Risk Management Blog

State of Risk Management in ISM-Community

ISM-Community was originally created and the steering committee formed in Fall of 2006.  During that time, one of our key activities was to come up with a list of projects that were worthwhile, and that list became somewhat of a direction for us to move in.

One of the first priorities has been to develop a risk assessment methodology.  Being of a US Government mindset, my first question was "What's wrong with NIST SP 800-30?"  Well, 800-30 is a good start, but like I've said before, there are some things, such as templates, examples, and suggestions, that NIST can't give you, because then all the auditors take them as gospel/doctrine instead of implementation technique.  We want to bridge that gap.

We have traveled down the RA Methodology road over the past 6 months or so, and the project has stuttered due to a handful of factors: mostly time constraints (find me a security person worth anything at all and they're up to their eyeballs in projects), plus a couple of false paths we've gone down (FAIR was a good one, but we had a philosophy/licensing issue).

What remains to be done?  Well, this is my roadmap for the near- to moderate-term future:

  • Finish off the remaining RA Methodology sections
  • Creation of artifacts/templates/examples to support the methodology
  • Field-testing to validate the methodology

At some point, the artifacts will suffer from scope-creep as they become a set of ISM .  That's OK.

In true NPO form, I'm asking for volunteers who can help out.  The first step is to look at the existing incarnation of the RA Methodology and make recommendations.

Comments

mcurphey said:

Superb Monsieur Guerilla.

I think you are spot on about the lack of simple tools to support RA.

Also it may be worth us digging up the list we came up with of the Current Issues with RA. If I recall there was a unanimous vote for something that was super fast and reasonably accurate (qualitative) rather than something that took a while to compute and was better.

May 2, 2007 12:54 PM
erichnewell said:

So as to not re-invent the wheel, be sure to look at the IAM and IEM produced by the NSA.

Developed in 1998, the National Security Agency INFOSEC Assessment Methodology is pretty robust and still relevant. The book "Security Assessment: Case Studies for Implementing the NSA IAM" covers the NSA IAM in a logical progression and draws from 800-30 among others.

I recommend it highly along with the NSA IEM as well.

Drawing from these two bodies should go a long way towards development of a heuristic methodology.

June 22, 2007 4:12 PM
rybolov said:

Yes sir.  There are many ways to "skin a cat" but basically most risk management methodologies are the same at the core. =)

June 22, 2007 8:11 PM

About rybolov

Russian linguist, Linux administrator, flyfisher, and security geek at-large.

My official press bio:

Michael Smith is the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia. His scope of responsibility includes both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, Server Management Team, and several disaster recovery sites.

Michael has performed numerous tasks throughout the Certification and Accreditation (C&A) process for clients in the Federal Civilian and Department of Defense environments. He has designed and performed security testing and evaluation engagements against national level systems in both the Federal Civilian and Department of Defense environments.

Michael graduated from the prestigious Defense Language Institute in Monterey, CA with a Department of Defense advanced linguistic certification in Russian and spent several years on active duty in the US army as a translator and specialist in information security.

Michael assisted with development of a DITSCAP methodology and Standard Operating Procedures for the Department of Defense's Tricare Management Activity (TMA) as well as performed many of the tasks associated with that methodology. Throughout the time Michael spent working with the TMA, he was responsible for development of documentation, performing security testing and evaluation, evaluating and conducting assessments of physical security, and the development and performance of risk assessments for remote sites throughout the continental United States.

While engaged with the Transportation Security Administration, Michael developed C&A documentation for numerous systems and sites throughout the Transportation Security Administration and helped to use C&A as the catalyst to build a security program.

In 2004, Michael was activated as a member of the Virginia National Guard and deployed to Afghanistan, where he conducted numerous combat patrols as an infantry squad leader.
