How to Get a Security Assessment the NIST Way

Posted October 22nd, 2007 by

Those cheeky devils over at NIST have an interesting read out in draft form:  NISTIR 7328 (.pdf caveat).  It’s a draft Interagency Report, but in reality it’s a how-to on being assessed and being the assessor.

I’ve given it a glance and it’s all the things that successful Security Test and Evaluation teams have been doing all along.  I know there’s some kind of “take-away” (my MBA phrase for today) that works out in the private sector.

Posted in FISMA, NIST, Risk Management, What Works | No Comments »

Another 2-Day C&A Seminar

Posted October 19th, 2007 by

Hello Everybody

I’ll be teaching again with Potomac Forum at the end of the month.  This will be a 2-day Certification and Accreditation seminar.

Posted in FISMA, Speaking | 1 Comment »

Security Managers with PMP

Posted October 19th, 2007 by

I’ve been toying with the idea for about 6 months, but I think I’ve decided to go for a PMP.

See, one of my little foibles is that if you act long enough like you can’t manage a project, I eventually get impatient and end up taking it over. So I figured that since I’ve led a bazillion projects, I might as well get credit for it. =)

Anyway, I’m interested in a quick straw poll on how many security folks are out there doing PM jobs.  It seems like we get pulled into PM stuff more and more because more often than not, we know how things are supposed to work.

Posted in The Guerilla CISO | 4 Comments »

Some Words on Steinnon

Posted October 18th, 2007 by

OK, this post will be big today. For starters, I use Fortinet products; they’re the heart of my key infrastructure, and I’m pretty happy with them.

  1. It’s GAO, OMB, and the House Committee on Government Oversight and Reform, not GSA.
  2. This blog posting is very unprofessional of you, sir. I would expect more from a Chief Marketing Officer. Will your CEO read about how you treat your customers?
  3. Obviously you do not understand your customer base and you are unable to understand their pain points. That is not being a good partner. The appropriate answer is “let’s grab a conference room and talk this over, I want to fix this for you.”
  4. You just provided that individual with his migration plan from your gear onto somebody else’s.
  5. You need to get out walking more and get some better shoes.
  6. Yes, the CIO and his CISO bear most of the responsibility, but if they fail, you fail. Until you understand that, you have much to learn about the Government.

What neither Richard nor his CIO “friend” realizes is that it takes a partnership between the Government and the vendors to make it work. Yes, the agencies receive a FISMA grade, but really that failing grade represents the efforts of both the Government and industry. You need to understand that before you go hating on the agencies for low grades.

We all get frustrated dealing with each other. It’s hard for contractors and vendors to understand the Government unless they’ve worked as a GS-scale or SES. I know the contractor side, I know some of the Government side, but I don’t claim to know it all.

But to go out in public and criticize your customers is unthinkable, especially in DC, and especially from a Chief Marketing Officer. You don’t make any permanent enemies here if you can help it; you never know who will end up in charge after the next reorganization.

On the other hand, the purpose of the FISMA grades is to give people a reason to have these conversations. The Government needs to be going to its vendors and saying that they cost too much and don’t fix their problems. That’s supposed to happen, only Richard didn’t handle it well. Don’t tell me this is the first time something like this has ever happened to him.

I just expect more from a vendor and their head of marketing. Thank you for level-setting my expectations for your company, Richard.

Posted in FISMA, Rants | 6 Comments »

Wednesday Zombie Post–The Guy’s Guide to Zombies

Posted October 17th, 2007 by

No, really, they’re entitled to have good jobs, and they only think about eating brains 52% of the time. What’s not to like?

Posted in Zombies | No Comments »

Buy a Costume, Get Security Suite Free!

Posted October 11th, 2007 by

“See, that security thang, it ain’t so hard.” I guess endpoint security is a complete and utter commodity now. =)   I can feel the cyanide bullet C&D letter coming in the mail any minute now.

From: ZoneAlarm <>
To: rybolov
Sent: Wednesday, October 10, 2007 5:42:47 PM
Subject: Buy a Costume, Get Security Suite Free!

ZoneAlarm by Check Point

ZoneAlarm® Internet Security Suite FREE! has 100s of Halloween costumes:

We also have over 100 other special offers available from partners such as Lancôme, Blockbuster and American Express.

Find a costume now — get started now!

Posted in Odds-n-Sods | 1 Comment »
