will be more aware of when I am spewing and when I am trying to be helpful.

So, let's go there. The reporting and measurement of system risks is nebulous, at best. Specific training for Accrediting Authorities (AA) and their delegates would be the first thing to do. The topics would look something like:
  • Introduction to Risk Management
    • What is Risk?
    • How do I know my risks?
  • How to conduct a Risk Assessment
    • What are threats?
    • What are vulnerabilities?
    • Determining likelihood
    • Determining impact
    • Generate Risk
  • Risk Management (MEAT, I just made up this acronym)
    • Mitigation (Compensating or additional controls)
    • Elimination (Remediate underlying vulnerabilities)
    • Acceptance (Justification for Operational Necessity)
    • Transfer (Delegate up or down, buy insurance)
  • Balancing Success and Usability with Security and Assurance
    • Or: how not to add so many countermeasures and controls that the system becomes costly to run.
  • Measurement and Reporting of Residual Risk
I find that second-to-last one to be the general issue and the root of many breaches. Either the system has no budget, so the AA has to accept risks they may or may not be comfortable with, or the system has too much budget and the Security Architect goes overboard. Lastly, not all risks are discovered at the time of accreditation, and no new risk assessments are conducted afterwards.

So once all that is done, it must be uniformly applied (directly to the forehead, haha). More simply: quarterly or semi-annual summits/councils/conferences with the AAs, with case studies, panels and open forums to discuss emerging threats, emerging countermeasures, what risks should be accepted, etc. Keep it as simple and high-level as possible, given that some of the AAs have little to no IT background.

This may already be happening and I am not aware of it. Please let me know if it is or isn't or anything you would want to see as possible solutions. It would be up to NIST or OMB to institute something like this, since FISMA gives them that authority. Or I accept Cash, Check, Wire Transfer, Money Orders and Google Checkout.

Sunday, June 1, 2008

Guitar Gods

Eric Clapton - Layla

Welcome to my feeble attempt at maintaining content.