Note to the Data People: Give us Some Raw InfoSec Data
Posted August 24th, 2009 by rybolov
We have all these data wonks running around now in the information security field thanks to a couple of people (Jaquith, Shostack, Stewart, and our friends at Verizon Business) who brought us some books and some data.
Well, earlier this year, the Government started a website called Data.gov. This is much awesomeness, Viva Las Transparency! However, it’s missing something very relevant to my interests: information security management data.
So, I want people to go to data.gov’s “request a dataset” page and request the following:
Complete responses from the Departments and Agencies to the FISMA reporting requirements for FY2004-2009 based on OMB Memoranda 04-25, 05-15, 06-20, 07-19, 08-21, and 09-29.
Raw incident data for years 2005-2007 as reported to OMB and summarized in their report to Congress on FY2007 FISMA performance and published at http://www.whitehouse.gov/omb/inforeg/reports/2007_fisma_report.pdf
Raw incident data for years 2007 and later in any type and format similar to the Verizon Data Breach Investigations Report available at http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
This information is necessary for researchers to study the effectiveness of information security management techniques and regulatory schemes, and for industry to propose changes to national-level information security management frameworks and legislation such as FISMA. For the most part this information has been released to Congress only in summary form; release of the complete dataset on data.gov would greatly aid the information security community.
It might be a fool’s errand at this point, but it doesn’t hurt to ask, and it only takes a couple of minutes to do. =)
Posted in Public Policy. Tags: datadotgov • fisma • infosharing • management • metrics • omb • security
6 Comments
August 25th, 2009 at 11:04 am
Slightly revised the post to include data for FY09 and OMB Memo 09-29.
August 25th, 2009 at 12:08 pm
The data RAND collected for NCSS would be nice, too.
http://www.ojp.usdoj.gov/bjs/abstract/cb05.htm
August 26th, 2009 at 12:44 pm
Awesome thanks for writing this up.
August 26th, 2009 at 2:26 pm
Viva La Resistance! Interesting perspective on agency INFOSEC performance metrics.
September 15th, 2009 at 11:08 am
[...] on his Guerilla CISO blog, Rybolov suggests that we ask the Data.gov folks for infosec data using their Suggest a data set page. It sounds like a good idea to me! I took his request and built [...]