Archive for risk management

The NIST PM Security Control Family

The NIST PM control family is a set of security controls that were added to the NIST SP 800-53 catalog of controls in version 3. These controls are fundamental and foundational and need to be established early in the System Development Life Cycle (SDLC). They lay the groundwork for processes that are critical to information […]

Software Assurance Tools

Software Assurance deals with making sure that software acts as it was intended and is free from vulnerabilities. Too often these days, our software is distributed while it is still filled with undiscovered flaws that attackers may be able to use to penetrate our systems. It is far more cost-effective to spend the time […]

Security Controls – Tools for Your Gameplan

FOOTBALL: In football (and other sports) the gameplan is an important part of success. How well the gameplan is implemented on the field will determine the final score, but with a flawed gameplan, performance may become irrelevant. Football organizations may use groups of scouts and coaches and spend weeks performing an analysis of their upcoming […]

Agile Defense with NIST Controls

Agile Defense: In the past, information systems security often focused simply on perimeter defense, wrongly assuming that a strong perimeter was the only defense needed. Then, as regulations became more complex and more legal, infosec became more “compliance-centric”, trying to pass the security audits required by law. Compliance-oriented security produces reams of paperwork and […]

Continuous Monitoring

Continuous monitoring is about keeping an ongoing watch on how well your security controls are doing their job. NIST introduced this idea back in 2004 when they were also evangelizing about the Authorization process, then known as Certification and Accreditation (or C&A). By law (FISMA), NIST supplies federal organizations with security guidance, which can be […]

Patch and Vulnerability Management

NIST 800-40 “Creating a Patch and Vulnerability Management Program” describes the functions and processes that a patch and vulnerability management program should cover in order to maintain effective security. Importance of patch management: As operating systems, applications and utility tools continue to manifest exploitable flaws, rapid application of security patches becomes critical to security. Attackers […]

FIPS Validated Encryption

FIPS 140-2 is the current (soon to be revised to FIPS 140-3) NIST encryption standard for government agencies protecting sensitive but unclassified information. NIST operates a Cryptographic Module Validation Program (CMVP) that offers testing of encryption (cryptographic modules) in products to ensure they are compliant with the FIPS standard. This testing involves not only which […]

Security Control Matrix

This matrix is a map that correlates attackers' methodology with NIST 800-53 security controls: ATTACK METHODOLOGY/CONTROL Recon General/Google RA-3 RISK ASSESSMENT – you can only reduce exposure and can never “stop” general reconnaissance, but you damn well better know what you’re defending before the attacker starts to find out Network scanning CM-7 LEAST FUNCTIONALITY – […]

Federal Cyber-Security

NIST (National Institute of Standards and Technology) has provided Federal Agencies with all the tools they need to get cyber-security done right. But obviously, it’s not being done right yet at most agencies. Why not? Failure to understand the threat level – this was certainly once the top problem… maybe not so much anymore with […]

800-53 rev3 FINAL

NIST has released the final copy of SP 800-53 rev3 “Recommended Security Controls for Federal Information Systems and Organizations”. This document is the encyclopedia of security controls for federal agencies and this is the third revision since it was originally released in 2005. The impact level baseline information bar that was removed in the Final […]