Archive for the ‘Policy and Governance’ Category

New Electronic Authentication Guideline for Fed Agencies

December 17, 2011

Electronic Authentication Guideline (NIST Special Publication 800-63-1), from NIST, expands the options for government agencies that need to verify the identity of users of their Web-based services.

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.

Strategic Plan for the Federal Cyber-Security Research and Development Program

December 10, 2011

This report outlines the Obama Administration’s road map of priorities for government agencies that sponsor research and development on cyber-security.

As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness.

NIST Issues Cloud Computing Roadmap

November 5, 2011

Eric Chabrow / BankInfoSecurity

The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.”

Tool to plan for Cyberattack

October 29, 2011

ComputerWorld / Nancy Gohring

The Small Biz Cyber Planner will ask a series of questions such as “Does your business use credit cards?” and “Does your business have a public website?” Based on the responses, it will generate a planning guide to help companies put in place basic policies to protect against cyberthreats.

Alternate Internet to Secure Critical Infrastructures

October 29, 2011

ExecutiveGov / Katelyn Noland

The alternate Internet would be built with the intention of securing critical systems where there would be strict access rules and those who are allowed entry must report any suspicious behavior.

NIST’s Guide for Conducting Risk Assessments

October 1, 2011

The National Institute of Standards and Technology (NIST) is currently seeking comments through Nov. 4 on its Guide for Conducting Risk Assessments.

In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level.

To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.

From “IT Governance” to “Governance of Enterprise IT”

September 11, 2011

Steven De Haes / ISACA Blog

…..Governance of Enterprise IT (GEIT) is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organizations that enable both business and IT personnel to execute their responsibilities in support of business-IT alignment and the creation of business value from IT-enabled investments. GEIT clearly goes beyond the IT-related responsibilities and expands toward (IT-related) business processes needed for business value creation. ISACA frameworks such as Val IT and the upcoming COBIT 5 fully embrace these concepts.

Taxonomy of Operational Cyber Security Risks

August 20, 2011

Cebula and Young / Carnegie Mellon

This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.

COBIT 5: Available for Public Comments

July 10, 2011

The Framework and Process Reference guide exposure drafts are available for download from the ISACA site.

This foundational COBIT volume introduces the following, which combine to provide a comprehensive, effective framework to support the governance and management of enterprise information and related technology:

  • Principles
  • Drivers
  • Benefits
  • Enablers
  • Other aspects

The COBIT 5 Process Reference Guide incorporates and is the successor to COBIT 4.1, Val IT and Risk IT processes. It describes the:

  • Goals cascade
  • Process model
  • Process reference model
  • Detailed processes

The online questionnaire will remain open until 31 July 2011.

North Atlantic Cyber Security Organisation (?)

July 2, 2011

Sounds like the right move

This new security challenge was on the agenda at the June 8th-9th meeting of NATO defence ministers in Brussels. Ministers agreed on an action plan and on a revised cyber defence policy which will not only ensure a quicker and more effective protection of NATO’s own network, but also provide the Allies and Partners with more assistance in preventing the cyber attacks, coping with them and limiting their impact.

The new strategy requires that all NATO structures be brought under a centralised protection system, and that all of its networks be monitored round the clock as of 2012.

Supplemental Guidance on Authentication

July 2, 2011

The Federal Financial Institutions Examination Council (FFIEC) today issued a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

Protecting Sensitive Information: The Virtue of Self-Restraint

June 5, 2011

Dallas Boyd @ Homeland Security Affairs Journal

The motives behind disclosures of sensitive information vary, but a common refrain is that they spur remedial action that would otherwise be avoided. Critics argue, however, that these revelations recklessly endanger the public. Whatever their effect, a soft consensus seems to have formed that airing this information does not subtract from national security to such an extent as to justify the extraordinary powers that would be required to suppress it.

Board oversight of risk

May 31, 2011

Marks on Governance

A recent KPMG study showed that risk management practices still have a very long way to go. In particular, board members continue to be concerned that they have insufficient information with which to manage risk.


April 30, 2011

A database of current guidance, laws and directives on how the Federal government secures its IT assets.

Coordinated Vulnerability Disclosure

April 30, 2011

More and more companies are coming out with formal Coordinated Vulnerability Disclosure processes and standards.

After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.

Cybersecurity Two Years Later

February 3, 2011

This is a follow-up to the 2008 report “Securing Cyberspace for the 44th Presidency”, published by the Center for Strategic and International Studies (CSIS), which included 25 recommendations for change. Now, two years later, CSIS has published this report to review where progress has been made on those recommendations and where action is still necessary. The report identifies 10 key areas where the nation must take action. The report starts with

2010 should have been the year of cybersecurity. It began with a major exfiltration of data from Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks.

and suggests cloud as one of the solutions –

Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense. Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges.

which is correct, but it will not come free – data security in transit from the end user to the cloud and authentication will be two big-ticket items that we need to pay for. The report ends with……and with what will not work.

Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing, and self-regulation, are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States.

ABC: Attribute-Based Credentials

January 27, 2011

This is the simplest, most honest, and most practical answer to the question “how can I protect my privacy?” – divulge less information about yourself on the web and other platforms!

…in many cases, there’s no need for someone verifying your credentials to know everything about you. A bouncer at a nightclub needs to know that you’re 21, not your name or home address. A county database may only require proof that you’re a local resident, not your phone number or e-mail address.

Old rivals Microsoft and IBM are developing solutions to this problem under the ABC4Trust project.

Attribute-based Credentials (ABC) allow a holder to reveal just the minimal information required by the application, without giving away full identity information. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-protecting digital society.

One likely application for the ABC system: electronic identity cards issued by national governments. Microsoft has already demonstrated a system that can verify that someone is at least 18 years old and resides in Berlin, without disclosing an actual birthdate.
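To make the minimal-disclosure idea concrete, here is an added example written for this page; it is not ABC4Trust, U-Prove or Identity Mixer code. Those systems prove statements about hidden attributes with zero-knowledge proofs; this toy uses the simpler salted-hash pattern (one commitment per attribute, the whole set signed by the issuer) to show the same interface: the holder opens only the attributes a verifier asks for, and the verifier can check them against the issuer's signature without seeing anything else. The issuer key, the attribute names and the sample holder are constructed, and an HMAC stands in for the issuer's public-key signature.

```python
"""Minimal-disclosure credential built from salted hash commitments (added example)."""
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key, constructed for this example. A real issuer signs with a
# public-key scheme so that verifiers hold no issuer secret.
ISSUER_KEY = b"hypothetical-issuer-key-not-for-production"


def _commit(name, value, salt):
    """H(salt | name | canonical(value)). The random salt stops a verifier from
    brute-forcing a low-entropy hidden value (a birthdate, a city) from its hash."""
    data = salt + b"|" + name.encode() + b"|" + json.dumps(value, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def _sign(digests):
    payload = json.dumps(sorted(digests.items())).encode()  # canonical order
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_credential(attributes):
    """Issuer side: commit to each attribute separately and sign the set.

    Predicate attributes such as over_18 are derived by the issuer at issuance, so a
    verifier can learn "over 18" without ever seeing the birthdate. Real ABC schemes
    instead prove such predicates in zero knowledge over the hidden attribute.
    Returns (credential, holder_secret): the credential is what verifiers see; the
    holder_secret (plaintext values and salts) never leaves the holder.
    """
    salts = {name: secrets.token_bytes(16) for name in attributes}
    digests = {name: _commit(name, attributes[name], salts[name]) for name in attributes}
    credential = {"digests": digests, "signature": _sign(digests)}
    holder_secret = {"attributes": dict(attributes), "salts": salts}
    return credential, holder_secret


def present(credential, holder_secret, disclose):
    """Holder side: open only the requested attributes (value plus salt)."""
    return {
        "credential": {"digests": dict(credential["digests"]),
                       "signature": credential["signature"]},
        "disclosed": {
            name: {"value": holder_secret["attributes"][name],
                   "salt": holder_secret["salts"][name].hex()}
            for name in disclose
        },
    }


def verify(presentation):
    """Verifier side: return the disclosed attributes, or None on any failure.

    Checks (1) the issuer signature over all commitments, so the holder cannot drop
    or add attributes, and (2) that each opened value hashes to its signed
    commitment, so the holder cannot substitute a value. Unopened attributes stay
    hidden behind their salted hashes.
    """
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["digests"]), cred["signature"]):
        return None  # forged or altered credential
    revealed = {}
    for name, opening in presentation["disclosed"].items():
        if name not in cred["digests"]:
            return None  # opening an attribute the issuer never certified
        salt = bytes.fromhex(opening["salt"])
        if not hmac.compare_digest(_commit(name, opening["value"], salt), cred["digests"][name]):
            return None  # value does not match the signed commitment
        revealed[name] = opening["value"]
    return revealed


def linkable(presentation_a, presentation_b):
    """Caveat: two presentations of this toy credential carry the same signature and
    digests, so colluding verifiers can link them to one holder. Full ABC schemes
    are designed to avoid exactly this."""
    return presentation_a["credential"]["signature"] == presentation_b["credential"]["signature"]


if __name__ == "__main__":
    # Constructed sample holder: the nightclub case from the text above.
    cred, secret = issue_credential({
        "name": "Erika Mustermann", "birthdate": "1990-05-01",
        "city": "Berlin", "over_18": True,
    })
    shown = present(cred, secret, ["over_18", "city"])
    print(verify(shown))  # {'over_18': True, 'city': 'Berlin'}
    shown["disclosed"]["city"]["value"] = "Paris"
    print(verify(shown))  # None
```

The bouncer's verifier learns only over_18 and city; name and birthdate reach it as salted hashes it cannot reverse, yet the signature check still binds the opened values to what the issuer certified. The two gaps between this toy and a real attribute-based credential are the ones the quoted text hints at: the predicate is asserted by the issuer rather than proven by the holder, and linkable() shows that repeated presentations are trivially correlatable, which zero-knowledge credential systems are built to prevent.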

Comments Welcome…on FTC’s Privacy Report

January 22, 2011

If you missed this earlier, the FTC has extended the deadline for comments on its Privacy Report (Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers) until Feb 18th.

Stakeholders emphasized the need to improve transparency, simplify the ability of consumers to exercise choices about how their information is collected and used, and ensure that businesses take privacy-protective measures as they develop and implement systems.

At the same time, commenters and participants urged regulators to be cautious about restricting the exchange and use of consumer data in order to preserve the substantial consumer benefits made possible through the flow of information.  Participants noted, for example, that the acquisition, exchange, and use of consumer data not only helps to fund a variety of personalized content and services, but also allows businesses to innovate and develop new products and services that offer consumers convenience and cost savings.

Time to craft new International Standards / Best Practices?

January 20, 2011

At first glance it felt as if some author was trying to get attention by using a controversial heading, but as I read the post, I realized the author “drafted most of the original text that evolved into ISO 27002 and achieved the world’s first accredited certification”. Yes, it’s David Lacey (Director of Research, ISSA-UK) expressing his views on the current state of security.

Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.

The traditional Swiss Cheese model of defence in depth is falling down. It’s not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers.

But he also suggested solutions (i.e., what has worked or might work) –

The Global Security Challenge encourages and rewards innovative security technologies……Virtualisation transforms the infrastructure from both a user’s and an attacker’s perspective…….Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption…….One thing is certain: We need much greater vision and investment in new security technologies.

Goals for cyber policymaking

January 5, 2011

Howard Schmidt discusses the guiding principles that lie behind White House Internet policymaking: deterrence, resilience, privacy and partnerships.

The concept of privacy must evolve to a point that the information necessary for an online transaction is minimized and available for the shortest amount of time to validate the transaction and then vanish. 

