Posted April 10th, 2009 by rybolov
Some of my friends (and maybe myself) will be teaching the NIST Framework for FISMA in May and June with Potomac Forum. This really is an awesome program. Some highlights:
- Attendance is limited to Government employees only so that you can talk openly with your peers.
- Be part of a cohort that trains together over the course of a month.
- The course is 5 Fridays so that you can learn something then take it back to work the next week.
- We have a Government speaker every week, from the NIST FISMA guys to agency CISOs and CIOs.
- No pitching, no marketing, no product placement (OK, maybe we’ll go through DoJ’s CSAM but only as an example of what kinds of tools are out there), no BS.
See you all there!
Posted in NIST, Speaking
Tags: 800-30 • 800-37 • 800-53 • 800-53A • 800-60 • accreditation • C&A • catalogofcontrols • categorization • certification • compliance • fdcc • fips-199 • fips-200 • fisma • gettingtogreen • government • infosec • infosharing • NIST • privacy • publicpolicy • risk • S3474 • scap • security • securitylob • seminar • speaking • tools • training
Posted September 22nd, 2008 by rybolov
The Potomac Forum crew is back at it again with a C&A seminar on the 15th and 16th. While 2 days isn’t long enough to earn your black belt at C&A-Foo, it is enough so that if you’re a solid program manager or technical lead, you’ll walk out being at least able to understand the core of the process.
As usual, some of the instructors should be familiar to my blog readers. =)
Posted in FISMA, Speaking
Tags: 800-37 • 800-53 • 800-53A • accreditation • C&A • catalogofcontrols • categorization • certification • compliance • datacentric • fips-199 • fisma • government • infosec • management • risk • security • speaking
Posted August 18th, 2008 by rybolov
While I was slaving away last week, our friends over at NIST published a new version of SP 800-60. Go check it out at the NIST Pubs Page.
Now for those of you who don’t know what 800-60 is, go check out my 3-part special: a primer on the Business Reference Model (BRM), a post on how SP 800-60 aligns FIPS-199 with the BRM, and a post on putting it all together with a catalog of controls.
And oh yeah, the obligatory press reference: Government Computer News.
So deep down inside, you have to be asking one question by now: “Why do we need SP 800-60?” Well, 800-60 does the following:
- Level-sets data criticality across the Government: Provides a frame of reference for determining criticality, i.e., if my data is more important than this but less than this, then it’s a moderate for criticality.
- Counters the tendency to rate system criticality higher than it should be: Everybody wants to rate their system as high criticality because it’s the safe choice for their career.
- Protection prioritization: Helps us point out at a national level the systems that need more protection.
- Is regulations-based: The criticality ratings reflect laws and standards. For example, Privacy Act Data is rated higher for confidentiality.
All things considered, it’s a pretty decent system for Government use.
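The mechanics behind that "more important than this but less than this" frame of reference is the FIPS 199 high-water mark applied to the provisional impact levels that SP 800-60 assigns per information type. The following is an added Python example, not code from the original post or from NIST: each information type carries a LOW/MODERATE/HIGH level for confidentiality, integrity and availability, the system inherits the highest level per objective, and the overall level (which picks the SP 800-53 baseline under FIPS 200) is the highest of the three. The `adjust` helper reflects the 800-60 rule that a provisional level may be raised or lowered only with a documented rationale, which is the hook for pushing back on reflexive "rate it HIGH" categorizations. The information types and their levels are constructed for illustration and are not taken from SP 800-60 Volume II.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Tuple

# FIPS 199 impact levels in ascending order; the index is the comparison key.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    rationale: str = ""  # non-empty only when a provisional level was adjusted

    def level(self, objective: str) -> str:
        return getattr(self, objective)


def validate(level: str) -> str:
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return level


def high_water_mark(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 aggregation: for each objective the system inherits the
    highest level of any information type it processes."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: max((validate(t.level(obj)) for t in types), key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def overall_impact(categorization: Dict[str, str]) -> str:
    """FIPS 200: the overall system impact level, which selects the SP 800-53
    LOW/MODERATE/HIGH baseline, is the highest of the three objective levels."""
    return max(categorization.values(), key=RANK.__getitem__)


def categorize(info_types: Iterable[InfoType]) -> Tuple[Dict[str, str], str]:
    cat = high_water_mark(info_types)
    return cat, overall_impact(cat)


def adjust(info_type: InfoType, objective: str, new_level: str, rationale: str) -> InfoType:
    """SP 800-60 lets the owner raise or lower a provisional level, but only
    with a documented rationale; refuse silent changes in either direction."""
    if objective not in OBJECTIVES:
        raise ValueError(f"unknown objective {objective!r}")
    if not rationale.strip():
        raise ValueError("an adjusted impact level requires a documented rationale")
    return replace(info_type, **{objective: validate(new_level), "rationale": rationale})


# Constructed sample information types (illustrative levels, not from SP 800-60 Vol. II).
PUBLIC_WEB = InfoType("public web content", "LOW", "LOW", "LOW")
PERSONNEL = InfoType("personnel records (Privacy Act)", "MODERATE", "MODERATE", "LOW")
DISPATCH = InfoType("emergency dispatch data", "LOW", "MODERATE", "HIGH")


def agency_portal() -> Tuple[Dict[str, str], str]:
    """A portal that only processes public content and Privacy Act records."""
    return categorize([PUBLIC_WEB, PERSONNEL])


def agency_portal_with_dispatch() -> Tuple[Dict[str, str], str]:
    """The same portal after one HIGH-availability type is added: a single
    information type drags the system's availability, and overall level, to HIGH."""
    return categorize([PUBLIC_WEB, PERSONNEL, DISPATCH])


if __name__ == "__main__":
    for label, fn in (("portal", agency_portal), ("portal + dispatch", agency_portal_with_dispatch)):
        cat, overall = fn()
        print(f"{label}: {cat} -> overall {overall}")
```

The second scenario is the practical lesson of the high-water mark: bolting one HIGH-availability information type onto a MODERATE system moves the whole system, and therefore the whole control baseline, to HIGH, which is exactly why system owners are tempted to split systems or argue a type down, and why 800-60 insists the argument be written down.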
Now this is where I have a bit of heartburn with GRC tools and data classification in general in the private sector: they classify the wrong things. How the vendors (not all of them, there is a ton of variation in implementation) want you to categorize your data:
- HIPAA-regulated
- PCI-DSS-regulated
- SOX-regulated
- All other data types
How your CISO needs to categorize data to keep the business afloat:
- Data that gets you paid: If you’re a business, your #1 priority is getting money. This is your billing/AR/POS data that needs to keep going.
- Data that keeps you with a product to sell over the next week: usually ERP data, the stuff whose loss slows down the production line.
- Data that people want to rip off your customers: hey, almost all the regulated data (PCI-DSS, HIPAA, etc) fits in here.
- Data where people will rip you off: i.e., your internal financial systems. Typically this is SOX country.
I guess really it comes down to the differences between compliance and risk, but in this case, one version will keep you from getting fined, the other will keep your business running.
Posted in FISMA, NIST
Tags: 800-60 • C&A • catalogofcontrols • categorization • compliance • datacentric • fips-199 • fisma • government • infosec • infosharing • management • pii • privacy • risk • security