Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

Uncategorized

risk assessment model

The risk assessment model is decomposed in NIST SP 800-30, Guide for Conducting Risk Assessments. The model is designed to identify threat sources and threat events, identify vulnerabilities and predisposing conditions, determine the likelihood of occurrence, determine the magnitude of impact, and finally determine risk. One of the tools used to do this is the risk register: Risk Register Template – version a; Risk Register Template – version b. The risk assessment model is only one part of the risk management process in DIARMF and other risk management frameworks.

Uncategorized

risk register template

A risk register is a tool, in the form of a spreadsheet, application or database, that you can use during risk assessments for risk identification. It allows the person conducting the risk assessment to log the threat, the asset and the impact, and to give some idea of the probability of the threat. It is used in DIARMF, DIACAP, project management and other risk management processes to help decision makers. It's also known as a risk log. Here is a risk register template I got from the British Columbia government site (http://www.gov.bc.ca/fin/): Risk Register Template. Here is another risk register template from the Israel Institute of Technology (webcourse.cs.technion.ac.il): Risk Register Template

Uncategorized

what is a national security agency

What is a National Security Agency? Disclaimer: I am not Edward Snowden. YES, I am a contractor. I have not and will not give up critical information that might harm my way of life. I am NOT a fan of the Patriot Act for obvious reasons, but I have been to over a dozen countries, and I LOVE the USA (warts and ALL). I am not going to get all patriotic and shit and I will keep my half-baked political views to myself. I will just say I am optimistic (which I am sure gives away some of my political leanings). I will just say there is NO sensitive material on this blog!! I do NOT have inside info on the workings of the NSA. All aggregated data is from public sources. The NSA is probably the most powerful organization that has ever existed (2014). I am not even going to speculate about their budget (leaked by a certain someone currently in Mother Russia); I will just say it's a xxxxload. The NSA is the largest employer of mathematicians in the US, which means they hire the most mathematicians on planet Earth (which means the solar system -> galaxy -> known universe). It begs the question: why? Why do you need a classified number of mathematicians? This will also enable us to keep U.S. communications secure and maintain the country's ability to exploit new, advanced foreign communications systems. I admire big visionaries. The fact that the NSA knows how important crypto is really says a lot. Here is some declassified history of the NSA for your research: http://www.nsa.gov/public_info/_files/cryptologic_spectrum/early_history_nsa.pdf I am not a fan of unchecked power and unregulated black budgets, but I am a huge fan of the NSA. I know that is not popular, but the NSA is incredible and I hope they keep pushing advanced mathematics to the next level. **note: maybe one day the NSA will be international and do bigger research in advanced mathematics.**

Uncategorized

what is a risk assessment

What is a risk assessment? To answer this question we must first know what "risk" is. There are many kinds of risk: financial risk, safety risk, investment risk. But we are talking about security risk. In the context of SECURITY, risk is the likelihood that something harmful (a threat) will happen to something of value (an asset). The asset must be vulnerable to the harmful event. So a risk is the probability that a threat will exploit the weakness of an asset. A risk assessment is the process of identifying the actual risk. This is done by identifying the threat, the asset, the associated weaknesses and countermeasures, and then determining the impact should the threat harm the asset. Risk identification is done with a risk assessment. NIST SP 800-30, Guide for Conducting Risk Assessments, breaks down the entire process of risk identification and risk determination. As described in the earlier post DIACAP Process: Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk. IT risk is the likelihood that a threat will compromise the weakness of an asset. So risk identification is based on knowing the threat, the vulnerability and the asset. Risk assessment report_Example
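The risk register and the risk determination step described in the "risk assessment model" and "what is a risk assessment" posts above, as an added example in Python (this is not the author's spreadsheet template or NIST's tooling). It keeps each register row as a record, scores it two ways (a qualitative likelihood x impact lookup in the style of the SP 800-30 Appendix I tables, and the post's heuristic formula), and orders the rows for decision makers. The matrix cell values, the 1-5 factor scales and the three register entries are assumptions constructed for the example.

```python
"""Minimal risk register with two ways of scoring each entry.

Added example for this page; it is not the author's spreadsheet template.
Assumptions:
  * LEVELS and RISK_MATRIX model the qualitative likelihood x impact
    determination in the style of NIST SP 800-30 Rev. 1 Appendix I; the
    cell values here are the example's own and should be checked against
    the published table before use.
  * The post's heuristic Risk = ((Vulnerability * Threat) / Countermeasure)
    * Asset Value is applied with every factor on a 1-5 scale (assumed).
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows are likelihood, columns are impact in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class RiskEntry:
    """One row of the register: threat, asset, weakness, plus scoring inputs."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # one of LEVELS
    impact: str                # one of LEVELS
    threat_score: int          # 1-5, assumed scale
    vuln_score: int            # 1-5
    countermeasure_score: int  # 1 = no countermeasure ... 5 = strong
    asset_value: int           # 1-5
    owner: str = "unassigned"


def qualitative_risk(likelihood, impact):
    """Look up the risk level for a likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def heuristic_risk(entry):
    """The post's formula. A countermeasure score below 1 is rejected so a
    missing control cannot turn into a division by zero."""
    if entry.countermeasure_score < 1:
        raise ValueError("countermeasure_score must be >= 1")
    return (entry.vuln_score * entry.threat_score) / entry.countermeasure_score * entry.asset_value


def prioritize(register):
    """Order entries for decision makers: qualitative level first, then the
    heuristic score as a tie-breaker, highest risk first."""
    return sorted(
        register,
        key=lambda e: (-LEVELS.index(qualitative_risk(e.likelihood, e.impact)),
                       -heuristic_risk(e)),
    )


def to_csv(register):
    """Flatten the prioritized register to CSV text, the form most risk logs end up in."""
    header = "risk_id,asset,threat,vulnerability,likelihood,impact,risk_level,score,owner"
    rows = [header]
    for e in prioritize(register):
        rows.append(",".join([
            e.risk_id, e.asset, e.threat, e.vulnerability, e.likelihood, e.impact,
            qualitative_risk(e.likelihood, e.impact), f"{heuristic_risk(e):.1f}", e.owner,
        ]))
    return "\n".join(rows)


# Constructed entries for the example; these are not real findings.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Public web server", "Internet attacker exploits unpatched CMS",
              "Missing vendor patches", "High", "High", 4, 4, 2, 4, "web team"),
    RiskEntry("R-002", "HR file share", "Insider copies PII off the share",
              "Excessive share permissions", "Moderate", "Very High", 3, 3, 3, 5, "HR IT"),
    RiskEntry("R-003", "Break-room printer", "Malware delivered via print spooler",
              "Outdated firmware", "Low", "Low", 2, 3, 1, 1),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE_REGISTER))
```

Note that the two scores can disagree: R-002 has a lower heuristic score than R-001 but the same qualitative level, because a Very High impact pulls a Moderate likelihood up in the matrix. That is the point of keeping both columns in the register: the qualitative level is what you brief, and the heuristic score is what breaks ties and shows the effect of a countermeasure.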

Uncategorized

personnel security

Personnel Security is an important part of Information Assurance, risk management and information security. It's a part of the equation that happens in the background. Personnel security ensures that everyone with security responsibilities at the organization's site meets the trustworthiness investigative levels for users with IA management access to defense information systems, as established in Section E3.4.8 of DoDI 8500.2. Personnel security makes sure that access is granted only to individuals who have a valid need-to-know, demonstrated by assigned official government duties, and who satisfy all personnel security criteria. This includes people with administrative rights, who are subject to sensitivity background investigation requirements since they are granted access to information with special protection measures or restricted distribution, as established by the information owner. All individuals requiring access to classified information are processed for access authorization in accordance with DoD personnel security policies. This includes maintenance personnel, since they also need to be cleared to the highest level of information on the system. Personnel security is an important job for making sure that the right people are hired to handle sensitive information.

Uncategorized

information security specialist

Information Security Specialist is one of the broadest, catch-all terms within system security. Information security specialist is usually the title organizations use when there are so many hats to wear that it's a hat store. The Information Security Specialist position reminds me of that old In Living Color skit "Hey Mon". An Information Security Specialist is an intrusion analyst, a security analyst, a system analyst, a system security analyst, an information assurance analyst, and you document findings! It seems like a way to get you to do anything they tell you without pinning the position down. If you want to get an idea of what this job entails you REALLY, REALLY have to read the job description. The best I can do is tell you what I have done and what I have seen others do while holding this title. When I was in the USAF I was given the title information security specialist and I was an assistant firewall administrator, configured and maintained the base intrusion detection system, wrote the base policy and was acting information system security officer. So basically, I did everything. As a contractor, they had me doing system security engineering, information system security officer and Army Information Management Officer (unit help desk guy).

Uncategorized

computer network defense

Computer Network Defense is listed in DoDD 8140, Cyberspace Workforce Management, as a task within the Protect & Defend category.

Job Description of Computer Network Defense

The actual work of Computer Network Defense covers Protect & Defend, Analyze and possibly other categories. A system security analyst doing CND work is expected to monitor, detect and respond to security incidents on the network. They need to be familiar not only with information system security tools for monitoring network traffic, but they must also know what the actual packets look like when certain patterns emerge on the network. They must be familiar with those patterns to detect network attacks and be familiar with incident handling.

Tools of Computer Network Defense

A system security analyst performing CND work should be able to use a packet sniffer (protocol analyzer) such as Wireshark or EtherApe. They are also expected to know at least one Intrusion Detection System (such as Snort), or to have working experience with Intrusion Prevention Systems. Since there are so many products that do very similar work as an IPS, IDS or packet analyzer, knowing one really well and having a little hands-on time with others is usually ok. What is important is knowing attack signatures well enough to detect them when they occur, understanding ports, protocols and services, and being intimately familiar with network packets.

Computer Network Defense Certification

GIAC Certified Intrusion Analyst (GCIA) – The top of the food chain for security analysts doing pure analyst work. Highly, highly respected intrusion cert. GIAC Certified Incident Handler (GCIH) – Helps to establish yourself. CISSP – not really relevant or specialized for incident analysis, but accepted like a VISA card. Security+… not so much; it's like bringing a knife to a gun fight.
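The two skills the post puts at the center of CND work, recognizing a traffic pattern and recognizing an attack signature in packet content, as an added example in Python (this is not Snort, Wireshark or any tool the post names, but the kind of hand-written check an analyst writes while learning what the packets look like). It runs a SYN-scan heuristic and a Snort-style content match over packet summaries. The Packet record, the two signatures, the thresholds and all of the sample traffic are constructed for the example.

```python
"""Two hand-written CND detections over constructed packet summaries:
a SYN-scan heuristic (traffic pattern) and a content-signature match
(attack signature). Added example for this page, not a product's code.
All packets, signatures and thresholds below are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # seconds, as a sniffer would timestamp it
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S" = SYN only, "PA" = PSH+ACK
    payload: bytes = b""


# Snort-style content rules: (sid, msg, destination port or None for any, bytes).
# Constructed for the example; real signature sets are much larger and tuned.
SIGNATURES = [
    (1000001, "Constructed: NOP sled in payload", None, b"\x90" * 8),
    (1000002, "Constructed: HTTP query with shell metacharacters", 80, b"cmd=;"),
]


def detect_syn_scan(packets, max_ports=10, window=5.0):
    """Flag a source that sends SYN-only segments to more than max_ports
    distinct ports on one destination within `window` seconds.
    Returns [(src, dst, distinct_ports_seen)], one alert per pair."""
    alerts = []
    by_pair = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            by_pair[(p.src, p.dst)].append((p.ts, p.dport))
    for (src, dst), events in by_pair.items():
        events.sort()
        seen = Counter()          # ports currently inside the sliding window
        start = 0
        for ts, port in events:
            seen[port] += 1
            # evict events older than the window
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_ports:
                alerts.append((src, dst, len(seen)))
                break
    return alerts


def match_signatures(packets):
    """Return (sid, src, dst, dport, msg) for every packet whose payload
    contains a signature's bytes on the signature's port."""
    hits = []
    for p in packets:
        for sid, msg, dport, content in SIGNATURES:
            if dport is not None and p.dport != dport:
                continue
            if content in p.payload:
                hits.append((sid, p.src, p.dst, p.dport, msg))
    return hits


def build_sample_traffic():
    """Constructed traffic: one scanner, one normal client, one exploit attempt."""
    pkts = []
    # 10.0.0.5 probes 20 ports on 10.0.0.20 in under two seconds
    for i in range(20):
        pkts.append(Packet(100.0 + i * 0.1, "10.0.0.5", "10.0.0.20", 1 + i, "S"))
    # 10.0.0.7 opens a few connections to 443 over a minute, then sends data
    for i in range(5):
        pkts.append(Packet(200.0 + i * 10, "10.0.0.7", "10.0.0.20", 443, "S"))
    pkts.append(Packet(251.0, "10.0.0.7", "10.0.0.20", 443, "PA", b"GET / HTTP/1.1\r\n"))
    # 10.0.0.9 sends a NOP-sled-looking buffer to 9999 and a ";"-spliced query to 80
    pkts.append(Packet(300.0, "10.0.0.9", "10.0.0.20", 9999, "PA",
                       b"A" * 16 + b"\x90" * 12 + b"\xcc"))
    pkts.append(Packet(301.0, "10.0.0.9", "10.0.0.20", 80, "PA",
                       b"GET /ping.php?cmd=;id HTTP/1.1\r\n"))
    return pkts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for src, dst, n in detect_syn_scan(traffic):
        print(f"SYN scan: {src} -> {dst}, {n} distinct ports in window")
    for sid, src, dst, dport, msg in match_signatures(traffic):
        print(f"[{sid}] {msg}: {src} -> {dst}:{dport}")
```

The scan heuristic is deliberately keyed on SYN-only segments and distinct ports: the normal client reconnects to the same port five times and never trips it, while the scanner trips it on the eleventh port. The content match shows why port qualifiers matter; the "cmd=;" rule only fires on port 80, so the same bytes in an unrelated service would not page anyone.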

Uncategorized

entry level information assurance jobs

There are a lot of entry level information assurance jobs for IT professionals wanting to specialize, for college students wanting to get their first year of experience, or even for those brand new to Information Technology. Whatever the case, an information assurance job is a great start. The best situation you can be in when attempting to get entry level information assurance jobs is to have some IT experience doing system security. Experience such as applying system security controls, installing patches, running vulnerability scans with tools like Nexpose, Retina or Nessus, or working with organization policy makers creating system security plans and standards for the network.

No technical skills necessary for entry level information assurance jobs

The most appealing thing about entry level information assurance jobs is that you don't always have to be technical, because there are Information Assurance jobs that focus entirely on writing policies and creating standards. While you don't need specific hands-on technical experience, you should have a working understanding of the technology you create standards for. For example, you don't have to know how to configure the screen saver on a Red Hat system, but you should understand why it's important that the automatic screen locking/screen saver mechanism be implemented, or why it should not.

Entry level information assurance jobs for people who don't know ANYTHING

In some cases, you don't even need to understand IT to start. Some positions only require that you have the appropriate security clearance and be able to work with others; all the rest you can learn as you go. Since certain security clearance levels are hard to get and maintain, and expensive for a company to get for you, they have a lot of leeway for entry level information assurance jobs, and even high level IA jobs, depending on the security clearance level required.

Securely Provision entry level information assurance jobs

Information Assurance Compliance requires that you know government regulations 80% and have a 20% understanding of the technology you will apply them to. Although IA compliance should only be reserved for seasoned IT veterans, managers typically allow ANYONE in these positions because most IT professionals HATE doing compliance. (See DoD 8140 for more info.)

Operate & Maintain entry level information assurance jobs

Information Assurance Officer (Information System Security Officer) is a great entry level information assurance job. It gives immediate exposure to HOW information assurance is applied. Operate & Maintain also has tech support and basic system administration, which are great entry level information assurance jobs. (See DoD 8140 for more info.)

Certification for entry level information assurance jobs

As of this writing (2014) most entry level IA positions will require either a degree or experience, along with a CompTIA Security+ certification. Sometimes an organization will hire you with the understanding that you will get one. But that has become rare these days.

Uncategorized

security engineer

System Security Engineer is a critical job in the cyberspace workforce. As information technology has become a centerpiece of our lives, demand for IT security has grown more and more. A security engineer is expected to have enough of a working understanding of IT to strike a balance between operational functionality and the application of security controls. System Security Engineer (ISSE, CSSE, SSE, I/S Security Engineer) can actually mean anything, so you need to read the job description. But in this post I am referring to the SSE from the perspective of risk management and DIARMF. A risk management SSE needs to be savvy enough with the operational needs and the security needs to balance the risk. While a security engineer does not take risks on behalf of the organization they work for, they do advise the decision makers who take those risks. Many security engineers are not hands-on, meaning they might not touch the servers or configure routers, but they must know enough to orchestrate the overall security of the organization or system they are assigned to.

System Security Engineering Tasks

I have been in system security engineer positions where I did have hands-on tasks working directly with the system administrators, and I have had some where I rarely even saw the systems that I wrote system security plans for. System Security Engineers do consultation, working directly with information owners, project managers, information system security managers or technical security practitioners to come up with the most cost-effective strategy for applying security controls with a certain level of effort within a certain time constraint. A good security engineer understands all these factors and makes sure the decision makers are well informed. As an SSE the last thing you want to do is be a prima donna and attempt to put security beyond the scope of the operational mission. And don't be a hero: even if you really care about the mission you must ALWAYS remember the risk is not yours to bear, and neither is the decision of what security controls (if any) will be applied.

Tasks of a system security engineer

System security engineers produce system security related documentation such as system security plans, plans of action and milestones, security assessment reports and other supporting documentation. A day in the life of a system security engineer might consist of attending configuration management meetings, meeting with system administrators to address new challenges, writing authorization packages, coordinating with other units to complete an authorization package, reading the latest change to a regulation or organizational standard, WRITING an organizational standard, and in some cases actually doing security administration on some system.

CYBER System Security Engineer (CSSE)

With DoD 8140 and the cyber-ization of every goddamn thing! I believe the new term will be CYBER System Security Engineer (CSSE); in the past it was commonly referred to as an Information System Security Engineer (ISSE). As stated above, an SSE can be just about anything computer security related. I have been an SSE and done nothing but paperwork, but I have also been an SSE and done mostly installations of system security controls. My former co-worker just got a position as an Information System Security Engineer (ISSE) and he will be doing all ArcSight admin stuff.

Uncategorized

what is information assurance

WHAT IS INFORMATION ASSURANCE (IA)? Information Assurance is not just information security. Information Assurance is managing the risk associated with the confidentiality, integrity and availability of information. While IA is definitely INFORMATION SECURITY, it is a much more comprehensive approach to information security. Information assurance is the practice of assuring the confidentiality, integrity and availability of the processing, storing and/or transmission of data. Information assurance includes not only information security but also operational security, physical security and all other aspects of protecting the data. Other factors involved in providing information assurance include authenticity and non-repudiation.

Some standards cover the process of information assurance:

ISO/IEC 27001:2005, Information security management system (ISMS)
DoD Information Assurance Certification & Accreditation Process (DIACAP)
Defense Information Assurance Risk Management Framework (DIARMF)

Each branch of the US Armed Services covers Information Assurance in its own guide:

United States Air Force: Air Force Policy Directive 33-2, Information Assurance Program
United States Army: AR 25-2, Information Assurance
United States Department of the Navy: SECNAV M-5239.1, DON Information Assurance Program
Department of Homeland Security – Cybersecurity Assurance (not really a guide, but you get the idea)

All of this will change soon as each branch aligns itself with the DIARMF process/NIST Risk Management Framework.
