Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…
By Kathryn M. Farrish, CISSP Security Technical Implementation Guides (STIGs) are published periodically by the Defense Information Systems Agency (DISA). STIGs contain very detailed lists of security settings for commonly used IT system components, such as operating systems, database management systems, web servers, network devices, etc. Compliance with applicable STIGs is one of the key…
Article by Annette Leonard The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http:// iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated…
Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward (System Owner):“Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?” Christine (ISSM): “Yes, sir, I have. Our system has been categorized as “Moderate -Moderate-Moderate (M-M-M)”.…
By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…
By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an…
TrainPlus! POST TRAINING SUPPORT RMF education doesn’t just stop when the training class is over. That’s why we offer TrainPlus!, a RMF Q&A follow-up session. Designed specifically for students who’ve previously attended an IT Dojo RMF training class, TrainPlus! is delivered via a monthly, 60-minute, conference call at no charge. Whether the training experience has been online, onsite or…
We have just added a course date for the Information Security Continuous Monitoring training that is coming up this fall (September 22 – 24, 2015). Information Security Continuous Monitoring (three days) covers roles and responsibilities, establishment and implementation of the ISCM strategy, analysis and reporting of findings, and program review in accordance with NIST Special Publication…