Dear NIST People,
I have this semi-random digital scribbling thingie called a blog. You might have heard of them. Hey, you might have even at one point heard of mine. =)
On my blog I let it be known that I am what the rest of the world would call a “NIST Cheerleader”. I watch your every move. I comment on your new publications. I teach your framework every quarter. From time to time, I criticize, but only because I have a foot in the theory of information security that you live and a foot in the implementation with agencies who know where the theory and models break.
The best thing that you have given us is not the risk management framework; it is SP 800-30, “Risk Management Guide for Information Systems”. It’s small, to-the-point, and scalable from a single server to an entire IT enterprise. Sure, the quants hate it, but for the quals and Government, it’s good enough. I know private-sector organizations that use it. One of my friends and blog readers/commenters was the guy who taught a group of people how to do risk assessment, and these same people then went on to help you write the book.
I heard that you were in the process of revising SP 800-30. While this is much needed to catch up and modernize, I want to make sure that 800-30 does not follow the “live by the catalog, die by the catalog” path that we seem to be following lately. In other words, please don’t change the risk assessment process to the following:
- Determine boundary
- Determine criticality
- Conduct a gap assessment against a catalog of controls (SP 800-53/800-53A)
- Attach a priority to mitigation
- Perform risk avoidance because compliance models are yes/no frameworks
[Photo: “At Your Own Risk” by Mykl Roventine]
The reason that I am writing this is to let you know that I have noticed a disturbing trend: now that we have a catalog of controls, the risk management framework is focusing more and more heavily on the catalog as the vehicle for determining an adequate level of security. Some of this is good, some of this is not.
Why am I so concerned about this? Well, inside the Government we have two conflicting ideas on information security: compliance vs. risk management. While we are fairly decent Government-wide at compliance management, the problem that we have is in risk management, because risk management is only as good as the people who perform the risk assessment. Not that we don’t have competent people, but the unknowns are what will make or break your security program, and the only way that you can know the unknowns is to get multiple assessments aimed at risks outside of the control catalog.
However, if you change the risk assessment process to a “catalog of controls gap analysis” process, then we’ve completely lost risk management in favor of compliance management. To me, this is a disturbing trend that needs to be stopped.
Thank you for your time.