Posted February 21st, 2008 by rybolov
Yes, audit risks are real risks, they’re just risks to the individuals building the controls. This might or might not coincide with the risks to the data, IT system, or the business mission.
Takes me back to the question Curphey asked years ago: Do you think people care about compliance, or do they care more about not being caught out of compliance? It’s a very simple question, but I keep circling around to it from different angles.
Posted in Rants | 1 Comment »
Posted February 20th, 2008 by rybolov
OK, so I bought an Outcast Fish Cat 10 IR pontoon boat last week. The killer was that I was still too sick on Saturday to take it out, so it’s been sitting fully assembled in my living room for over a week now.
But I need a name for this beast so that I can christen it with champagne. I’m opening name suggestions up to the Internet as a whole.
Some frontrunners for names so far:
- USS Insecure
- HMS Bug Bounty
- Buoyancy Compliance
- The FISMA Floater
- Cross-Lake Scripting
Posted in Flyfish, The Guerilla CISO | 8 Comments »
Posted February 20th, 2008 by rybolov
OK, so the Government Accountability Office delivered their testimony to Congress on the Government’s dismal state of security. You can get the testimony here and check out some responses here and here.
My favorite two quotes:
“Federal agencies continue to report progress in implementing key information security activities. The President’s proposed fiscal year 2009 budget for IT states that the federal government continues to improve information security performance relative to the certification and accreditation of systems and the testing of security controls and contingency plans.”
Followed by:
“An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs.”
Maybe I’m a bear of very little brain, but these sound like GAO is contradicting itself. How can things be getting better when they don’t exist? Truth be told, from a government-wide view, you have to rely on metrics to give you a picture of how things are going, but at the end of the day, they’re still just that, indicators. Of course, I haven’t worked with all 24 agencies, so maybe my worldview is pretty myopic.
Now, I don’t know about all of you, but I have yet to see an infosec program where there actually were excessive resources to get the job done. As a result, in the sane world we have to prioritize: is it worth my time and money to implement a better automated vulnerability scanning tool or mandatory drug testing for IT staff?
But here’s the rub: in a compliance-driven information security model, there is no way to prioritize what you need to get done. It all bears the same weight. In the world of GAO, if you cannot prove that a control exists, you have not implemented a security program.
We’ve talked metrics before, and this has always been one of my problems with the way the Government is doing FISMA reporting right now: if your metrics are not actionable–that is, you do not use the results to make changes–all you are doing is security management through shame.
Now, as for the things that are actually happening, I see these as some fairly good analysis of the numbers behind the numbers behind the numbers and what we’re going to see over the next couple of years:
- The Information Systems Security Line of Business: I think this is a good thing, but it has some issues that the Government needs to resolve before it becomes more than just a pet project.
- Federal Desktop Core Configuration: Fantastic idea, but the implementation is harder than OMB thinks it will be–you can’t just shake the magic FISMA wand at your LAN and think that the legacy applications will still work. Now for those of you who think FDCC is the end of it, wait for the Router Core Configuration and Server Core Configuration.
- SmartBUY: Centralized COTS buying. This is pretty happy, although it’s only tangentially related to security; it’s more of an overall IT management strategy.
- Trusted Internet Connections initiative: I like this, I really do, but implementation is a bear.
- Clarify requirements for testing and evaluating security controls: Auditors need to say this: “We could have done a better auditing job but the standard was lacking”. Yes, the standards for gathering metrics suck, but they’re getting better as we go. My opinion is that in order to evaluate security controls, you need to have a definitive set of security controls in the first place, but if you’re doing that, you’re looking at compliance and “audit risk”, not mission risk and risk to IT investments.
- Enhance FISMA reporting requirements: The standards have been evolving for 5 years and will continue to evolve. So far we’ve been gathering metrics for the sake of gathering them; now it’s time to figure out specifically what we want to know and tailor the metrics to that question.
- Consider conducting FISMA-mandated annual independent evaluations in accordance with audit standards or a common approach and framework: Um, I thought we already had this. Maybe I’m just slow-thinking today.
So, the Guerilla CISO’s takeaways from this conversation:
- If you look at the metrics and see that they are improving, what more do you want?
