In this blog post Lon Berman, CISSP talks about the sub-steps of the first RMF step, System Categorization. Step 1: Identify Information Types The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an…
When it comes to getting your CISSP certification, I have one important word for you: STUDY. Study in the car (preferably not while driving), study at work (taking care to not get fired), study at home, study everywhere you get a free moment. Study before training, study after training. You really cannot study too much…
By Annette Leonard Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information. Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the…
By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…
The most common question we get in regards to our RMF for DoD IT training course is this: How comprehensive is your RMF for DOD IT course? The reason I ask is that the Navy is still trying to wrap their head around RMF and how to integrate it both from an acquisitions and operational…
By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an…
TrainPlus! POST TRAINING SUPPORT RMF education doesn’t just stop when the training class is over. That’s why we offer TrainPlus!, a RMF Q&A follow-up session. Designed specifically for students who’ve previously attended an IT Dojo RMF training class, TrainPlus! is delivered via a monthly, 60-minute, conference call at no charge. Whether the training experience has been online, onsite or…
As many of you are already aware, NIST offers free online Risk Management Framework training as a resource on their website. While this is a great resource containing excellent information and should be included in your learning plan, it is not enough when it comes to preparing yourself and your staff for the transition from DIACAP…
By Lon Berman, CISSP No longer just a technical issue, instead a strategic program to manage cybersecurity risk. Targeted cyber attacks are a strategic organizational problem. Cyber attackers are more sophisticated than ever before, and it has become vitally important to understand how to manage risk and implement a continuous monitoring program. More than just…
By Lon Berman of BAI, Inc. Now that RMF is official DoD policy, every DoD system owner needs to begin planning their “transition” from DIACAP. In order to plan and execute the transition, system owners need the answers to three basic questions: What does the transition process entail? When do I need to begin the…