What? No Fish?

Posted April 9th, 2007

I’ve been slacking on the Friday Flyfish pictures; it’s been too cold to even think about fish! I’ll start adding more from a sunnier time and place.




Posted in Flyfish

How I Spent Friday

Posted April 9th, 2007

I was downtown teaching at the City Club of Washington.  It was my favorite day of the series: Security Test and Evaluation and Risk Management (SPs 800-42, 800-53A, and 800-30).

Earl Crane of ISM-Community fame jumped in at the last minute (I called him the day before) and gave a good hour’s worth of presentation on Google hacking and the government.

One thing about the Potomac Forum FISMA Fellows program that is very important to understand:  It’s only for government employees.  The only contractors present are the instructors.  That means two things:

  1. We can teach at a very surprising level of depth because we’re not training our competitors.  It leaves the instructors with a bit of a bad aftertaste when you’ve trained somebody to “eat your lunch”.  By restricting the participants to government only, I can teach people exactly how I do things and give them examples to take home in a binder.
  2. Students can talk about particular scenarios in their agency without worrying that the information will go anywhere that it’s not supposed to.  There isn’t any press allowed, and no contractors trying to profit from your misfortune (I’m the world’s worst salesman).

Notice the need in there?  Each government agency is siloed into their own little information security management world and there isn’t really a community of peers among the practitioners.  That’s the niche that the FISMA Fellows program is addressing.

Secretly (Maybe not so secretly because it’s now public knowledge), I love it when people come to my classes and then go back to their agency where they become the “this is how you do it right” gadfly.  From time to time I wonder how many people hate me, even though they haven’t met me, simply because I taught their employees how to be a royal PITA.  The smart ones don’t hate me–they keep sending more people to be trained.




Posted in FISMA, NIST, Risk Management, Speaking, Technical

Pandemic Flu Exercise

Posted April 4th, 2007

We did a very preliminary Pandemic Flu Exercise today.  Normally, I wouldn’t be too much worried about things like this when it comes to IT security during a pandemic–we just close out the lights and if the servers die, we’ll fix them after the dust has cleared.

But my organization has a difference from the average IT service provider:  we support the first responders from the US Government who need their IT systems up and running in order to get the knowledge shared and the cure to the right places when it’s needed.  It’s such a different business driver from normal that I had to pause and think it over the first time I heard it.

So today we did a partial VPN and telework test from another facility.  All told, it involved about 30 people.  In a couple of weeks, it’s “Global Work-From-Home Day”.  One lesson learned:  It’s the little things that will get you, like laptop screen real estate and network cables.

Now those of you who know me realize that I’m not that squeamish.  However, I did have a 30-second bout of panic when I thought about mass death where everyone in my apartment complex dies out in a pandemic flu.  Then I got over it. =)

Like I told my boss, it’s just like the consolidate and reorganize task that the infantryman trains on–restaff key positions and weapons systems, deal with the wounded and dead, communicate to higher, and continue the mission.  Now that I can handle.




Posted in Army, FISMA, Outsourcing, Risk Management

All Quiet on the ISM-Community Front

Posted April 4th, 2007

You would think from looking at the Discussion Forums that ISM-Community is dying.  I can confirm that, like Mark Twain, the rumors of our death are greatly exaggerated.

Right now, and nobody else knows it, I’m working on a ton of skunkworks projects to support us, including the following:

  • Informational Brochure (OK, my wife is doing most of it, but I’m editing the content)
  • Nonprofit Bylaws
  • FISMA Top 10 SWAG
  • Definitive agenda for DC Chapter meeting
  • Various politicking

So do these really warrant a full-blown project?  Not really.  But they still need to get done.




Posted in ISM-Community

Full Metal Linux

Posted April 4th, 2007

While nobody was looking (not even myself, but that’s a topic for another day), I squeezed in a new blog.  I’m now the Linux blogger for CSOOnline.  I’ll have at least one good post on security and Linux each week, and I figure that I’ll add in the content here somewhere.




Posted in Technical

I Need a Security Blog Scorecard

Posted April 4th, 2007

With all the different security blog factions being created, dissolved, and declaring jihad on each other this week, I’ve come to a conclusion:  I need a security blog scorecard to keep track of them.

So, for example, each of the following syndicates and its antithesis seems to be forming:

  • PCI Compliance
  • Risk Management
  • The P-CSO
  • NAC-Lovers
  • Alliances around a specific tool set



Posted in Odds-n-Sods
