It’s out. Check it out in the OMB Memo. I’ll most likely have something pithy to say when I look at it a little bit more, but it looks like it’s mostly the same as last year.
Anyway, you can get it here, it’s OMB Memo 08-21.
Posted in FISMA | 
No Comments »
Tags: fisma • omb
It’s even funnier when you know about the Frankenchrist album trial just a couple of years later.
Posted in Odds-n-Sods | 3 Comments »
Tags: subversion
Hot on the heels of Security Assessments as Fraud, Waste, and Abuse comes this heartwarming lolcat.
Posted in IKANHAZFIZMA | No Comments »
Tags: auditor • compliance • fisma • government • infosec • itsatrap • lolcats • management • moneymoneymoney • scalability • security
I’m going to put on my Government Security Heretic Hat for awhile here, bear me out. By my estimate, half of the security assessments received by the Government have some kind of fraud, waste, and abuse.
What makes me say this is the amount of redundancy in some testing that I’ve seen without any value added.
The way to avoid this redundancy is the concept of common/shared controls. The whole idea is that you take whatever security controls you have across the board and put them into one bucket. You test that bucket once and then whenever something shares controls with that bucket, you look at the shared control bucket and make sure that the assessment is still relevant and accurate.
So, what makes a security assessment not fraud, waste, and abuse? It’s a good assessment if it does the following:
Now the problem is that the typical auditor has a hard time stopping–they have an ethical obligation to investigate anything that their “professional skepticism” tells them is out of place, just like cops have an ethical obligation to investigate anything that they think is a crime.
The Solution? Don’t use auditors! The public accounting model that we adopted for information security does not scale the way that we need it to for ST&E, and we need to understand this in order to fix security in the Government.
What we need to be doing is Security Test and Evaluation which is focused on risk, not on compliance using a checklist of control objectives. Usually if you know enough to say “Wow, your patch management process is whacked, you’re at a high risk!” then that’s enough to stop testing patch management controls. This is one of the beefs I have with 800-53A in the hands of less-than-clueful people: they will test until exhaustion.
There isn’t a whole lot of difference between ST&E and an audit, just the purpose. Audits are by nature confrontational because you’re trying to prove that fraud, waste, and abuse hasn’t occured. ST&E is helping the project team find things that they haven’t thought of before and eventually get the large problems funded and fixed.
The Little Frauds Harrigan & Hart’s Songs & Sketches Photo by Boston Public Library
Posted in FISMA, NIST, Risk Management, What Doesn't Work | 8 Comments »
Tags: auditor • cashcows • catalogofcontrols • compliance • fisma • government • infosec • itsatrap • management • moneymoneymoney • risk • scalability • security
You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?
Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.
The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees. Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.
In fact, you can see the last edition here. Caveat: it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.
Plum Pickin photo by Secret Tenerife
Now why do we care about the Plum Book? Well, that’s a good question. Have a look at some of the staffing plans in the plum book, and you’ll see something missing: Agency CISOs.
Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers. Once again, we’ve crippled our security staffs like the old-school way of doing things.
On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s. So what’s the difference?
Well, political appointees (SES) are appointed by the President. They make a better target because they have much more visibility from the higher-ups they are more political in nature.
GS-scale employees are civil service careerists. Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.
Which is better? Well, if you want survivability, then GS-scale is the way to go. If you want to make the most difference, SES is the ticket.
Most of us will never get the choice. =)
Posted in Odds-n-Sods, Rants | 3 Comments »
Tags: fisma • government • infosec • management • scalability • security
With as much overengineering that people do for low-criticality systems, I’m surprised nobody’s mentioned this idea yet for high-criticality data: snipers on the roof. Now that “the cat’s out of the bag”, I figure this will be in the next 800-53 revision.
Posted in IKANHAZFIZMA | 1 Comment »
Tags: 800-53 • catalogofcontrols • fisma • government • infosec • lolcats • security
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email