The BSOFH On Dorky, Auditor-Friendly Policies

Posted January 16th, 2008 by

Roger writes about his workplace instituting a bag-check on a Friday afternoon. My first thought was “Gack, that’s part of the FISMA guidance? Somebody definitely was reading between the lines,” followed by, “I wonder how much miscarriage of security is conducted by people who claim to be the long-lost intellectual progeny of Ron and Marianne (Ron Ross and Marianne Swanson from NIST, work with me here).” Then I remembered my own security strangeness and laughed…

So a couple of years ago I was in a meeting between my physical security guy and an auditor from the government. I got there a couple of minutes late so I didn’t get introduced. No biggie, my guy had everything under control and had done most of the work with this auditor already. A tip-off should have been that I was the only guy in the room wearing a suit, thereby identifying myself as some kind of manager, but alas, our auditor wasn’t that bright.

But then a problem sprang up, and it all revolved around physical access policy and procedure. I had a procedure that said that all employees, contractors, and visitors will badge in EVERY time they enter the building. OK, some of you should be saying a big “DUH!” at this point, and you would be right. Anyway, the auditor didn’t like that. They wanted a specific policy line that says “When you come into the building after a fire drill, you should all badge back in.”

I watched my physical security guy try to rationalize the finding away. “We already say that here in the general procedure,” he said. He drew a Venn diagram on the whiteboard: “See, fire drill is part of ‘every’.” The auditor just wasn’t buying it.

As a last-ditch attempt, I stepped in with the classic contractor phrase: “Where does this requirement come from?” The auditor looked at me and, not taking the hint that A) I know what I’m doing, B) I teach this stuff and C) I’m the guy in the suit (you would think I was important in some way), replied “Well, it comes from NIST. You see, they have this book of requirements called 800-53 and it says that you have to have a process to badge back in after a fire drill.”

At that point, I realized the situation. Life had handed me a bozo and it was easier to write a one-line correction than it was to try to educate them on the error of their ways and ask them to show me where it says that in SP 800-53.

So my advice to Roger: One afternoon checking bags (yay, my favorite activity to do in my “spare time”!) is sometimes easier than trying to educate your auditor.

And watch out for bozos. They’ll wear you down to a nub. =)

Posted in BSOFH, FISMA, What Doesn't Work

Simple Thoughts on Simple Rocks

Posted September 18th, 2007 by

I’ve thrown rocks at children. Many children, in fact. I’m not too proud of it, but it’s something you do when you’re in Afghanistan.

In fact, contrary to what you hear about opium poppies being the #1 crop in Afghanistan, truth is it’s the #1 cash crop. There is a crop that is more prolific even than the poppies, and that crop is rocks.

Now when we would roll up into a village, we were the neatest thing to happen there since Genghis Khan. Some of these villages were so remote, they asked us if we were the Russians because last that they heard, the Russians were the invaders.

Being interesting to the locals means that you get flooded with kids. They come from everywhere. You can stop your patrol out in the middle of the desert with nobody in sight for 3 kilometers, and within 10 minutes you will be surrounded by kids. They all ask for the same thing: pens. They need them for school. The ones with more advanced English skills would say something like “I am student, give me pen”.

On one of the first long patrols that I was on, we went to one village and the kids gathered around. The adults in the village threw rocks at them to chase them away.

Needless to say, I was utterly shocked the first time I saw it. But after a couple of weeks when the initial shock wore off, I started to notice something: when the adults would pick up a rock, the kids would smile and start to do little dekes left and right as if to say “am I gonna go this way or am I gonna go the other way?”

Then it dawned on me: throwing rocks at kids is a national sport. Not much else to do out in the desert except rock-throwing.

After a month of being in-country, I started throwing my own rocks at the kids. I would throw it slow–lobbing more than anything–just to let them know that they needed to stand back a little bit.

There’s a point to this little story, and that point is that after you’ve been in Afghanistan for long enough, a rock is the solution to any problem that you have.

Case in point: you park the truck on a fairly steep slope. You’re worried that it might roll away in the middle of the night. Solution? Put a head-sized rock under the tires.

Case in point: some guy dies and you need to bury him. It’s a massive PITA to dig a grave, so what do the locals do? That’s right, they build a rock pile right there.

Case in point: You’re bored and have nothing to do. Stack rocks up to build towers. The original theory as explained to me is that the locals don’t have HBO at home, so they stack rocks.

Case in point: You need protection from bullets. Instead of digging, stack up some rocks and build a fighting position. The bonus is that it blends in with all the other rocks on the hillside.

The ultimate act of rocks-as-solutions was one of the last patrols I did. We were in an irrigated area and needed to cross a ditch. There was a bridge but it was too narrow. So we took some large rocks, dropped them into the ditch, and put one side of the truck on the bridge and the other side on the new rock bridge.

I’m still trying to figure out what IT security problems I can fix with a rock, other than the obvious “You want to do what? Film marketing material in the data center? *smack smack smack* You sure about that?” or “My level of pain is equal to your level of pain.”

And as far as the kids and their pens go, after a month of being there, we started writing back home asking for school supplies and we handed out pens, paper, and soccer balls everywhere we went. I even made a habit out of giving beanie babies to the girls and gum to the boys.

See? I’m not a total jerk. =)

Posted in Army, BSOFH, Odds-n-Sods

Yet More Security Controls You Won’t See in SP 800-53

Posted September 12th, 2007 by

MP-52 Self-Destructing RFID Implants
Control:
The organization equips all employee-integrated storage media with self-igniting RFID devices so that they can be tracked throughout any government facility and destroyed upon command.

Supplemental Guidance:
All CISOs know that the information inside their employees’ heads is the real culprit. When they get a new job, they take that information–all learned on the taxpayers’ dime–with them. This is a much bigger security risk than the data on a USB drive could ever be. Instead of denying the obvious truth, why don’t we implement security controls to minimize the impact of out-of-control employees?

Control Enhancements:
(1) The organization destroys the information inside an employee’s head when the employee leaves the organization, much like hard drives need to be degaussed before they are sent for maintenance.
Baselines: Low: MP-52 | Moderate: MP-52(1) | High: MP-52(1)

Posted in BSOFH, FISMA, NIST, The Guerilla CISO