Communicating the Value of Security Seminar Preview

Posted July 17th, 2009 by

Actually this is all a little bit strange to comprehend, I’m not sure I get it all, but here goes…

So my friend Michael Santarcangelo sold his palatial estate, put his worldly possessions in storage somewhere in upstate New York, packed up his family in an RV, and is travelling around the US giving a series of seminars on “Communicating the Value of Security”.  I’ve met Michael, and he’s not a patchouli-smelling hippie looking for inner truth or some kind of weird traveling salesman, he’s just a really smart guy who’s passionate about what he does.

And he’s coming to Northern Virginia on the 25th to bring you BBQ, pool, and a seminar on how to communicate with non-security folks.  There’s a trivial cost to pay for the food.  It’s also a family event, and there’s no extra cost for your family to come along, although when Michael sees how much my teenage daughters eat, he’ll probably charge me at least an extra $50 bucks.

Get the full set of information here.  Sign up and give it a try.

Posted in Odds-n-Sods, Speaking | No Comments »

Super Secret Security Control You Were Never Meant To See

Posted September 4th, 2008 by

This super secret security control is from the unpublished control catalog of an agency we would be foolish to name here.  Oh, darn, you talked me into it, the agency is the Director of National Intelligence – Extralegal Ventures to Rectify Information Technology Hacks, Incursions and Numbskulls Gabbing (DNI-EVRYTHING):

PS-1337 PERSONNEL SANITIZATION AND DISPOSAL

Control:
The organization sanitizes information system personnel prior to disposal or release for burial.

Supplemental Guidance:
Sanitization is the process used to remove information from information system personnel such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved, recovered or extraordinarily renditioned. Sanitization techniques, including clearing, purging, and destroying personnel information, prevent the disclosure of organizational information to unauthorized individuals when personnel are disposed. The organization uses its discretion on sanitization techniques and procedures for personnel containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The Black Operations For the Homeland (BOFH) provides personnel sanitization guidance and maintains a listing of approved sanitization procedures in their publication “Leave No Incriminating Evidence (or Where Jimmy Hoffa Went) Directive and BBQ Cookbook”.

Control Enhancements:
(1) The organization tracks, documents, and verifies personnel sanitization and disposal actions.
(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.
(3) The organization employs personnel sanitizers (‘cleaners’) who bear an uncanny resemblance to either Harvey Keitel or Jean Reno to perform ad hoc personnel sanitization procedures.
(4) Lbh fubhyq arire gehfg EBG13 rapelcgvba be chg lbhe snvgu va pbafcvenpl gurbevrf. (ROT13 Super-Encrypted)

LOW: Not Selected  MOD: PS-1337(1)(2)  HIGH: PS-1337(1)(2)(3)  MAJESTIC12: PS-1337(1)(2)(3)(4)

Posted in IKANHAZFIZMA, Odds-n-Sods | 1 Comment »

Introducing the NoVa InfoSec Portal

Posted May 15th, 2008 by

Nice, somebody added up all the security events in Northern Virginia and put them in one place. Not only is this a good idea, but I have no less than half a dozen events happening every month within 2 miles of where I live.  I now have a busy social calendar and I have to manage my “copious amounts of free time”.

Things haven’t been this happening since the Army of the Potomac invaded.

Posted in Odds-n-Sods | 1 Comment »

Guerilla CISO Tip for Auditors: Be an “Observer-Controller”

Posted April 24th, 2008 by

The US Army occasionally does things right.

Well, one of the things that they do right is training. Our training process for squad and above is mostly focused around the Observer-Controller (OC) and their value proposition (my MBA word for the day, TYVM). Whenever you are training, there is an OC tagging right along with you to assess what and why you are doing something and then make recommendations at the end.

[Photo: OCs having a BBQ] Observer-Controllers hard at work, photo by David Axe

What an OC brings with them (aside from their 31337 BBQ Ski11z):

  • Experience of having seen the same task done hundreds of times with various groups.
  • A strong understanding of the doctrinally-correct way to do a task.
  • Techniques to fill out where doctrine is not specific enough.
  • Sometimes they have pre-written standard operating procedures that they will share with you.

What an OC will never do:

  • Use your resources to support themselves.
  • Own the solution space for you.
  • Criticize you in front of your troops.
  • Interfere with your ability to do your mission.

Hmmm, sounds like the things that a good auditor does.

Auditors are in a fantastic position to help the auditee because of the wide range of experience in how other companies have been doing the exact same thing that you are doing.  Point is, there is a level of collusion that needs to happen between the auditor and the auditee, and the extent of that collusion is really what we’re talking about when we start looking at Separation of Duties and similar things.

Over the years, auditors and auditees have had the nature of their relationship change numerous times. Around the time of Sarbanes-Oxley, the pendulum swung wildly the way of “no relationship no how” and now it’s slowly moving back to somewhere normal. Here’s a podcast with Michael Oxley talking about how auditors need to collude better with the auditee.  Disclaimer:  this is part of a series that is produced by my firm, but I had no part in this, Mkay?

Here in DC, we have a saying (Ok, I made it up my own self):  “Collusion is not just a technique, it’s THE technique.”  =)

Posted in Army, What Works | 1 Comment »