“Come Talk to Me First”

Posted July 16th, 2007 by

“…so that I can tell you which security things you do not have to do.”

There are so many rules that security people deal with on a daily basis; the best part about taking a risk-based approach to security is that you know where you can ignore/cheat/circumvent/write “N/A” on them. That’s why I like the engineers to let me know when they’re starting a big project.

If you’re stuck denying projects at the last point possible, at the point of implementation, then you’re way too late. Security involvement in projects should start before they even get funded (i.e., during feasibility studies and requirements definition) so that we can get in our abbreviated list of needs and requirements.

Just like salmon, good security managers know how to “swim upstream to spawn”.

Posted in Risk Management, The Guerilla CISO | 3 Comments »

Security Controls You Won’t See in SP 800-53

Posted July 11th, 2007 by

Going back through my email makes me laugh.  As crazy as I probably seem to my blog readers, there are things that I can’t really share with the world.  This is not one of them, but it could be offensive to some people, so rest assured I’m joking, people.   =)

PS-9 Stalinistic Purge of the IT Department
Control:
The organization: (i) conducts periodic arrests and interrogations on any member of its staff deemed to have “significant security responsibility”; and (ii) asks personnel being interrogated to name three (3) of their accomplices.

Supplemental Guidance:
Geeks are like peasant-workers.  You have to intimidate them at periodic intervals so that they don’t think they can take over the business functions of your organization.

Control Enhancements:
(1) The organization establishes a “show trial” system to publicly humiliate personnel being interrogated as a deterrent to other personnel who might be considering challenging the management structure.
(2) The organization hoists the heads of those found guilty of “crimes against the organization” on a pike at the entrance to the organization’s headquarters or data center.

Low: PS-9  Moderate: PS-9(1)  High: PS-9(1)(2)

Posted in FISMA, The Guerilla CISO | 2 Comments »

More Vendor Spam

Posted July 11th, 2007 by

Goodie, more security vendor spam today. Do people really think that spamming security people with security products actually works?  I almost always get spam on two types of products:  compliance tools and hard drive encryption solutions.  Makes me think that maybe this segment of the marketplace isn’t the most honest around, which poses problems in an industry based on personal integrity.

Dear Rybolov,

This message is meant for your information security and compliance team, and discusses enterprise strategies for encrypting laptop hard drives and controlling usage of removable storage devices, including USB drives, iPods, PDAs and smartphones. Please feel free to forward it as appropriate.

Increased usage of laptops and devices has extended the security perimeter of your organization. They allow sensitive information to leak out, unauthorized files to flow in, and are very often misplaced, lost or stolen. The good news is there are now solutions available for enterprises to centrally manage, control and encrypt these devices.

My name is <withheld> with <withheld>, an IT security firm specializing in data lifecycle security. Recently, some of the largest financial, healthcare, and government organizations in the U.S. have implemented solutions for encrypting hard drives and controlling removable storage devices.

Please review our website for more information: <withheld>. I am also able to schedule technical demonstrations for the appropriate individuals on your security team.

Thank you for your attention to this matter and I look forward to hearing from you soon.

Sincerely,

<withheld>

Posted in The Guerilla CISO | No Comments »

Power Outages Do Happen

Posted July 10th, 2007 by

Finally had one today. It was great. The generators kicked on. The building-wide UPS worked. The NOC and SOC still had power. The other working areas ran out of AC, power, and people before I got there.  No problem, the engineers can go elsewhere to work as long as the operations people still have what they need.

Before you ask, no I didn’t create the problem as a BOFH DR test, and the outage did not occur immediately after a line like “so, what does this big, shiny, red button labeled ‘EPO’ really do?”.  =)

Posted in Risk Management, The Guerilla CISO | 5 Comments »

CISO’s “Book of Death” for June 22nd

Posted June 23rd, 2007 by

I just posted my most recent update to my CISO’s “Book of Death” as a file on ISM-Community. It’s just a collection of spreadsheets I’ve used over the past year or so.

As usual, you can throw me questions, comments, or war stories. I especially like to hear where and how you’re using any of the spreadsheets or what doesn’t work for you, and I added a front sheet in this version with contact information for me so you could reach me.

Original “Book of Death” is here.

Posted in ISM-Community, The Guerilla CISO, What Works | No Comments »

Secret Lives of the Cleaning Crew

Posted June 19th, 2007 by

About 6 months ago, I had a fantastic run-in with the cleaning crew in my building.  I was doing an early-morning data center visit to see what kind of activity was going on.  While I was going through the mantrap, the cleaning crew was coming out.  Some immediate observations:

  • What are they doing unescorted in the data center?
  • Who let them in?
  • Holy Cr*p, they have a mop bucket full of water!!!!!11111oneoneone

Whenever I deal with the cleaning crew, I always feel linguistically-challenged.  If they spoke Russian, then we could deal, but I am blissfully ignorant when it comes to Spanish (see, I have a mild chink in my armor =)    ).

Anyway, I tried to explain to them that the electricity runs under the floor and that it’s just not safe for them to be mopping the floor with a wet mop, but the language barrier killed it. In the end, I gave up and just told their supervisor that they shouldn’t go in the data center.

Then I tracked down the guy who let them in unescorted.  Some choice words were exchanged, I’ll leave it at that. =)

Posted in The Guerilla CISO | 4 Comments »