In reviewing the final revision of NIST Special Publication (SP) 800-37, Rev. 1, the traditional Certification and Accreditation (C&A) process has been transformed into the Risk Management Framework (RMF). The RMF sets forth a good start for a consensus C&A model and will hopefully provide a change in the traditional approach to C&A; focusing on a more dynamic process that is stateful with the changes in the operational environment and threat vectors. Given the emphasis in the RMF to promote the concept of near real-time risk management, Federal Agencies will need to become more effective on how to manage their... Read more →
« January 2010 | Main | March 2010 »
Posts from February 2010
27 February 2010
Federal Agencies Lack Proper Security-Related Risk Management Practices
Posted by Matthew Metheny on 27 February 2010 at 08:37 PM in Cybersecurity Training, IT Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
Protect or exploit?
The perennial discussion about the value of risk analysis has broken out yet again over on CISSPforum. It's close to being classed as one of our zombie topics - the ones that we think we've successfully killed off after getting nowhere but some time later they arise from the grave to haunt us again, over and over. I wouldn't mind so much but we seem to dance around the same old handbags every time: Quantitative versus qualitative risk analysis - the pros and cons of each, and innumerable associated methods, tools and techniques Risk-based versus experience and good practice-based security... Read more →
Posted by Gary Hinson on 27 February 2010 at 04:14 AM in Risk | Permalink
|
Comments (0)
|
TrackBack (0)
20 February 2010
Demotivational Speaking
The Harvard Business School has words of wisdom at http://hbswk.hbs.edu/archive/5289.html in an article on "Why your employees are losing motivation," by David Sirota, Louis A. Mischkind, and Michael Irwin Meltzer. It's not directly about security, but the fact that it seems to be striking a chord with so many security bloggers and microbloggers is significant. The article's closing words about the ways in which management may unwittingly demotivate staff are applicable to many, many people who aren't security professionals, of course: "Many companies treat employees as disposable... ...Employees generally receive inadequate recognition and reward: About half of the workers in... Read more →
Posted by David Harley on 20 February 2010 at 07:39 AM in IT Security, Operations Security | Permalink
|
Comments (2)
08 February 2010
Cyber Security Central
This blog entry focuses on introducing a new community focused resource designed to provide an avenue for the collaboration and sharing of information relating to Cyber Security. The Cyber Security Central website (www.cybersecuritycentral.com) seeks to extend the knowledge and best practices within the cyber security community. The overall goal of the site is to provide a platform to support the implementation of the National Cyber Security Strategy. Since the inception of the project a few months ago, I have tried to establish a site that seeks to demonstrate a broad view of the cyber security community from both the national... Read more →
Posted by Matthew Metheny on 08 February 2010 at 04:45 PM in Cybersecurity Certifications, Cybersecurity Training, Digital Forensics, IT Security, Malware, Network Security, Operations Security, Privacy, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
05 February 2010
CobiT maps to
ISACA maps of CobiT to ITIL, NSIT SP800-53, CMMI, ISO 17799/27002, Project Management BOK, and others. Read more →
Posted by Rob Slade on 05 February 2010 at 07:31 PM in Cybersecurity Certifications, Cybersecurity Training, IT Security | Permalink
|
Comments (0)
Microsoft awareness kit
Microsoft has a kit of awareness materials that you can download for free. There are some PowerPoint slide decks. These should be reviewed prior to use, since, while they do have some content, they have an awful lot of blank holes which need to be filled with your company name and some additional details. There are also templates for brochures, etc, but these contain no content, and are simply formats and styles. Read more →
Posted by Rob Slade on 05 February 2010 at 07:23 PM in Cybersecurity Training, IT Security, Network Security, Operations Security | Permalink
|
Comments (0)
02 February 2010
Know thyself
Psychological profile of what makes a good defender in the infosec world. Read more →
Posted by Rob Slade on 02 February 2010 at 06:07 PM in Cybersecurity Training, Insider Risk | Permalink
|
Comments (0)
SSN algorithm
Given the importance and wide use of US Social Security Numbers (even though the use is legally restricted), this article on how to determine SSNs is fairly important. Read more →
Posted by Rob Slade on 02 February 2010 at 05:47 PM in Cybersecurity Training, Legal, Privacy | Permalink
|
Comments (0)
Search
Categories
- (ISC)² Chapters (22)
- (ISC)² Events (159)
- Center for Cyber Safety and Education (52)
- Cloud Security (132)
- Cybersecurity Certifications (376)
- Cybersecurity Training (310)
- Cybersecurity Workforce (242)
- Digital Forensics (29)
- Ethics (52)
- Government (123)
- Insider Risk (56)
- IT Security (372)
- Legal (45)
- Malware (112)
- Network Security (175)
- Operations Security (140)
- Privacy (116)
- Ransomware (83)
- Risk (195)
- Software Development (44)
- Spotlight (71)