Top Ten—Data Breaches that Made the News

By Annette Leonard Many information security incidents are newsworthy, especially when they involve compromise of personal, financial and/or medical information. Here is our “Top Ten” list of data breaches that have made the news over the past few years. While some of these compromises may have resulted from very sophisticated attack methods, others were traceable to basic lapses in good security practices—the very things the…

Common Controls and Inheritance

By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable  by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…

Security Control Spotlight—Privacy Overlay

By Lon J. Berman, CISSP According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and supplemental guidance derived from the application of tailoring guidance to security control baselines”. The intent is to streamline the process of developing a security control set for specific communities of interest. The Committee on National Security Systems (CNSS) website, www.cnss.gov,…

Top 10 Things that Will Be Staying the Same with RMF

By Lon J. Berman, CISSP BAI Consulting As DoD begins its transition from DIACAP to Risk Management Framework for DoD IT, everyone is naturally focused on all the things that will be changing—everything from terminology to documentation to security controls. Thankfully, not everything is changing! We thought it would be interesting to take a look…

RMF Documents and Resources

For your convenience, ITdojo has assembled the following collection of RMF-related government publications. Please note these are UNCLASSIFIED documents with no restrictions on usage or distribution. Laws and Executive Branch Policies Federal Information Security Management Act (FISMA)  OMB Circular A-130 Appendix III (Security of Federal Information Systems)  Federal Information Processing Standard (FIPS) Publications FIPS 199…

Top Ten—What’s “new” in RMF for DoD IT?

By Lon J. Berman, CISSP BAI Consulting Now that DoD has “officially” begun its adoption of RMF, let’s take a look at some of the things that are “new”! 10. Cybersecurity. The word “Cybersecurity” has been part of the government IT security discussion for several years, going back to a Presidential Directive in 2008. DoD has now adopted the term Cybersecurity in…

Continuous Monitoring—It’s Not (Just) About The Tools

by Annette Leonard BAI Consulting Continuous Monitoring has long been recognized as a critical element in maintaining a strong security posture for any IT system.  In spite of this, the risk management processes used in most federal agencies have traditionally been centered around mountains of paperwork, along with “point-in-time” assessments and approvals.  With the ascension…