Top Ten—Data Breaches that Made the News

By Annette Leonard Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information. Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the…

Common Controls and Inheritance

By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable  by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…

Security Control Spotlight—Privacy Overlay

By Lon J. Berman, CISSP According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and supplemental guidance derived from the application of tailoring guidance to security control baselines”. The intent is to streamline the process of developing a security control set for specific communities of interest. The Committee on National Security Systems (CNSS) website, www.cnss.gov,…

System Categorization-Take the Time to Get it Right

By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an…

DIACAP Says “So Long”

On March 12, 2014 the DoD released a new policy that makes it official that the DoD Information Assurance Certification and Accreditation Process (DIACAP) is being put to bed in favor of a “new” Risk Management Framework (RMF).  The news is not a revelation as it has been in the works for a few years…

DoD Transition to RMF Imminent—Will You Be Ready?

By Lon J. Berman, CISSP For quite some time, it’s been well known that DoD would be making a transition from the legacy DIACAP Certification and Accreditation (C&A) Program to the Risk Management Framework (RMF). This transition is part of a broader effort to bring all Executive Branch departments and agencies … including DoD, the intelligence community and all “civil” departments/agencies … into a…