If you’re into doing things the government way, Laura Taylor’s article “Security Certification and Accreditation 101” is a great primer on SC&A processes.
I’ve often thought that a good C&A process used regularly is much more beneficial and critical than your average penetration test or even a giant OCTAVE or NIST “risk assessment” (which are usually just vulnerability assessments with some “probability” and “mitigation” thrown on). Some things to note about C&A:
- I’ve always thought it remarkably stupid that NIST differentiates between “business risk” and “system risk”. But thinking about their approach in 800-30 and how they got to where they are explains a lot, so at least I can understand why they’re kind of messed up.
- A C&A process without a “risk mindset” is still beneficial, but it becomes somewhat “best practices” in approach - and that lessens the effectiveness of the undertaking.
Regarding that second point, from the article:
> If you are the CIO of a U.S. federal agency, your systems will likely be shut down if they don’t pass the accreditation process, which could become career limiting.
“Career limiting”. What a great phrase! Now, in order to have a good C&A process it is absolutely critical that a proper risk expression and framework be used. Why? Well, as an example, given the NIST approach to risk (with its differentiation between “business risk” and “system risk” - point one above), how comfortable would you be making potentially “career limiting” decisions using that methodology?
A C&A process simply moves you towards a better state of knowledge concerning your assets. Moving from any state of nature to a state of knowledge is dicey unless you have good priors and a relevant framework. That takes metrics and good risk analysis.
Tags: compliance, information risk, information security, risk management, governance, enterprise architecture

(via RiskAnalys.is) June 12, 2007, 8:17am