- Government needs to learn how to prioritize. Their metrics should support this goal.
- It’s the job of an auditor to always find something and to always CYA by spreading stories of woe and gloom. Anticipate that this will happen and don’t be outraged when it does.
Posted in FISMA, Rants, What Doesn't Work | 1 Comment »
Posted February 20th, 2008 by rybolov
Yes, I’ve been sporadic over the past month or so. Let’s just say that changing jobs, new commute patterns, buying a boat (more on that in a minute), having a case of “The Winter Blahs”, my aquatic biodiversity hardships (i.e., not having fished since October), and being horribly sick have all conspired against blogging.
Well, that’s all over now, it’s time to start spreading my own brand of cynical infosec cheer around.
Posted in Odds-n-Sods, Rants | 1 Comment »
Posted February 7th, 2008 by rybolov
I’m mulling over some ideas this week. It’s probably the death-by-CBT that being a new hire has become over the past 5 years.
I work with a ton of accountants in my new job. Obviously, they’re CPAs and Uber-CPAs, and for the most part, they’re proud of the valuable service that accountants bring to their community and to the US economy as a whole. $Deity bless them, there is no way I have the patience to do what they do on a daily basis, and from what I gather, they feel the same way about what I do. However, while learning the history of the accounting profession, I can’t help but notice a couple of things:
- CPAs have some strange ideas and a rich history; cross-training has some merit.
- Accountants are obsessed with compliance. More on this later.
- Attestation that a company has not cooked the books and is not headed into a downward Enron/Worldcom/Hindenburg-esque fiery crash is a good thing.
- Accountants highly value attestation.
- Accountants are typically weak on planning and project management (yes, making a generalization here).
- Accountants understand risk, but only qualitative dollar risks that can be measured via actuarial means.
- Accountants perform unnatural acts with spreadsheets.
- I have to be very careful when I mention the word “controls” because somewhere in there an interpreter is needed.
And then somewhere around day 3 of CBT-Hell, it dawned on me: we’re taking the models for accounting and applying them en masse to information security management. Explains quite a bit, doesn’t it?
Stop and think about the Federal government. Who is really in charge of security? Not NIST, they just write standards. The correct answer is the Office of Management and Budget (OMB) and the Government Accountability Office (GAO). In other words, the accountants and the auditors. It’s one of those things that make you go “hmmmm”.
Now, some of this is a necessary evil. Any good CISO will tell you that whoever controls the money controls the security, just ask a security manager who has had their budget taken away. As a profession, we’re tied to the economics of security just as tightly as the accountants are tied to the security of IT systems to maintain integrity of accounting systems. It’s scary when you think about it, although I don’t know if it’s scarier for them or for us. =)
There’s an obvious reason why we adopted the accounting models for security: expediency. In the typical CIO’s options of build-buy-outsource, we outsourced the creation and maintenance of our governance model to the accountants. And just like outsourcing to a managed service provider who has in turn offshored some of their operations, we might not be getting what we planned at the very beginning.
But now we’re getting to the limitations of using that model:
- For the most part, we are an industry driven by vulnerabilities and risk management.
- Accounting is driven by law and oversight boards.
- What laws we have are very broad because the laws cannot keep pace with the technology.
- Information security is not reported to oversight agencies/boards/whatever to the same level of granularity as is financial information. Imagine reporting your WSUS stats on your SEC filing.
- Even the accountants are starting to agree on a more risk-based model than a compliance model. The latest guidance from the SEC on SoX 404 called AS-5 is a step in this direction.
- IT has a higher level of acceptable risk on both an organizational and personal level than accounting.
- The accounting model is focused on audit and oversight. Typically this is at the end of development and/or annually.
- True success in information security management needs a full-SDLC approach.
So this is what I’m mulling over: we may have a need for some better tailoring of what we’re doing. What I really want is a large-scale method for security management that cuts out the parts of the accounting model that don’t work.
Not that I have an answer today, but it’s something I’m using my spare brain cycles to figure out. Who knows, maybe I’ll come full-circle and reinvent the current state. =)
Posted in NIST, Rants, Risk Management, What Doesn't Work | 3 Comments »