Thursday, April 26, 2012

Getting Comfortable... ??

Now more than ever it's important to improve your technical, professional, and soft skills. The landscape is more competitive than ever, and the technologies shaping our world are evolving more quickly than at any other point in history.  This isn't a time to get comfortable with your knowledge set. Take the time to invest in yourself and reap the benefits.

Watch a Video!
Quickest way to get up to speed on a number of technologies? YouTube. Check it out! Seriously. For example, check out Chad Sakac's videos at

Attend a Webcast!
Maybe you missed one? Want to check out topics that have presented before? Check out

Try Hands on Labs!
Hands on Labs are growing in popularity because cloud platforms make them easier to manage and let them be reset instantly: the resources someone else just finished with are released and handed to you as a baby-powder-fresh clean slate for your learning pleasure.

Grab a book!
This is the list of books I've been giving students for years. Full disclosure - two of these are mine. They were written to give IT professionals a kickstart with a different skillset.

Wednesday, April 11, 2012

SP800-53A(3) Mapped to HIPAA

I reviewed NIST SP 800-66(R1) An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. I've posted the enhanced version of that effort which includes additional links to VMware, Cisco, EMC, and RSA healthcare portals.  Download the spreadsheet under the Documents tab.

I reverse mapped HIPAA to SP800-53A(3) controls based on SP800-66 guidance. 800-53A controls that have been withdrawn were remapped to their specified replacement controls. Ping me if you have any questions. This is not enough to stand on its own - you need additional guidance in order to appropriately implement the HIPAA Security Rule - BUT it is an interesting look at the similarities in controls across authorities.

Tuesday, April 3, 2012

The Psychology of Acceptable Risk

Let's keep this simple.
Consider residual risk and acceptable risk. Controls are put in place to address known and unknown risk. Whatever risk remains after those controls is called Residual Risk. If it's not small enough, you add more controls until it reaches a level you are willing to accept. The threshold for the amount of risk you are willing to live with is called Acceptable Risk. Now that that's covered, note the relationship between assurance and acceptable risk.
Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application.
(NIST SP 800-37 and SP 800-53A)
What influences your risk tolerance? 
There are lots of interesting angles here. Think about this for a minute. What is it about an environment, a product or solution, that builds enough confidence that you are willing to accept the residual risk and place it into operation?

Can a vendor affect how much risk you are willing to accept?
I believe the answer is, quite simply, yes. What other influential factors affect how you feel about a product or solution? Is it *right* that security can be subjective? Certainly, there are additional measures that build your confidence in a particular system, such as third party reviews, configuration to *someone's* best practices, penetration testing, or borrowing trust from another system's ability to manage the new system's risk. We often tell others that you have to meet a certain stringent, concrete standard to be considered secure. Well, yes, that's right, but there's also the influence of a vendor's history, reputation, communications, sales team, support, engineers, and more that drives your trust in a product or solution to meet your needs.

Where did this come from? 
I thought about this while walking the floor of RSA several weeks ago. It was interesting how much credibility I gave certain products because of their track record, without any real experience with a particular platform. My biases crept into the picture, thinking about how company "X" *always* seems to deliver sub-par solutions, and company "Y" always seems to deliver results. Even if testing of X demonstrated marked gains, my gut is to hesitate and prefer the trusted partner to "get it right".