FedRAMP: It’s Here but Not Yet Here

Posted December 12th, 2011 by

Contrary to what you might hear this week in the trade press, FedRAMP is not fully unveiled although there was some much-awaited progress. There was a memo that came out from the administration (PDF caveat).  Basically what it does is lay down the authority and responsibility for the Program Management Office and set some timelines.  This is good, and we needed it a year and a half ago.

However, people need to stop talking about how FedRAMP has solved all their problems because the entire program isn’t here yet.  Until you have a process document and a catalog of controls to evaluate, you don’t know how the program is going to help or hinder you, so all the press about it is speculation.



Similar Posts:

Posted in DISA, FISMA, NIST, Outsourcing, Risk Management | No Comments »
Tags:

DHS is Looking for a CISO

Posted November 4th, 2011 by

Job announcement is here.  Share with anybody you think can do it.



Similar Posts:

Posted in FISMA, NIST, Odds-n-Sods | 2 Comments »
Tags:

Happy New Year

Posted January 1st, 2011 by

Believe it or not, this is a friend’s cat named Little Phat Man, and we cat-sat him over Christmas.  Mrs Rybolov took the photo.  I’ve been trying to get Phat into a lolcat for a long time.

ikanhazfizma wishes you



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

Coming Soon to a Cloud Near You…

Posted November 22nd, 2010 by

Considering that it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big.  Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).

However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:

  • A “secure, reliable, cost-effective cloud option” is a very loaded statement very open to interpretation
  • They already have to consider open source solutions
  • They already have to consider in-sourcing
  • They already have to consider outsourcing
  • “Cloud” more often than not includes private clouds or community clouds
  • Isn’t this just another way to say “quit reinventing the wheel”?
  • Some Government cloud initiatives are actually IT modernization initiatives riding the bandwagon-du-jour
  • Switching from Boeing, Northrup, and SAIC beltway bandit overlords to Google, Amazon, and SalesForce cloud overlords still mean that you have overlords


Similar Posts:

Posted in Outsourcing, Rants | 2 Comments »
Tags:

Split-Horizon Assessments and the Oversight Effect

Posted July 7th, 2010 by

Going Off the Deep End

So I was thinking the other day (this is the part where people who know me in person usually go “oh cr*p”), partially spurred by a conversation I had with @csoandy and @secbarbie a couple of months ago.  I’ll get the idea out there: as an industry we need to embrace the concept of split-horizon assessments.

Two Purposes for Assessments

Because this is an insane approach that I’m just feeling out, let me go on a solo riff and explain what I’m talking about.  You see, I have two distinct purposes for getting a security assessment, both of which are in contention with each other:

  • I want to fix my security by asking for money to fix the things that need attention.  When I get an assessment for this purpose, enumeration of my badness/suckness is good.  If I have a set of results that say that everything is great, then there’s no need for me to be given any more resources (time, money, people, gear).  Short-term, I’m fine, but what about my infrastructure-type long-term projects?  The net effect of a highly-scored annual assessment just might kill my program in 2 years as my funding and people are shifted elsewhere, especially in a .
  • I want to keep my job and help my {company|agency|group} stay out of trouble by showing my zero-defects face and by demonstrating my due-diligence in protecting what has been given to me.  While the assessor has helped me short-term by identifying my problems and being a total hardass, if I’m not around in 6 months to adopt the recommendations into my security program, has the assessor actually helped me?

And this is the dilemma for just about every security manager out there.  One of the strategies is to alternate assessment types, but then your management wonder just what the heck it is you’re doing because you’re on top one year, then on the bottom the next.

Split Rock Lighthouse and Horizon photo by puliarf.

Assessor Window-Shopping

Now for the dirty little secret of the testing business:  there are really good testers who are the ninjas of the InfoSec world and there are really bad testers who don’t even validate their unlicensed Nessus scan.  I know, you’re shocked and it’s so blindingly obvious that Bruce Schneier will blog it 3 years from now.  =)

But there’s the part that you didn’t know:  security managers pick their assessor depending on the political mood inside their organization.  This is nowhere near a science, from what I’ve seen it involves a lot of navel-gazing on the part of the security team to see which is the lesser evil: having everybody think you’re incompetent or never getting anything new ever again?

Building a Better Rat Race

In order to accomplish both of the goals that I’ve listed, what I really need is a split-horizon assessment.  In other words, I need 2 reports from one assessment with different views for different audiences.  I know this sounds highly cynical, but it’s something we’ve been doing for some time now but just informally.  Might as well make it formal.

So are you sold on this concept yet?  In true form, I have an idea on how to get to a world of split-horizon assessments.  You can take any catalog of controls and divide it into “gotta have it” and “nice to have” (I almost divide these along the lines of “vulnerability mitigation” and “sustainable security program” or the “CISO” and “OMB and Congress”) buckets.  Then in your compliance assessment standard, require 2 reports for each assessment.  One is reported to the regulating authority and the other stays with the organization.

Indecision Strikes

I don’t know if I’ve solved the problemspace or not, but I’m looking for feedback “from the Peanut Gallery” so leave some comments.



Similar Posts:

Posted in Rants, What Doesn't Work, What Works | 7 Comments »
Tags:

A Stable InfoSec Program?

Posted June 17th, 2010 by

If it wasn’t frustrating dealing with the huge conflict-of-interest that follows the Government’s InfoSec pocketbook, it would be absolutely hilarious to watch the myriad interactions between all the competing interests at work, all with their grand plan on how to “fix” something that, in their opinion, is grossly broken.  Not that their idea is any better or will be executed better, it’s that it’s something new and gives them soundbites.

I’ll even admit to having my own opinions from time to time, although I’m not in it for the filthy lucre, just trying to help.  =)

stable foundashun 4 my infosec program? lots of "it depends"



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

« Previous Entries


Visitor Geolocationing Widget: