It’s a Series of Pipes

Posted June 22nd, 2007 by rybolov

…or at least that’s how Yahoo has Pipes to process blog feeds. I’m working on a combined feed for ISM-Community. This has to be the easiest point-n-click programming I’ve done in years.

Right now I have the following feeds:

ISM-Community Blogs (one for each focus area)
Guerilla-CISO (This guy is a genius!) =)
Mark Curphey
SecurityBullshit.com (Curphey Cartoons)
Mano Paul
Alex Hutton
Jason Bevis

Most of these are low-volume for reasons that any security person who isn’t busy all the time probably isn’t worth hiring or hearing what they have to say.

There are probably more that I don’t know about–it’s not that I selectively left anybody out just yet. The feed should be considered “Beta” quality and shortly (well, when we get around to doing it), we’ll add it to the ISM-Community site.

Drop me a line if you’re an ISM-Community groupie and want your feed added.

And remember, folks, it’s not a big truck. =)

Call for Volunteers

Posted June 21st, 2007 by rybolov

I’m once again the pusher for the ISM-Community Risk Assessment Methodology and I’m looking for a few good geeks.

I figured I would send out the call here, too, since if I don’t advertise enough for volunteers, the whole thing falls on my shoulders. =)

Rebuilding C&A

Posted June 13th, 2007 by rybolov

After commenting on Mike Rothman’s Security Incite and Alex Hutton’s riskanalysis.is, I’m about ready to explain how C&A works and doesn’t work.

Let’s roleplay, shall we?

You’re the US government. You have an IT budget of $65 ba-ba-ba-ba-billion (stuttering added for additional effect) every year (2007 budget). If you wanted to, you might be able to make an offer to buy Microsoft based on one year’s worth of budget.

So how do you manage security risks associated with such a huge amount of cash? Same way you would manage those IT systems in the non-security world:

Break it all down into bite-sized pieces
Have some sort of methodology to manage the pieces effectively
Delegate responsibility for each piece to somebody
Use metrics to track where you are going
Focus on risks to the business and the financial investment
Provide oversight on all of the pieces that you delegated
Evaluate each piece to see how well it is doing

Hmm, sounds exactly like what the government has done so far. It’s exactly like an agency’s investment (system) inventory/portfolio, OMB budget process, and the GAO metrics.

Now how would you manage each bite-sized piece? This is roughly the way a systems engineer would do it:

Define needs
Define requirements
Build a tentative design
Design review
Build the system
Test that the requirements are met
Flip the switch to take it live
Support anything that breaks

Hmm, that’s suspiciously like a system development life-cycle, isn’t it? There’s a reason we use project management and SDLC–in order to get from here to there, you need to have a plan or methodology to follow, and SDLC makes sense.

So then let’s do the same exercise and add in the security pieces of the puzzle.

Define needs: Determine how much thesystem and the information is worth–categorization (FIPS-199 and NIST SP 800-60)
Define requirements (FIPS-200 andNIST SP 800-53 along with a ton of tailoring)
Build a tentative design (first security plan draft)
Design review (security plan approval)
Build the system
Test that the needs and requirements are met (security test and evaluation)
Flip the switch to take it live (accreditation decision)
Support anything that breaks (continuous monitoring)

Guess what? That’s C&A in a nutshell. All this other junk is just that–junk. If you’re not managing security risk throughout the SDLC, what are you doing except for posturing for the other security people to see and arguing about triviata?

This picture (blatantly stolen from NIST SP 800-64, Security Considerations in the Information System Development Life Cycle) shows you how the core components of C&A fit in with the rest of the SDLC:

My theory is that the majority of systems have already been built and are in O&M phase of their SDLC. What that means is that we are trying to do C&A for these systems too late to really change anything. It also means that for the most part we will be trying to do C&A on systems that have already been built, so, just like how people confused war communism with pure communism, we confuse the emergency state of C&A post-facto with the pure state of C&A.

Now let’s look at where C&A typically falls apart:

Confusing compliance (check the box) with risk management (are we providing “adequate security”?)
Focusing too much on the certification statement and accreditation decision, which should be a gate instead of the entire process
Not hiring smart people
Failure to associate technical and system-specific risks with the business case
Disassociation from the rest of the SDLC
Disassociation from reality (liarware)
Trying to certify and accredit systems in the implementation phase of the SDLC
Risk-adverse decision-making
Using C&A as quality assurance

Keys to success at this game follow roughly along what ISM-Community has proposed as an ISM Top 10. Those ISM guys, they’re pretty smart. =)

CISO’s Book of Death

Posted April 19th, 2007 by rybolov

Back in my army days, most good leaders carried around a book with info on their squad. We jokingly called these our “Book of Death”.

Anyway, I aggregated all the spreadsheets I’ve used over the past year, sanitized them, genericized them, and put them up on the web. Feel free to borrow heavily or let me know what maybe needs to be added or expanded.

Really, I’m just testing the waters to see if there is interest in taking something like this on as a full project or if it should remain a Mike Smith skunkworks project like it has been so far.

CISO’s Book of Death V0.1

All Quiet on the ISM-Community Front

Posted April 4th, 2007 by rybolov

You would think from looking at the Discussion Forums that ISM-Community is dying. I can confirm that, like Mark Twain, the rumors of our death are greatly exaggerated.

Right now, and nobody else knows it, I’m working on a ton of skunkworks projects to support us, including the following:

Informational Brochure (OK, my wife is doing most of it, but I’m editing the content)
Nonprofit Bylaws
FISMA Top 10 SWAG
Definitive agenda for DC Chapter meeting
Various politicking

So really do these warrant a full-blown project? Not really. But they still need to get done.

Similar Posts:

Posted in ISM-Community | No Comments »

ISM-Community DC Chapter Meeting Announcement

Posted March 26th, 2007 by rybolov

The ISM-Community DC Chapter would like to cordially invite everyone to it’s first ever meeting.

Who:

ISM-Community DC Chapter
Michael Smith and Earl Crane, chapter leaders

What:

Arrivals and Introductions
Concept of ISM-Community
Development of the ISM-Community FISMA Top 10
Future project ideas
Cookies and soda
Earn 2 CPEs!! for 2 hours of professional organization meeting

When:

3:00 to 5:00
Friday
April 20th, 2007

Where:

City Club of Washington at Columbia Square
Metro-Accessible at Metro Center station
http://www.city-washington.com/about/location.htm

Administrativia: Since it is a private club, there is a dress code at the City Club of Washington. Jackets are not required, however jackets are still preferred. Jeans, sneakers, shorts and collarless shirts are not allowed.

For More Information:

We would like to thank Potomac Forum for sponsoring this event.

Similar Posts:

Posted in ISM-Community | No Comments »

The Guerilla CISO

Feeds

Phone-Readable

Recent Comments

What’s Hot

Tags

Categories

Blogroll

Archives