
Risk Management Blog

Getting Back on the Horse

"First we said it was too cold and that the fish were not feeding.  Then we said it was too sunny and the fish were scared.  Then we discovered that the fish had gone elsewhere.  When we found the fish, we started casting to them with nice juicy baitfish flies."

So also is the story of the ISM Community Risk Assessment Methodology.  After more than a few false starts (Curphey changing the server platform, some flirtation with FAIR, almost scoring a free methodology to have and to hold, the apparent ADHD of the project lead), we are continuing down the merry path of creating our own risk assessment methodology.

Now that we're back to casting for trout, I would like to issue an Internet-wide call for volunteers.  What I'm looking for is about a dozen people who know Risk Assessment and simultaneously know how to write well.

Really the methodology consists of several parts:

  • A document that describes the process (partially started)
  • A set of artifacts to assist in the process such as inventory spreadsheets and a risk register (partially done)
  • Reference implementations where we take the process and test it out (not yet, we need the process first)
  • References and similar projects 
  • Glossary 
  • Foo

I have a handy-dandy spreadsheet to track status.  If you are interested in helping out, go to the RA forum at http://www.ism-community.org/forums/t/564.aspx (it's broken right now, I tried to upload the spreadsheet and it bombed out on me) or shoot me an email with a description of what you would like to help out with.

Cheers
--Mike

Comments


The Guerilla CISO » Blog Archive » Call for Volunteers said:

Pingback from The Guerilla CISO » Blog Archive » Call for Volunteers

June 21, 2007 10:51 PM

mcurphey said:

File upload works. It was your user error ;-)

June 22, 2007 1:44 AM

ISM RA Methodology « Mark Curphey - SecurityBuddha.com said:

Pingback from ISM RA Methodology « Mark Curphey - SecurityBuddha.com

June 22, 2007 1:49 AM

About rybolov

Russian linguist, Linux administrator, flyfisher, and security geek at-large.

My official press bio:

Michael Smith is the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia. His scope of responsibility includes both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, Server Management Team, and several disaster recovery sites.

Michael has performed numerous tasks throughout the Certification and Accreditation (C&A) process for clients in the Federal Civilian and Department of Defense environments. He has designed and performed security testing and evaluation engagements against national level systems in both the Federal Civilian and Department of Defense environments.

Michael graduated from the prestigious Defense Language Institute in Monterey, CA with a Department of Defense advanced linguistic certification in Russian and spent several years on active duty in the US army as a translator and specialist in information security.

Michael assisted with development of a DITSCAP methodology and Standard Operating Procedures for the Department of Defense's Tricare Management Activity (TMA) as well as performed many of the tasks associated with that methodology. Throughout the time Michael spent working with the TMA, he was responsible for development of documentation, performing security testing and evaluation, evaluating and conducting assessments of physical security, and the development and performance of risk assessments for remote sites throughout the continental United States.

While engaged with the Transportation Security Administration, Michael developed C&A documentation for numerous systems and sites throughout the Transportation Security Administration and helped to use C&A as the catalyst to build a security program.

In 2004, Michael was activated as a member of the Virginia National Guard and deployed to Afghanistan, where he conducted numerous combat patrols as an infantry squad leader.

All Rights Reserved - The ISM-Community