ConvoCourses

Cyber Security Compliance and IT Jobs

assess

Do I teach Security Control Assessor (SCA) activity?

by Leave a Comment

In this video, we talk about whether I teach security control assessor (SCA) activities. As of 3/2/2021, I don’t have a comprehensive teaching on security control assessor work. I do cover the assessment portion of the NIST 800-37 risk management process, but I don’t teach if from the perspective of a security control assessor like you would expect to see from a deep SCA course. I currently do risk assessments so, I could teach some aspect of being a security control assessor as it relates to risk management framework.

risk assessment methods

by Leave a Comment

Risk assessment methods are covered in NIST SP 800-30, Risk Management and NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.

NIST SP 800-30 covers a high level view framework of risk assessment methods.  As you see in the Risk Assessment Methodology Flowchart.

risk assessment method
risk assessment method

More details on each step in the Risk Assessment method Flow chart.. Its an important aspect of Risk Management as a whole so its talked about over and over on this site.

NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, is are the tasks for assessing security controls so it is an important part of risk assessment methods.  You have to know the characteristics of the system (step one of the NIST 800-30, Risk Assessment methods) to do information security testing and assessment.

Information security testing in 800-115 uses 3 types of assessment methods to analyze the effectiveness on security controls (Step 4 of Risk Assessment Method flow chart) and possibly identify vulnerabilities (Step 3):

testing, examination, and interviewing

Testing = process of exercising one or more assessment objects under specific conditions to compare actual and expected behaviors.

Examination = process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.

Interviewing = the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.

–NIST SP 800-115

 

diarmf-assess

by Leave a Comment

What is a DIARMF assessment?

diarmf-assess

DIARMF assessment
DIARMF assessment

After DIARMF Step 3, Implement, the security controls must be assessed.  Assess a security control means to check it to see if it has been implemented to protect the system as it is suspected.  

To minimize risk that comes with vulnerabilities being exploited the organization cannot just assume that someone has implemented the security controls.  The organization cannot take an engineers or technicians or administrators or ANYONEs word for it that the security controls are implemented correctly.  

If you are familiar with DIACAP, Phase 3, Implement and Validate Controls then DIARMF Step 4 should be familiar because validating controls is the same as assessing controls.

Types of Assessments

Taken from Public Page DoD Compliance Inspections (MORE HERE):

There are actually several types of compliance inspections (assessments) your organization can be subject to.  

  • Command Cyber Readiness Inspection (CCRI) – A formal inspection conducted under the direction of USCYBERCOM’s Enhanced Inspection Program.

  • Security Assistance Visits (SAVs) – A process by which DISA FSO personnel will conduct an on-site assessment and validation of compliance with mandated IA, CND, certification and accreditation (C&A), or other focus areas either as a standalone effort or in preparation for a scheduled inspection or evaluation.

  • CNDSP Level II Inspections – CNDSP evaluations are an on-site evaluation and validation of compliance with mandated CND Service requirements as outlined in DoD O-8530.1 and DoDI O-8530.2.

  • CNDSP Level II Designation Assessments – CNDSP validations are a review and validation of alignment to an accredited CNDSP. A formal recommendation is provided upon completion of the on-site evaluation.

  • IA Readiness Reviews (IARRs) – A formal review in 12 IA areas to determine a site’s current IA program status and provide formal recommendations for improvements in areas where deficiencies or non-compliance are discovered.

  • Enclave and System Certification – Can provide on-site technical assessments and certifications recommendations to a Designated Approving Authority (DAA) in support of enclave accreditation, coalition enclave or systems.

  • Combatant Command (COCOM) exercise support – DISA provides critical exercise support for the COCOMs in various theater and global exercises. This support can come from a variety of areas and include CND technology Subject Matter Experts (SMEs), CND Integrators, and CND analysts.

FUCK The CCRI?

I used to teach the DIACAP and DIARMF and everyone I met was stressed out about CCRI.. listen.. Fuck the CCRI!  AND here is why: the DoD and other federal organizations are constantly coming up with new names and new types of audits.  But the concept remains the same.  Risk = Threat * Vulnerability * Asset.

I am NOT SAYING don’t do your job.  I am saying do your job to the greatest of your ability.  And I am saying it will not help to stress about stuff you cannot change.  Do what is within your power to do.

Auditors are assessing controls to see if they have been implemented to their standard.  If your organization is informed of the risks and willing to document, take responsibility and take action then any new audit by new organizations will find you knowledge and prepared like Spartans.  Know their rules well enough that you can answer all questions and set their standard by knowing your systems risks intimately.  How can you be stressed if you have done all you can do?  What good will it do to stress out about stuff you cannot control?  You cannot control how the auditor will perceive your security.  But you can control how prepared you are and how informed your organization is of all risks that have been found.

Usually if you are straight up with the Assessors, they will give lots of leeway.  If you start lying and try to sweep known risks under the rug then they may find it and offer 0 leniency and go straight to your commander to humiliate you and question your integrity and skills.  You can lose your job and/or respec.

Who is involved with the DIARMF Assessment?

Assessment of the security controls involves all interested parties, all stakeholders:  Information system security officer & administrators who may have applied the security controls, the Information system owners who put forth the orders to conduct the security controls, the system engineers who want to make sure the system still works while security controls are implemented, and of course those conducting the security control assessments.   

All of these entities have a singular goal of security the system to minimize the risk while maintaining functionality.  The DIARMF assessment step is where this is to occur.

Ultimately its the responsibility of the Information System Owner.  It is his or her responsibility to know is supposed to be done, delegate someone or some group to get the system prepared, fund the outside organization to do it and see the process through.  Usually, they hire a Information Security professional or have some sort of system security officer that runs the operations of planning, implementation, assessment, getting the system authorized and continuous monitoring.  

Assessment Readiness Inspection

A very prepared and successful unit will do their OWN internal assessments and know all the systems shortcoming more intimately than any hacker or outside organization.  to be prepared they should do pentesting, continuous scans of the network and a robust change management program.

  • The organization that wants to prepare will have a budget and schedule and a plan for the assessments (internal and external).  They will do the following to make sure the system is ready:

  • Make sure security policies are in place.  The policies should be approved by the system owner in writing or signed and address the security controls.

  • Choose an approved Security Control Assessor.  In the DoD they are called Auditors.  You should establish communication with them.  Be honest, upfront, and professional.  Give them as much information as they need to make their visit smooth with ZERO surprises

    • Establish who, what, when, where and how of their visit

    • Provide them with all policies, SSP, POA&M, SAR

  • Know the scope of the assessment (are they only looking at code, process, the network or everything)

  • Notify all stakeholders.  The information system owner should already know, but in some cases they are too busy to stay in the loop on intimate details.. they should know about this.  Or they could get blind sided.\

  • Conduct a strict SELF assessment prior to any outside organization coming in.. I cannot stress this enough. So few organization take the time to do this