I’m going to put on my Government Security Heretic Hat for a while here, so bear with me. By my estimate, half of the security assessments received by the Government involve some kind of fraud, waste, and abuse.
What makes me say this is the amount of redundancy in some testing that I’ve seen without any value added.
The way to avoid this redundancy is the concept of common (shared) controls. The whole idea is that you take whatever security controls are implemented once and inherited across the board, put them into one bucket, and test that bucket once. Whenever a system shares controls with that bucket, you don’t retest them; you look at the shared-control assessment and confirm that it is still relevant and accurate for that system.
So, what makes a security assessment not fraud, waste, and abuse? It’s a good assessment if it does the following:
- Does not repeat a previous assessment.
- Discovers previously-undiscovered vulnerabilities, weaknesses, or findings.
- Has findings that get fed into a risk management plan (accepted, avoided, transferred, etc.; think POA&M).
- Is not exhaustive when it doesn’t need to be.
- Provides value to the project team, system owner, and Authorizing Official to make key decisions.
Now the problem is that the typical auditor has a hard time stopping: they have an ethical obligation to investigate anything that their “professional skepticism” tells them is out of place, just like cops have an ethical obligation to investigate anything that they think is a crime.
The Solution? Don’t use auditors! The public accounting model that we adopted for information security does not scale the way that we need it to for ST&E, and we need to understand this in order to fix security in the Government.
What we need to be doing is Security Test and Evaluation that is focused on risk, not on compliance against a checklist of control objectives. Usually, if you know enough to say “Wow, your patch management process is whacked, you’re at a high risk!” then that’s enough to stop testing patch management controls; further testing adds findings but not new information for the decision. This is one of the beefs I have with NIST SP 800-53A in the hands of less-than-clueful people: they will test until exhaustion.
There isn’t a whole lot of difference between ST&E and an audit in technique, just in purpose. Audits are by nature confrontational because you’re trying to prove that fraud, waste, and abuse hasn’t occurred. ST&E is helping the project team find things that they haven’t thought of before and eventually get the large problems funded and fixed.
Photo: “The Little Frauds,” from Harrigan & Hart’s Songs & Sketches (Boston Public Library).