Wednesday, February 22, 2012

451 Research: A Peek Into the Psychographics of the CISO

The 451 Enterprise Security Practice (ESP) really did a great job with this report. It's not going to change your life, but it certainly draws attention to changes in spending. There are market pivots taking place now to address changing architectures and risk. Several things caught my attention. Here are three short comments.

The Power of One. Security Awareness. 
This is the number one concern among CISOs. It should be. It must be. Hands down. No question.

DLP: Your Last Line of Defense. 
You've been compromised because you refused to spend the time/resources [1] hiring the right person, [2] hiring the right auditing firm, [3] buying the right equipment, [4] listening to your team, [5] etc... Perhaps you did everything right and were still compromised. Either way, your DLP system might be the last control that either prevents or alerts you right away that something isn't right.

Missing: Compliance and Audit for the Midsize Enterprise
Because I don't have a compliance guy. Because it's too hard. Because it's too expensive. Because it's too disruptive. The solutions are rapidly evolving. I'm in the mix hearing from the different vendors how they plan on addressing these concerns. None of them are perfect, but they are getting better.

See the full report here (451 access required): Enterprise Security: A Peek Into the Psychographics of the CISO (Security Quarterly: February 21, 2012)

Tuesday, February 21, 2012

The NeverEnding Story: C&A

Are you old enough to remember The NeverEnding Story (1984) - IMDb? There are so many puns here about C&A... from the story line to the title. :)

Someone recently asked for a list of links to learn more about the C&A processes. This list was created by Jeffrey Widom. (Thank you Jeffrey.) 

Jeffrey Widom's Top Ten List — IA Resources Online

10. DoD IA Training 
Online training provided by the Defense Information Systems Agency; includes a brief DIACAP overview.
9. DSS
Defense Security Service web site for the National Industrial Security Program. This information mostly concerns contractors handling clearances, classified documents, and/or classified computer systems on their premises.
8. DISA (NIPRnet/SIPRnet) 
Defense Information Systems Agency web site for the Secret Internet Protocol Router Network (SIPRNet) and Non-classified Internet Protocol Router Network (NIPRNet) connection approval processes.
7. CNSS 
Web site for the Committee on National Security Systems, including numerous publications. CNSS Instruction 4009, the National Information Assurance Glossary, was recently revised and is available for download. CNSS Instruction 1253 provides requirements for National Security Systems.
6. OMB Memoranda 
Web site for Office of Management and Budget (OMB) Memoranda, including those that address security, privacy and FISMA requirements.
5. STIGs 
Defense Information Systems Agency web site for Security Technical Implementation Guides (STIGs), Security Checklists, and Security Readiness Review (SRR) scripts. STIGs contain detailed configuration guidance for operating systems, databases, web servers, wireless systems, etc., and are mandatory for all DoD information systems. SRR scripts are automated tools that assist in validating STIG compliance.
4. DIACAP Knowledge Service 
Official Department of Defense web site for DIACAP. Common Access Card (or commercial certificate and DoD employee sponsor) required for access.
3. DoD Directives
Official Department of Defense web site for DoD Issuances including Directives, Instructions, Publications, Administrative Instructions, and Directive-Type Instructions.
2. FIPS
Official NIST web site for Federal Information Processing Standards (FIPS). FIPS Publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
1. NIST Special Publications
Official NIST web site for Special Publications. Special Publications in the 800 series present documents of general interest to the computer security community. Special Publications include documentation of the new Risk Management Framework (RMF) that will (hopefully) become the standard for all federal information systems.

Tuesday, February 7, 2012

Cloud Security Alliance: Consensus Assessment Initiative Questionnaire

Last year I reviewed the Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA-CAIQ). I've posted the enhanced version of that effort which includes a database import tab on the CAC Google Site.

There are two reasons for this post. 
The first is that I'm reminded of the importance of context and seamless integration. When I reviewed the materials, I approached them from the singular perspective of the CSA-CAIQ spreadsheet contents, trusting full alignment with the associated Cloud Controls Matrix (CCM). The end result is a slight and subtle misalignment between the intent of the controls and the questions used to determine compliance. This is one of the challenges with parallel efforts. It can and will be fixed in the coming months... that's not the point. The point - and lesson learned - is trust but verify. I should have spot checked the questions to make sure they line up accurately with the intent of the control. Don't tell me you've never done this...

The second reason for this post is the fast pace of changing control requirements and the mild frustration of accurate mapping. I want to discuss a review I performed covering the alignment between FedRAMP and the CSA Cloud Controls Matrix. Because of work I'm doing with Federal right now, I chose the FedRAMP baseline controls. Here is a list of differences between FedRAMP LOW, FedRAMP MOD, and the control alignment in the current version of the Cloud Controls Matrix. Note that the control alignment in the CSA-CCM assumes FedRAMP MOD, which may or may not be appropriate for your organization.

Now there are two lessons. 
The first lesson, to remember or to learn... is how important it is to understand the standard, your data, your risk, and how to review the standard's source to know what controls apply to your situation. Know the difference between LOW and MOD. Barring required compliance mandates, the goal isn't to blindly implement controls. The goal is to implement controls commensurate with the value of the data.

The second lesson? Trust but verify. It was probably accurate when the matrix was posted... but things change. Standards evolve and finalize.

Missing Controls: 
These controls exist in FedRAMP MOD (and LOW*) baseline but do not exist in the CSA-CCM.

AC-7*; AC-10; SC-15*; SC-30; SC-32

Extra Controls: 
These controls exist in the CSA-CCM but do not exist in the FedRAMP MOD baseline. All of the controls in the LOW baseline exist in the MOD baseline... the MOD (moderate) baseline is the more restrictive set, so a control absent from MOD is absent from LOW as well. Put differently, these are suggested in the CSA-CCM as required FedRAMP controls, but they are not.

AT-5, PM-1, PM-5, CM-04, AU-13, PE-19, SC-28(1), MP-8, PM-9, PE-2(1), PM-2, PM-3, PM-4, PM-6, PM-7, PM-8, PM-10, PM-11, AC-18(3), AC-18(4), AC-18(5), SC-16, AC-21, AU-14, SC-24, SC-3, PL-2(2), SA-13, PE-14(1), PE-11(1), SC-18(4) 
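The "trust but verify" spot check above is mechanical enough to script. The following is an added example, not code from this post, the CSA, or FedRAMP: it normalizes control identifiers as they come out of a spreadsheet (leading zeros such as "CM-04", spacing before enhancement numbers such as "SC-28 (1)"), then computes the "missing" and "extra" sets against a MOD baseline, starring the missing controls that also sit in LOW, in the same notation used in the lists above. The three control lists embedded in it are constructed toy excerpts for demonstration; they are not the real FedRAMP LOW/MOD baselines or the real CSA-CCM mapping, so substitute the real lists pasted from the source documents.

```python
import re

# Matches a NIST SP 800-53 style control identifier such as "AC-7", "CM-04",
# "SC-28(1)" or "SC-28 (1)"; leading zeros and surrounding spaces are tolerated.
_CTRL = re.compile(r"^\s*([A-Z]{2})-0*(\d+)\s*(?:\((\d+)\))?\s*$")


def normalize(ctrl: str) -> str:
    """Canonical form of one control ID: 'CM-04' -> 'CM-4', 'SC-28 (1)' -> 'SC-28(1)'."""
    m = _CTRL.match(ctrl)
    if not m:
        raise ValueError(f"unrecognised control id: {ctrl!r}")
    family, number, enhancement = m.groups()
    base = f"{family}-{int(number)}"
    return f"{base}({int(enhancement)})" if enhancement else base


def parse_controls(text: str) -> set:
    """Split a comma- or semicolon-separated list (as pasted from a spreadsheet)."""
    return {normalize(tok) for tok in re.split(r"[;,]", text) if tok.strip()}


def _sort_key(ctrl: str):
    # Order by family, then control number, then enhancement number.
    family, number, enhancement = _CTRL.match(ctrl.rstrip("*")).groups()
    return (family, int(number), int(enhancement or 0))


def base_of(ctrl: str) -> str:
    """'SC-28(1)' -> 'SC-28'; a base control is returned unchanged."""
    return ctrl.split("(")[0]


def alignment_report(low_text: str, mod_text: str, mapping_text: str) -> dict:
    """Compare a control mapping (e.g. a CCM column) against MOD and LOW baselines.

    missing          : in the MOD baseline but absent from the mapping; a trailing
                       '*' marks controls that are also in the LOW baseline.
    extra            : in the mapping but not in the MOD baseline.
    enhancement_only : subset of 'extra' whose base control *is* in the baseline,
                       i.e. only the enhancement is not required.
    """
    low, mod, mapping = (parse_controls(t) for t in (low_text, mod_text, mapping_text))
    if not low <= mod:
        # LOW is meant to be a subset of MOD; anything else means a bad paste.
        raise ValueError(f"LOW controls not in MOD: {sorted(low - mod, key=_sort_key)}")
    missing = sorted(mod - mapping, key=_sort_key)
    extra = sorted(mapping - mod, key=_sort_key)
    return {
        "missing": [c + "*" if c in low else c for c in missing],
        "extra": extra,
        "enhancement_only": [c for c in extra if "(" in c and base_of(c) in mod],
    }


# Constructed toy excerpts for demonstration only; they are NOT the real FedRAMP
# LOW/MOD baselines or the real CSA-CCM mapping.
LOW_SAMPLE = "AC-2, AC-7, SC-15, SC-28"
MOD_SAMPLE = "AC-2, AC-7, AC-10, SC-15, SC-28, SC-30, SC-32"
CCM_SAMPLE = "AC-02; AC-10; SC-28 (1); CM-04; PM-1; SC-28"

if __name__ == "__main__":
    for section, controls in alignment_report(LOW_SAMPLE, MOD_SAMPLE, CCM_SAMPLE).items():
        print(f"{section}: {', '.join(controls) or '(none)'}")
```

The "enhancement_only" bucket is worth keeping separate when you read the output: an enhancement like SC-28(1) showing up as extra does not mean SC-28 itself is unmapped, only that the baseline does not require that particular enhancement. The subset check on LOW versus MOD is there because a paste that fails it is a sign you grabbed the wrong column or the wrong revision of the baseline, which is exactly the "things change" problem described above.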

[UPDATE]: The extended team is in the planning stages for CSA-CCM v1.3.