Metricon is Next Week

Posted August 4th, 2010 by

…and I’m excited.  I’ll be talking on “Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks” which is an Idea I’ve been mulling over on how to “build a better rat race” or at least to consciously build security management frameworks in a coherent manner. Obviously I’ll put up slides afterwords.

Agenda is here, I think there is still time to sign up and come as long as you’re not going to be a wallflower.  =)

Similar Posts:

Posted in Uncategorized | 1 Comment »

A New Take on Continuous Controls Monitoring

Posted June 10th, 2010 by

Some days I feel like all this “continuous monitoring” talk around the beltway is just really a codeword for “buy our junk”, much like the old standby “defense in depth”, only instead of firewalls and IDS, it’s desktop and server configuration management.  Even better that it works for both products and services.  The BSOFH in me likes having a phrase like “Near Real-Time Continuous Compliance Monitoring” which can mean anything from “tying thermite grenades to the racks in case of being captured” to “I think I’ll make a ham sandwich for lunch and charge you for the privilege”.

Anyway, our IKANHAZFIZMA lolcats have finally found a control worth monitoring:  the world’s supply of overstuffed cheeseburgers.  This continuous monitoring thing is serious business, just like the Internets.

kontinuus monitoring i kan get behind!

Similar Posts:

Posted in Uncategorized | 1 Comment »

Federal Computer Week and S.773

Posted September 20th, 2009 by

A phenomenal cartoon that reflects the true depth of discussion on S.773.  You may now return to your regularly-scheduled hacking.

Hat tip to Dan Philpott.

Similar Posts:

Posted in Uncategorized | No Comments »

CISOin’ Ain’t Easy, But It’s a Living

Posted October 28th, 2008 by

This is an article in Federal Computer week that’s fairly obvious to anybody who’s ever been any kind of security manager in Government:  it’s a hard job.  Realistically, you have to have such a wide range of skills that it’s hard to find people who can do it all.  It’s even worse if you have a couple subpar managers working under you.

I’ve said it a million times, I’ll say it again, in the public sector, a CISO spends 80% of their time doing basic project management and personnel management, and only 20% doing anything that could remotely be called “security”.

Similar Posts:

Posted in Uncategorized | 2 Comments »

Oh Lookie, Somebody’s Doing What I Said To Do….

Posted September 10th, 2008 by

Not to turn my blog into a place for twitter-short posts, but check out this announcement  by Cisco WebEx about their security management, audits, and SAS-70 stukas.

Fruck, it’s almost like somebody’s reading my posts on cloud computing and the Government.  This is good as long as WebEx can execute.  =)

Similar Posts:

Posted in Outsourcing, Uncategorized, What Works | No Comments »

Draft of SP 800-37 R1 is Out for Public Review

Posted August 19th, 2008 by

Go check it out (caveat: .pdf file) and send your comments to

I’ve just given it a glance and here are some things that I’ve noticed:

  • Section on security in SDLC
  • Incorporates some of the concepts in SP 800-39 about enterprise-wide risk
  • Section on common controls
  • The process has remained pretty much the same but now references all the other core documents

Where I see this revision’s weaknesses:

  • Still possible to view the C&A process as happening at the end of the SDLC as a gateway activity.  This is the path to failure–you have to start at the initiation of a project.  In other words, I don’t think the SDLC thing is obvious enough for the constituency.  C&A should be all about security in the SDLC, and I  think we’ve done ourselves a disservice by trying to separate the two.
  • Unity:  Yes, we have all the pieces there, but the document doesn’t flow as a whole yet.  BFD, I’ll get over it soon enough.
  • It all goes back to metrics:  If completed C&A is going to be one of the core metrics that you use (or OMB uses), then it should be THE core document with everything else being a stub of of it.  We have a start, but I don’t think it’s as fleshed-out as it needs to be.

Side-note for NIST:  C&A is the implementation of the System Security Engineering Process, some of that SSE has a place in 800-37.

The origingal announcement from NIST is this:

NIST, in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), announces the completion of an interagency project to develop a common process to authorize federal information systems for operation. The initial public draft of NIST Special Publication 800-37, Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, is now available for a six-week public comment period. The publication contains the proposed new security authorization process for the federal government (currently commonly referred to as certification and accreditation, or C&A). The new process is consistent with the requirements of the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III, promotes the concept of near real-time risk management based on continuous monitoring of federal information systems, and more closely couples information security requirements to the Federal Enterprise Architecture (FEA) and System Development Life Cycle (SDLC). The historic nature of the partnership among the Civil, Defense, and Intelligence Communities and the rapid convergence of information security standards and guidelines for the federal government will have a significant impact on the federal government’s ability to protect its information systems and networks. The convergence of security standards and guidelines is forging ahead with the development of a series of new CNSS policies and instructions that closely parallel the NIST security standards and guidelines developed in response to FISMA. The CNSS policies and instructions which address the specific areas of security categorization, security control specification, security control assessment, risk management, and security authorization, coupled with the current NIST publications will provide a more unified information security framework for the federal government and its contracting base. The unified approach to information security is brought together in part by the update to NIST Special Publication 800-37, Revision 1, which provides a common security authorization process and references the NIST and CNSS publications for the national security and non national security communities, respectively. The convergence activities mentioned above along with tighter integration of security requirements into the FEA and SDLC processes will promote more consistent and cost-effective information security and trusted information sharing across the federal government. Comments on the IPD of SP 800-37, Revision 1 should be provided by September 30, 2008 and forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: .

Similar Posts:

Posted in Uncategorized | 1 Comment »

Visitor Geolocationing Widget: