Monday, June 2, 2008

FISMA is about Risk Management

I feel inclined to talk about something that the Guerrilla CISO discussed earlier.

I found this post at ISC2 annoying in that it is the same in a long line of "look at all these problems with FISMA" writings. We get it, its new (relatively, for the government) and there are problems.

But just like all the other posts, no solutions are offered. I don't have all the answers either, but now, I will be more aware of when I am spewing and when I am trying to be helpful.

So, let's go there. The reporting and measurement of system risks is nebulous, at best. Specific training for Accrediting Authorities (AA) and their delegates would be the first thing to do. The topics would look something like:
  • Introduction to Risk Management
    • What is Risk?
    • How do I know my risks?
  • How to conduct a Risk Assessment
    • What are threats?
    • What are vulnerabilities?
    • Determining likelihood
    • Determining impact
    • Generate Risk
  • Risk Management (MEAT, I just made up this acronym)
    • Mitigation (Compensating or additional controls)
    • Elimination (Remediate underlying vulnerabilities)
    • Acceptance (Justification for Operational Necessity)
    • Transfer (Delegate up or down, buy insurance)
  • Balancing Success and Usability with Security and Assurance
    • Or How not to add too many countermeasures and controls to make the system costly to run.
  • Measurement and Reporting of Residual Risk
I find that second last one to be the general issue and the root of many of breaches. Either the system has no budget so the AA has to except risks they may or may not be comfortable with. Or the system has too much budget and the Security Architect goes overboard. Lastly, not all risks are discovered at the time of accreditation and no new risk assessments are conducted.

So once all that is done, it must be uniformly applied (directly to the forehead, haha). More simply quarterly or semi-annual summits/counsels/conferences with the AAs with case studies, panels and open forums to discuss emerging threats, emerging countermeasures, what risks should be accepted, etc. Keeping it as simple and high level as possible, given that some of the AAs have little to no IT background.

This may already be happening and I am not aware of it. Please let me know if it is or isn't or anything you would want to see as possible solutions. It would be up to NIST or OMB to institute something like this, since FISMA gives them that authority. Or I accept Cash, Check, Wire Transfer, Money Orders and Google Checkout.

1 comment:

rybolov said...

Hi Chris

I'm putting up a presentation "real soon now" about why people outside the beltway should care about and one of my ideas for a follow-on is a slide deck aimed at new DAAs.

Supposedly NIST is working on a handbook for DAAs, but I've heard hints about it for about a year now with nothing tangible to show.