
QOTD - NIST on Continuous Monitoring

NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).
Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk‐based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real‐time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.
Src: NIST FAQ
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)

QOTD - Pescatore on Occurrences

Data loss is to information security as patient mortality is to medicine. 'Extremely rare' has to mean 'close to never' vs. 'not often.' -- John Pescatore, Vice President at Gartner Inc.
Src: SANS NewsBites Vol 11 Num 80

QOTD - PrivacyProf on tracking PII

Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost.
Rebecca Herold, The PrivacyProf, blogging about the news that the University of Central Missouri didn't know that two printed reports (w/ 7,000 student names, SSNs, addresses, and birthdates) were stolen from a location on campus.

I have had similar findings in many of the information security assessments that I conducted, in that management was often shocked to hear about the various sources and destinations of sensitive information throughout an organization. Until an organization traces the flow of sensitive data generated and consumed, management cannot hope to have an accurate inventory of that data, its location, or whether it has been properly disposed of.

[Note: emphasis is mine]

Src: Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen - Realtime IT Compliance

QOTD - Schultz on Mandatory Security Standards

Like it or not, mandatory security standards are inevitable in the US at some point in time. Without them, the US will continue to have too many weak links in its critical computing infrastructure. -- Dr. Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 11 Num 26