Learning From the Intelligence World

Posted June 6th, 2007 by

Back in the day when I was PFC Smith, they taught me in school that one definition of good intelligence is that it has three qualities:

  • Timely–you get the information with enough time left to act on it
  • Accurate–yes, it’s not an exact science, but as accurate as you can get and still be timely
  • Relevant–it answers the questions the commanders need answered in order to make decisions

You can extend these three qualities to just about any piece of information: vulnerability reports, security metrics, audit findings, or vendor presentations. A scanner report that arrives after the patch window has closed fails on timeliness; a metric nobody uses to make a decision fails on relevance.

Now an interesting piece of trivia: inside the US Federal Government, security practitioners are charged with providing “adequate security”. The phrase comes from OMB Circular A-130, which defines it as security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. I’ve listened to Hord Tipton and his travails with the Cobell v. (Kempthorne|Norton|Babbitt) case, and it was interesting to me because he had to prove that his organization provided “adequate security”, so there was much talk about what that definition actually entailed in practice.

Really what I’m looking for is a good, concise definition of “adequate security” that parallels the qualities of good intelligence:

  • Threat-specific–we protect against the types of attack we are actually likely to face
  • Cost-effective–we’re not spending money just to check a box in a compliance framework
  • Relevant–the controls support the business processes instead of getting in their way

Posted in Army, FISMA, What Works | 4 Comments »

4 Responses

  1.  Halon73 Says:

    This is further cannon fodder for the case that we must transform how we do business. I have really been feeling the ground movement and hearing more about the need for a new direction. From my view I’m calling this direction “transformation”. What we will look like after that process I’m not sure, but one thing that I am clear on now is that unless we step it up and put pressure on those organizations that claim to represent us to start taking action, we risk losing the opportunity that is before us now to be the leaders I know us to be.

    I recommend that the first step is to establish a central, and legally binding, authority that can issue standards on information security. This is a step beyond what NIST provides through guidance. Ask yourself why we have one of the safest air transport systems in the world. I say it is through the certification processes that the FAA has that ensure that anyone who operates, pilots, or maintains aircraft not only performs those duties to the standards prescribed but is held legally and criminally responsible. Until folks have their feet held to the fire and liability assigned where it belongs, I predict a continual dilution of our trade to the point, if left unchecked, that we will lose credibility and thus our ability to effect positive change.

    I find it sad that the industry needs an external governing agency to codify standards of conduct, practice, and ethics to ensure safe operations of information processing systems. But nevertheless I see the need to federally license information security professionals to both ensure safe operations and at the same time help us limit our liability while further defining what we are. The ultimate power is in the pen, and the signature that goes with that pen should bond the Security Practitioner (SP) to the work they perform until that work is either performed by another SP or the system is decom’ed.

  2.  Halon73 Says:

    PS check this out:

    The more I think about it the more I like adopting a 14 CFR Part 65 style system for us.

    If folks knew they were responsible for a system and could be put in jail I think it would have a WONK killing effect.

  3.  The Guerilla CISO » Blog Archive » Another Day, Another Vendor Says:

    […] Now for people who know what they are doing, the people that I refer to as “clueful”, these tools are pretty good at keeping you on track. The problem is that there is a shortage of clueful people, so they’re buying tools to compensate for the lack of skill. The end result of this game is that you end up broke with no adequate security–not exactly what I would call “effective security”. […]

  4.  When the Feds Come Calling | The Guerilla CISO Says:

    […] of the concepts in security and the Government is that agencies are to provide “adequate security” for their information and information systems. Have a look at FISMA and OMB Circular […]
