Archive for the “General” Category

If you are involved in the Federal Government or servicing the Federal Government you will want to get up to speed on the latest revision of the security control set contained in NIST Special Publication 800-53 Rev 3. 

Hear from Dr. Ron Ross directly concerning the new changes and how they will come into play in the coming year.

I will probably not be speaking at this seminar directly but am involved in the development of the material. I’m working hard to make sure the material is relevant and allows you to take it back and put it into practice immediately.

The details are as follows:

New NIST Security Controls:
NIST Special Publication 800-53 Rev 3
Training Workshop for Government & Industry

Recommended Security Controls for Federal Information Systems and Organizations
Implementing the New NIST Unified Controls for the Civilian, DoD and Intelligence Agencies

September 15, 2009
Willard InterContinental Hotel, Washington, D.C.

Analysis and Discussion of the New Revision 3 of NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations (the new 800-53 R3 integrates Intelligence, DoD and Civilian Government controls)

Keynote Speaker and Overview of NIST SP 800-53 r3:
Dr. Ron Ross, Project Leader, Joint Task Force Transformation Initiative Interagency Working Group, and Leader, FISMA Team, Computer Security Division, NIST

Learn about Civilian, DoD and Intelligence Community collaboration on the new controls: what is new, what has changed, and what YOU need to know to implement the new controls, and why.

  What you will learn

  • The background and need for a Unified Information Security Framework
  • The organizational responsibilities set forth in NIST 800-53 Revision 3
  • How new, changed and withdrawn security controls in NIST SP 800-53 Revision 3 will affect your organization
  • How to select and apply NIST 800-53 controls across the enterprise, in external environments, and in legacy systems
  • How to tailor and scope security controls for your environment
  • How security controls fit into an organizational perspective on risk management
  • How to use the new recommended “Priority Code” assigned to all NIST SP 800-53 security controls
  • How to implement the new Program Management controls
  • Perspectives from both the Defense and Intelligence Communities. 

Practical Training from the Recognized Leader in Government IT Security and FISMA Training
Our 6th Year of C&A, FISMA and Government Security Training


I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.

This post started out as my commentary on two recent articles that appeared in CSO Magazine concerning the data breach at Heartland Payment Systems (“Heartland CEO on Data Breach: QSAs Let Us Down” and “SQL Injection Attacks Lead to Heartland, Hannaford Breaches.”) 

Now what I do to write these posts is basically sit down and let it just flow out of me. I then go back and do a little cleanup as needed. Sometimes the cleanup needed is so much that I just trash the post. Other times I realize that a concept that came up late in the post is really what the post should have been about in the first place. That is the case this time. So I’ve basically thrown out three quarters of the pontificating (which you really didn’t want to hear anyway) and focused on the analogy that information security is much like professional cooking. As I put this together I glanced down at the word count and realized that this was growing to be much more than the simple post that I initially envisioned. So what I’ll do is break it up into a few parts to try and get my point across. Let me know if I was successful.

How did I come up with this analogy?  Well it was mainly sparked by a comment made by Heartland CEO Robert Carr in the first article mentioned above.  That comment was:

“The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

In this first part I’m going to set up the analogy and then dive into it within the subsequent posts. 

While I’ve been critical of some of the statements that Mr. Carr has made in the past I basically think that he has done a great job in responding to the crisis his company is in.  True he may have been forced into this response by circumstances but I’m not going to look a gift horse in the mouth.  A CEO of a major corporation has finally come to realize the importance of information security in the daily operations of his company.  However you look at it that is a good thing.  That he has become proactive in advancing our cause is an even better thing. 

What concerns me though is Mr. Carr’s statement.  He may be doing the right thing but I don’t want him to do it for the wrong reason because in the end it won’t help us out, it may even hurt us. 

You see Mr. Carr’s statement smacks of “missing the forest for the trees.”  He seems to understand that he must do something but doesn’t really understand the real reason behind it.  So this is my effort to try and shed some light onto the subject.  Will Mr. Carr ever read this?  Who knows but that really isn’t important as long as this helps someone.  So if this makes sense and you want to use it go right ahead.  (Just give me credit in some way.)

Let me take a stab at reconciling the issue. The QSAs didn’t necessarily fail. They audited to a known and accepted standard. PCI DSS didn’t even necessarily fail; it is what it is, a standard. What failed you was the commonly held assumption that compliance equals security.

When push comes to shove, SQL injection has been around for a long time, so the fact that systems are still regularly found to have input validation issues is surprising. Since we can’t blame the QSAs, should we blame the developers? We could, but again we’d be missing the forest for the trees. These are but symptoms of the problem. How do we get at the problem? In trying to get a handle on this I’ll try my hand at a little analogy: that information security is a lot like professional cooking. I’ll illustrate this by first focusing on how recipes are a lot like standards (Part Two) and then I’ll move on to broaden the image by relating what we do in information security to working in a professional kitchen.


Get involved in the National Dialogue on the Quadrennial Homeland Security Review.  Go to http://www.homelandsecuritydialogue.org/


I wanted everyone to know that the audio version of “Into the Breach: Protect your Business by Managing People, Information, and Risk” has just been released. I reviewed the hardcopy version back in March and was just sent the brand new audio version. If you are anything like me there is always too much to read, so it is nice to have a version that I can listen to on the way to the airport or at other times when reading isn’t an option. The audio version has a smooth, clean, professional feel to it. Michael Santarcangelo reads the book himself and, unlike most authors, Michael is a professional speaker. That means the awkward pauses or monotone cadence often present in author-read books aren’t there. Michael comes across as if he is sitting next to you explaining the process. The audio version is very well done and an excellent complement to the written version.

Check out a snippet of the audio version of the book at:
http://www.securitycatalyst.com/innovation/security-catalyst-podcast/


Just wanted everyone to know that I’ll be teaching a new seminar on Cybersecurity July 16th at the Willard InterContinental in Washington DC. The class is aimed at government executives, managers, and system owners rather than folks in the security industry (though I’d love to see you guys and gals there as well).

We’ll be defining Cybersecurity, discussing the various threats, discussing the pertinent federal regulations, and discussing the Cyberspace Policy Report that was just released by the White House. 

If you work for or support government and know someone who may benefit from this seminar please forward them the following link:

Cybersecurity for New Government Executives, Managers, and System Owners  (www.potomacforum.org/?view=308)

I look forward to seeing you there!
