It’s a Series of Pipes

Posted June 22nd, 2007 by

…or at least that’s how Yahoo has Pipes to process blog feeds. I’m working on a combined feed for ISM-Community. This has to be the easiest point-n-click programming I’ve done in years.

Right now I have the following feeds:

Most of these are low-volume, for the simple reason that any security person who isn’t busy all the time probably isn’t worth hiring or listening to.

There are probably more that I don’t know about–it’s not that I selectively left anybody out just yet. The feed should be considered “Beta” quality and shortly (well, when we get around to doing it), we’ll add it to the ISM-Community site.

Drop me a line if you’re an ISM-Community groupie and want your feed added.

And remember, folks, it’s not a big truck. =)

Posted in ISM-Community, Technical, What Works | 1 Comment »

Call for Volunteers

Posted June 21st, 2007 by

I’m once again the pusher for the ISM-Community Risk Assessment Methodology and I’m looking for a few good geeks.

I figured I would send out the call here, too, since if I don’t advertise enough for volunteers, the whole thing falls on my shoulders. =)

Posted in ISM-Community, Risk Management, What Works | No Comments »

Rebuilding C&A

Posted June 13th, 2007 by

After commenting on Mike Rothman’s Security Incite and Alex Hutton’s, I’m about ready to explain how C&A works and doesn’t work.

Let’s roleplay, shall we?

You’re the US government. You have an IT budget of $65 ba-ba-ba-ba-billion (stuttering added for additional effect) every year (2007 budget). If you wanted to, you might be able to make an offer to buy Microsoft based on one year’s worth of budget.

So how do you manage security risks associated with such a huge amount of cash? Same way you would manage those IT systems in the non-security world:

  • Break it all down into bite-sized pieces
  • Have some sort of methodology to manage the pieces effectively
  • Delegate responsibility for each piece to somebody
  • Use metrics to track where you are going
  • Focus on risks to the business and the financial investment
  • Provide oversight on all of the pieces that you delegated
  • Evaluate each piece to see how well it is doing

Hmm, sounds exactly like what the government has done so far. It’s exactly like an agency’s investment (system) inventory/portfolio, OMB budget process, and the GAO metrics.

Now how would you manage each bite-sized piece? This is roughly the way a systems engineer would do it:

  • Define needs
  • Define requirements
  • Build a tentative design
  • Design review
  • Build the system
  • Test that the requirements are met
  • Flip the switch to take it live
  • Support anything that breaks

Hmm, that’s suspiciously like a system development life-cycle, isn’t it? There’s a reason we use project management and SDLC–in order to get from here to there, you need to have a plan or methodology to follow, and SDLC makes sense.

So then let’s do the same exercise and add in the security pieces of the puzzle.

  • Define needs: Determine how much the system and the information is worth–categorization (FIPS-199 and NIST SP 800-60)
  • Define requirements (FIPS-200 and NIST SP 800-53 along with a ton of tailoring)
  • Build a tentative design (first security plan draft)
  • Design review (security plan approval)
  • Build the system
  • Test that the needs and requirements are met (security test and evaluation)
  • Flip the switch to take it live (accreditation decision)
  • Support anything that breaks (continuous monitoring)

Guess what? That’s C&A in a nutshell. All this other junk is just that–junk. If you’re not managing security risk throughout the SDLC, what are you doing except posturing for the other security people to see and arguing about trivia?

This picture (blatantly stolen from NIST SP 800-64, Security Considerations in the Information System Development Life Cycle) shows you how the core components of C&A fit in with the rest of the SDLC:

Security in the SDLC

My theory is that the majority of systems have already been built and are in O&M phase of their SDLC. What that means is that we are trying to do C&A for these systems too late to really change anything. It also means that for the most part we will be trying to do C&A on systems that have already been built, so, just like how people confused war communism with pure communism, we confuse the emergency state of C&A post-facto with the pure state of C&A.

Now let’s look at where C&A typically falls apart:

Keys to success at this game follow roughly along what ISM-Community has proposed as an ISM Top 10. Those ISM guys, they’re pretty smart. =)

Posted in FISMA, ISM-Community, NIST, Risk Management, What Doesn't Work, What Works | 2 Comments »

CISO’s Book of Death

Posted April 19th, 2007 by

Back in my army days, most good leaders carried around a book with info on their squad. We jokingly called these our “Book of Death”.

Anyway, I aggregated all the spreadsheets I’ve used over the past year, sanitized them, genericized them, and put them up on the web. Feel free to borrow heavily or let me know what maybe needs to be added or expanded.

Really, I’m just testing the waters to see if there is interest in taking something like this on as a full project or if it should remain a Mike Smith skunkworks project like it has been so far.

CISO’s Book of Death V0.1

Posted in Army, ISM-Community, Risk Management, What Works | 3 Comments »

All Quiet on the ISM-Community Front

Posted April 4th, 2007 by

You would think from looking at the Discussion Forums that ISM-Community is dying. I can confirm that, like Mark Twain, the rumors of our death are greatly exaggerated.

Right now, and nobody else knows it, I’m working on a ton of skunkworks projects to support us, including the following:

  • Informational Brochure (OK, my wife is doing most of it, but I’m editing the content)
  • Nonprofit Bylaws
  • FISMA Top 10 SWAG
  • Definitive agenda for DC Chapter meeting
  • Various politicking

So really, do these warrant a full-blown project? Not really. But they still need to get done.

Posted in ISM-Community | No Comments »

ISM-Community DC Chapter Meeting Announcement

Posted March 26th, 2007 by

The ISM-Community DC Chapter would like to cordially invite everyone to its first ever meeting.

  • ISM-Community DC Chapter
  • Michael Smith and Earl Crane, chapter leaders
  • Arrivals and Introductions
  • Concept of ISM-Community
  • Development of the ISM-Community FISMA Top 10
  • Future project ideas
  • Cookies and soda
  • Earn 2 CPEs!! for 2 hours of professional organization meeting
  • 3:00 to 5:00
  • Friday
  • April 20th, 2007

Administrivia: Since it is a private club, there is a dress code at the City Club of Washington. Jackets are not required; however, jackets are still preferred. Jeans, sneakers, shorts and collarless shirts are not allowed.

For More Information:

We would like to thank Potomac Forum for sponsoring this event.

Posted in ISM-Community | No Comments »