I feel inclined to talk about something that the Guerrilla CISO discussed earlier.
I found this post at ISC2 annoying in that it is the same in a long line of "look at all these problems with FISMA" writings. We get it, it's new (relatively, for the government) and there are problems.
But just like all the other posts, no solutions are offered. I don't have all the answers either, but now, I will be more aware of when I am spewing and when I am trying to be helpful.
So, let's go there. The reporting and measurement of system risks is nebulous, at best. Specific training for Accrediting Authorities (AA) and their delegates would be the first thing to do. The topics would look something like:
- Introduction to Risk Management
  - What is Risk?
  - How do I know my risks?
  - How to conduct a Risk Assessment
    - What are threats?
    - What are vulnerabilities?
    - Determining likelihood
    - Determining impact
    - Generate Risk
- Risk Management (MEAT, I just made up this acronym)
  - Mitigation (Compensating or additional controls)
  - Elimination (Remediate underlying vulnerabilities)
  - Acceptance (Justification for Operational Necessity)
  - Transfer (Delegate up or down, buy insurance)
- Balancing Success and Usability with Security and Assurance
  - Or, how not to add so many countermeasures and controls that the system becomes costly to run.
- Measurement and Reporting of Residual Risk
So once all that is done, it must be uniformly applied (directly to the forehead, haha). More simply, quarterly or semi-annual summits/councils/conferences with the AAs, with case studies, panels and open forums to discuss emerging threats, emerging countermeasures, what risks should be accepted, etc. Keep it as simple and high level as possible, given that some of the AAs have little to no IT background.
This may already be happening and I am not aware of it. Please let me know if it is or isn't or anything you would want to see as possible solutions. It would be up to NIST or OMB to institute something like this, since FISMA gives them that authority. Or I accept Cash, Check, Wire Transfer, Money Orders and Google Checkout.
1 comment:
Hi Chris
I'm putting up a presentation "real soon now" about why people outside the beltway should care about and one of my ideas for a follow-on is a slide deck aimed at new DAAs.
Supposedly NIST is working on a handbook for DAAs, but I've heard hints about it for about a year now with nothing tangible to show.