How do you dictate common sense?  That’s the real heart of the problem that people who build compliance frameworks have to struggle with.  You can’t force people to do the right thing when the right thing is not easily definable.

This is why I’m convinced that compliance just doesn’t work for what we are trying to get it to do in the information security world.  You run the risks of either leaving too many loopholes that people can get through too easily, or you end up dictating the solution for people with no flexibility.

About the only way where compliance makes sense is in a very limited scope in much the same way you would use a SLA with an external vendor.  In this case, the compliance rules or a similar SLA are a compensating control for the risk to the buyer.

• The Vendors are Already Jumping on the 07-11 Bandwagon
• In Search of a Better Catalog of Controls
• Core Belief #4 — Compliance is a Dead-End
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Cloud Computing and the Government

JD Meier wrote today about not saving the worst parts until last, and it reminded me of Meals Ready to Eat (MREs).  I should probably lay claim to being the Northern Virginia Master of Obscurisms right now while I have your attention, but let me elaborate for a minute.

A case of MREs is 12 individual meals.  That means that one person can, by the book, live off one case of MREs for 4 days assuming that they eat 3 times/day.  That’s a little excessive, since most people can only eat 2/day because of time constraints.

Inside a case of MREs, there are 12 individual meals.  Some are decent, like spaghetti or tuna with noodles.  Some are not, like omelette with ham or corned beef hash.  Keep this in mind, we’ll be using this little kernel of knowledge later.

So imagine this:  You’re out in the woods for 2 weeks with just your 5-member team and your MREs.  Let’s do the math on what you’re eating:

5 people x 14 days x 2 meals per day = 140 individual MREs or roughly 12 cases.

Now inside each case of MREs there are 2 foul-tasting MREs (omelette and CBH), which means 24 of them total.  If the muldoons eat their favorite MREs first and work down the cases in order of most favorite to least favorite, then the last 3 days we are eating nothing but omelette and corned beef hash, and after being in the woods for 2 weeks, I just can’t bear it anymore.

Bad news does not get better with age.  Neither does the MRE selection!

Moral of this story:  Take the MRE that I throw at you and don’t read what the label says, it’s the luck of the draw.

Secondary moral of this story:  You can’t store up badness and expect to tackle it later.  You have to take it as it comes.

Tertiary moral of this story:  Don’t join the army or work in IT. =)

• Bad Security People
• Cult Crossovers Into Information Security
• When the News Breaks, We Fix it…
• Core Belief #3 — Learn Something from the Cavalry
• MOUT and Risk Management

Our government hasn’t had a ton of time to get their act together.  It’s only been 225 years, give or take, and in that time, we might have learned a thing or two.

So why is it that it took us this long before we could get one agency to recognize the clearances from another agency?  Even though OMB keeps trying to unify the clearance management systems, as a managed service provider I still have to convince every new client that I’m trustworthy because I have a DoD Top Secret.
So what’s the benefit?  Well, from my angle, one unified clearance system means economy of scale simply by avoiding a “Not Invented Here” attitude.  If I have 5 clients, 100 employees, and $5000 per person for a clearance, the savings add up really quickly if I just have to clear people once.

Now the strange thing is that by agencies having their own individual clearance system, we are creating an artificial scarcity of cleared people.  For somebody with a TS/SCI, starting salary in the DC area is around $80K/year, simply because of lack of supply.  That’s an indirect cost that we could avoid.

• Tangling with the Clearance Monsters
• Lines of Business, Relationships, and Trustability
• Feds to Embrace SaaS, End is Nigh for Security!
• Compensating Controls
• The Guerilla’s Guide to Piggybacking

OK, everybody take a deep breath and have a seat.  I’m going to tell you something that is either so obvious to you that you’ll pass out laughing or is so unethical to you that you are going to have an aneurysm and the cops will come beating down my door asking why you died looking at my blog.

So here it is:

When it comes to outsourcing, you cannot own all of the system, even if it’s in your contract.

Let me say that another way:  although you require the contractor to be compliant with FISMA and NIST standards and guidelines and your information security policy and anything else you feel necessary to bind them to, there will be a part of the contract that you are paying money for as a service that will be out of your Certification and Accreditation boundary and that you will not be able to control.

Calmed down yet?  Let me explain what I mean.

For example, consider the circuits that the telcos run to your facilities.  You don’t want to manage them both from a capabilities standpoint and from a risk management standpoint.  If you go and try to manage “your” circuits, and they break, then you have no recourse with the vendor–you have accepted the risk in their eyes.
Quite a few agencies nowadays use MPLS.  You don’t even need to know what the acronym means.  You just need to know that it’s a virtual private Internet that is owned and operated by the telcos.  You can take all your facilities, give them circuits to the MPLS cloud, and you have all the good redundancy of paths that the Internet provides, but in a more-controlled environment.  Deep down inside, you don’t really care how the cloud gets managed, you care that data that enters one end eventually makes it out the other end.
Now you’re contracting for server collocation with a vendor who provides you rackspace in their data center.  They have 20 different agencies with equipment in the data center.  The vendor maintains a common controls package that you now have to rely on for assurance.

