We knew this day was coming. On a long enough timeline, the survival rate for every algorithm drops to zero. Yes, I’m paraphrasing Tyler Durden. It’s slightly less amazing than finding a unicorn in the woods and I don’t think many will remember where they were and what they were doing on the day they…
Article By Lon J. Berman, CISSP In the last issue of RMF Today and Tomorrow, we walked through the System Categorization process step-bystep. Now that we’ve categorized our system, let’s take a look at the steps for creating a Security Control Baseline. Step 1: Create Initial Control Set Your System Categorization defines the initial set of…
With all the renewed furor over the government attempting to force Apple to backdoor iOS devices so the FBI can inspect the phone of the San Bernardino terrorists I found myself with a usual set of emotions. I have always been an advocate of limited government involvement in the lives of private citizens (i.e. approaching…
Before we start, please be sure to download ITdojo’s password entropy worksheet (MS Excel, OS X Numbers, LibreOffice Calc compatible). It’s a nice companion to this post and a useful tool later down the road. Password Entropy Calculator It’s mandated by policy. It’s a best practice for sure. And it’s nothing new to virtually all…
By Kathryn M. Farrish, CISSP Security Technical Implementation Guides (STIGs) are published periodically by the Defense Information Systems Agency (DISA). STIGs contain very detailed lists of security settings for commonly used IT system components, such as operating systems, database management systems, web servers, network devices, etc. Compliance with applicable STIGs is one of the key…
Article by Annette Leonard The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at http:// iase.disa.mil/stigs/Pages/index.aspx. STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated…
Article by Kathryn Farrish, CISSP Imagine this dialog between Edward, a System Owner, and Christine, his Information System Security Manager (ISSM): Edward (System Owner):“Now that we’ve completed our System Categorization, have you built the Security Control Baseline for our system?” Christine (ISSM): “Yes, sir, I have. Our system has been categorized as “Moderate -Moderate-Moderate (M-M-M)”.…
In this blog post Lon Berman, CISSP talks about the sub-steps of the first RMF step, System Categorization. Step 1: Identify Information Types The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an…
Why CASP Exists: A Slightly Cynical View (and no, this doesn’t mean I’m advocating the CISSP) In the world where DoD 8570.01-M (DoDD 8140) is relevant the CISSP has long been a staple for those seeking IAT Level III, IAM Level II/Level III and IASAE I and IASAE II roles. CompTIA’s CASP exam endeavors to…