Security Catalyst Show – February 16 2009 – Certification & Accreditation
Welcome to the Security Catalyst Program – bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!
On today’s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.
A few quick notes
1. Into the Breach is available as an eBook and signed hardcover from www.intothebreach.com. Learn more about how to engage users, restore responsibility and hold people to account. The book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.
2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective.
3. I’m in the process of revamping the podcast series for 2009. I know a lot of people are struggling – and in addition to being a voice of optimism, I’m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help – shoot me an email: securitycatalyst@gmail.com
Stay tuned for more information.
For today’s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&A.
Links at a glance
The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed
Graydon, Joe and Mike teach a 2-day C&A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum. http://www.potomacforum.org/
Graydon’s blog: http://www.ascensionriskmanagement.com/BlogOne/
Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/
Mike’s blog: http://www.guerilla-ciso.com/
Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations
The most relevant NIST publications are Special Publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html
About the Experts
Mike Smith
Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to joining Deloitte, Michael served as the Chief Information Security Officer of the Unisys Federal Service Delivery Center based in Reston, Virginia. His responsibilities included providing governance and managing risk for several data centers, a Security Operations Center, a Network Operations Center and a Server Management Team.
Graydon McKee
Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC. Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs for clients in both the public and private sectors. He is a recognized leader in government regulatory compliance (the Federal Information Security Management Act, FISMA, and the Defense Information Technology Security Certification and Accreditation Process, DITSCAP) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices.
Joe Faraone
Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia, with over 20 years’ experience in Information Security. Joe has delivered services for numerous Federal customers, including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&V). Over his career, he has served as Lead Independent Security Engineer, as Manager and Architect of a managed security center for an Intelligence Community agency, and has performed Certification and Accreditation services for several high-assurance systems.
Three Challenges to Building Trust (and how to overcome them)
How hard is it to build trust?
“When people honor each other, there is a trust established that leads to synergy, interdependence, and deep respect. Both parties make decisions and choices based on what is right, what is best, what is valued most highly.” –Blaine Lee
In my last article, I introduced CompTIA’s Trustmark certification, an effort to address a growing need in business today. The Trustmark, initially focused on small and medium-sized VARs, represents a promising step forward in how businesses demonstrate and verify that they protect information. As outlined in part one, I see a far larger benefit for small and medium businesses everywhere, provided Trustmark is positioned and grown properly.
Note: The more I think about Trustmark and the challenges of getting it right, the more I see vast potential. As such, I’m lengthening this article into a series of posts to share more ideas and invite constructive conversation.
The Challenges
Now I turn my attention to addressing the key challenges – with suggestions on how to meet and overcome them. This is also a call to action for professionals to come together to tackle these challenges industry-wide.
When I left the Trustmark workshop, I sensed the start of a necessary program that is heading in the right direction. In the weeks since, I have continued to consider the approach – and the challenges that must be overcome — in the context of my own experience with frameworks, education and industry measurement.
Aside: these challenges are not unique to Trustmark – these are challenges many of us face every day, especially when it comes to presentations, standards development, projects and our day-to-day activities.
The next few articles will address some of the key challenges and provide some insights – based on my experience – to successfully address those challenges.
- No Need to Reinvent the Wheel
- Provide Transparency with Support
- Establish a Sound Audit Process
Make a Difference
While you may not (yet) share my enthusiasm for a way to verify how vendors and other businesses protect information, your experience, concerns, insights and ideas are essential to the success of this and other efforts. So reach out to me by email, telephone or twitter, or join me in the Security Catalyst Community to sound off. I’m interested in any and all feedback, especially from small business owners, VARs, vendors and anyone who has been through this process.
By blending our voices and experience together, we are able to influence positive change (while actively considering and addressing unintended consequences).
Stay tuned…
Can you be trusted? Can you prove it?
“What questions do I need to ask to make sure my vendor is protecting my information?”
I was asked that question last week by a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized that vendors were supporting key systems, which raised questions he could not answer. He needed more assurance that he wasn’t taking on unnecessary risk and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.
Traditionally, the answer to that question focuses on the vendor’s employees: how many of them hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all too common is the situation where the cobbler’s children wear no shoes (or the modern adaptation, where the contractor’s spouse never has anything fixed around the house).
Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple, easy to understand and equally easy to apply and answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?
We need a better solution.
I recently got an insider’s look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/
From their website:
The CompTIA Security Trustmark is a vendor-neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.
The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).
After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).
And then I want to learn – join me in the conversation about this whether by email (securitycatalyst – gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.
The Starting Point
Initially, this approach is geared toward small and mid-size vendors and VARs: companies that work within “the channel.” This approach:
- sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners that they pose less risk to work with
- gives vendors higher confidence across their entire channel
- creates distinction for VARs and Channel Vendors alike that results in competitive advantage
With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.
The Big Picture (as I see it today)
My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.
This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due diligence on vendors, but every year I lament the lack of an approach like the “common application” that seems to work for university applicants.
Imagine being able to pre-validate vendors by virtue of their holding a Trustmark.
Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.
- Businesses know what is expected of them, and have access to the guidance and support needed to take the appropriate actions for their business. They can then earn the Trustmark designation and use it to differentiate themselves for contracts.
- Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.
Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an “overlay,” where several valid methods of meeting the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA or PCI DSS should be able to earn the Trustmark easily. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.
Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).
Answering the Question
No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.
As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!
Tomorrow, I’ll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to avoid them. In the meantime: how do you answer the question when asked about assessing vendors? How do we avoid re-creating the wheel? How would this benefit your business?