Common Controls and Inheritance

By Kathryn M. Farrish, CISSP Common Controls are security controls whose implementation results in a security capability that is inheritable  by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as: Physical and environmental security controls Network boundary defense security controls Other inheritance scenarios include agency or departmental-level policies…

FAQ: How Comprehensive is your RMF for DoD IT Course?

The most common question we get in regards to our RMF for DoD IT training course is this: How comprehensive is your RMF for DOD IT course? The reason I ask is that the Navy is still trying to wrap their head around RMF and how to integrate it both from an acquisitions and operational…

Security Control Spotlight—Privacy Overlay

By Lon J. Berman, CISSP According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and supplemental guidance derived from the application of tailoring guidance to security control baselines”. The intent is to streamline the process of developing a security control set for specific communities of interest. The Committee on National Security Systems (CNSS) website, www.cnss.gov,…

System Categorization-Take the Time to Get it Right

By Lon J. Berman, CISSP The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an…

Information Security Continuous Monitoring Course Date Just Added!

We have just added a course date for the Information Security Continuous Monitoring training that is coming up this fall (September 22 – 24, 2015). Information Security Continuous Monitoring (three days) covers roles and responsibilities, establishment and implementation of the ISCM strategy, analysis and reporting of findings, and program review in accordance with NIST Special Publication…

What Are CCIs and Why Should I Care About Them?

By Kathryn M. Farrish, CISSP One of the more recent information security innovations is the Control Correlation Identifier, or CCI. Each CCI provides a standard identifier and description for “singular, actionable statements” that comprise a security control or security best practice. The purpose of CCIs is to allow a high level statement made in a…

Spotlight: Information Security Continuous Monitoring

By Lon Berman, CISSP No longer just a technical issue, instead a strategic program to manage cybersecurity risk. Targeted cyber attacks are a strategic organizational problem. Cyber attackers are more sophisticated than ever before, and it has become vitally important to understand how to manage risk and implement a continuous monitoring program.  More than just…