Or you have contracted a vendor for end-user support, ie, on-site IT technicians.  These people need to be able to share trouble-ticket information with both people inside their company and the government agency that they support and to interface the trouble-ticket system with their billing, staffing, and cost systems.  Looking at all the requirements for a trouble-ticket system like this, about the only viable way to do it right is to have it on the vendor’s network and accessible from the government LAN/WAN.

I’ve talked to numerous people on how to manage these shared environments.  One Big 4 auditing firm told me that what I needed to do was to determine which agency had the majority of their data on the shared system.  They then would “own” the system with management of the system being a collaborative effort between all the agencies.

I had to wonder, what kind of crack was this guy smoking?  Seriously, most of the time I can’t get people in the same agency to agree with each other, much less people from different agencies with different missions and different risk cultures.  There is bound to be disagreement over how the system is run, with the end result is that the system will not be provided adequate security because it is bogged down in bureaucracy.

Yes, this is what the Lines of Business initiative will provide once it’s working, but even then, you have the same considerations.  Who really owns the various components of the system?

The thing to remember is that the vendors use shared systems because they work–this is the model that commercial providers use whether they tell you or not.  They also provide a significant cost savings to the government through economy of scale.  Inside our NOC, if we have 5 clients, wouldn’t it be nice (not to mention cheaper) to watch one screen instead of 5?  Let’s see, $14000 times 4 equals a nice chunk of currency that I just saved and can carry through to the client.  Beyond 5, and my business doesn’t scale–I can’t have 20 screens to watch, and I can’t afford to hire enough people to watch them all.  This goes the same for data centers, trouble ticket queues, security incident and event monitoring infrastructure, network monitoring systems–the list goes on and on.

I have basic architectural principles I use everyday at work as a managed services provider.  One of the most key principles is segregation of impact: that one client cannot be allowed to affect the service that I provide to another client.  I don’t let all 20 of them make decisions that affect you, and in exchange, I don’t let you affect them.  It’s really how people have coexisted with each other for bazillions of years, only now we’re talking IT security, which gets everybody’s heart pumping.

Part of this principle of segregation of impact means that I have some parts of my service offerings that I can’t give to the government from a boundary perspective.  Because if I do that, then I will have clients managing each other’s space.  It’s not only wrong from a service provider’s standpoint, but somewhere in there, I’ve double-charged the government for services.

The second principle that I use is that of transparency.  I tell you how I do it.  I manage the shared systems just like they are a government system, only I own them.  Our security policy executive statement states that we will meet or exceed government security requirements, keeping in mind that we are not a government agency, so some of the requirements don’t apply to us (reporting to OMB and the government style of CPIC in particular).  However, I do security planning, risk management, contingency planning, all the key points that the government does.

On the government side, what they get is a fairly simple risk management decision:  do we do it ourselfves with whatever costs it entails, do we keep the cost savings of the shared systems and give up some control, or do we want to pay more for something that we now “own”?  That really is the best of both worlds, because the government can determine which option they want based on cost/benefit/risk comparisons.

By providing transparency, I make that decision much easier.

The third principle is transference.  By providing a shared service attached to a service-level agreement (this works very well for the telco examples), the government has effectively transfered the risk to me as a vendor.  The problem is that SLAs for a very complicated outsourcing engagement are harder to define due to the complexity of the solution.  The other caveat is that the government still bears ultimate responsibility when things go wrong, so you still have a certain amount of residual risk.

Notice what I didn’t explicitly say here, but I did describe it in detail… we use compensating controls to manage the risk of the shared infrastructure from the perspective of the government.  That’s the only viable way to manage the risk of outsourcing.

The lastest revision of Special Publication 800-53 talks about this in section 2.4.  Sadly, though, most people don’t read that part.  They usually get to the catalog of controls and start making a checklist out of it.  However, if you are doing any kind of outsourcing in the US government, you need to read and re-read that section.

• Lines of Business, Relationships, and Trustability
• How Much Security Should the Outsourcer Do?
• Always Behind
• Effective Inventory Management
• Feds to Embrace SaaS, End is Nigh for Security!

OK, this is cute.  Demotivator poster on the Aqua Teen Hunger Force Bomb Scare.  “If it’s not an American flag, it’s probably a bomb”.

• Julie Amero Backlash Reaches Mass Media
• My Stalking Spammers
• Enterprise !== Managed Service Provider
• More Vendor Craziness
• My Favorite Conspiracy Theory

Over the next week, I will be doing a blog theme on outsourcing in the US Government and my thoughts on how to effectively manage the security concerns associated with it.  This, of course, dashed with the usual dry wit that people have come to appreciate, or not, as the case may be. =)

For non-government outsourcing, I recommend keeping an eye on the ISM-Community outsourcing forum.  You can even read about myself and kimonos there.

• You Didn’t Outsource Your Responsibilities
• Keys to the Outsourcing Kingdom
• How Much Security Should the Outsourcer Do?
• Compensating Controls
• C&A Seminar, October 15th and 16th