Sep 30

GAO: Agencies Need to Correct Weaknesses and Fully Implement Security Programs

From: GAO-15-714 | FEDERAL INFORMATION SECURITY: Agencies Need to Correct Weaknesses and Fully Implement Security Programs

***

Fewer Agencies Are Periodically Testing and Continuously Monitoring Controls

***

Although OMB reported overall increases in the 24 agencies’ continuous monitoring of controls (from 81 percent in fiscal year 2013 to 92 percent in fiscal year 2014), inspectors general reported that fewer agencies had continuously monitored controls for their systems. For example, for fiscal year 2014, 12 inspectors general stated that their agency had ensured information security controls were being monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting a security impact analysis of the associated changes, and reporting the security state of the system to designated organizational officials. This is a decrease from fiscal year 2013, when 14 agencies had monitored security controls on an ongoing basis.

Sep 28

Nearly One In Three Federal Agencies Lost Data To Insider Threats In The Last Year

From: Business Solutions

By Christine Kern, contributing writer

According to a new study from MeriTalk, 45 percent of all federal agencies were targeted by insider threats, with 29 percent losing data to an insider incident over the past year. The report, Inside Job: The Federal Insider Threat Report, underwritten by Symantec, also found that although 76 percent of federal agencies are increasing attention on combating insider threats compared to a year ago, nearly half still suffered from an insider attack.

***

Sep 28

Sidebar: Avoid these six SIEM pitfalls

From: IT World Canada

Howard Solomon

Security information and event management (SIEM) suites can be valuable when implemented and configured right — and security teams are trained to make the best use of them. Still, failures and stalled deployments are common. Gartner analyst Oliver Rochford offers these pitfalls and how not to fall into them:

Failing to plan before buying

Although SIEM solutions share a common capability and feature set (for example, they are all competent at log management), third-party technology support, workflow and deployment architectures do vary widely. As a consequence, buyers often select the “best” solution based on high-level criteria such as fancy features, resulting in a mismatch of requirements when it comes to implementation. Instead, CISOs should follow a formalized planning approach.

Sep 22

$135M in CDM Contracts Awarded, Bringing Effort to 97 Percent of Civilian Agencies

From: SIGNAL/AFCEA

By Sandra Jontz

The U.S. government’s effort to provide a common baseline of cybersecurity tools across civilian agencies now is available to 97 percent of the departments—a milestone hit after the Department of Homeland Security (DHS), through the General Services Administration, awarded three orders under the Continuous Diagnostics and Mitigation (CDM) program. The orders now bring the number of federal agencies using the tools and services to shore up cyber vulnerabilities to 17.

The orders were awarded to Booz Allen Hamilton for $82 million, Northrop Grumman for $32 million and Hewlett Packard Enterprise Services for $21 million.


Sep 21

TAP issues SCADA and fibre optic cable contract notices

From: Trend News Agency

By Aygun Badalova – Trend:

Trans Adriatic Pipeline AG (TAP) launched pre-qualification contracts for the supply and delivery of the Supervisory Control and Data Acquisition (SCADA) system and fibre optic cable, TAP reported on September 21.

These are the final large package contracts to be awarded by TAP for project construction as company provided items.

The scope of work is intended to cover:

– Engineering, procurement and installation of SCADA, telecommunications and security systems. The SCADA system will provide integrated and centralised continuous monitoring and control along the entire 878-kilometre gas transportation system with all data being transmitted back to the supervisory control center in the Pipeline Receiving Terminal (PRT) in southern Italy, overseeing the pipeline’s safe and sustainable operations.

Sep 21

IGs, IT executives to experience a FISMA détente

From: FederalNewsRadio.com 1500 AM

By Jason Miller

There always has been healthy tension between auditors and operators. After what seemed a thaw between inspectors general and IT executives over the last few years, a recent event highlighted the continued friction between the two parties in how agencies protect federal data and networks.

***

Jim Quinn, the lead system engineer for the Department of Homeland Security’s continuous diagnostics and mitigation (CDM) program, said too often IGs rely on checklists to determine whether or not agencies complied with the policy and law requirements.


Sep 17

PSC says draft guidance aimed at improving cybersecurity in federal acquisitions fails

From: FierceGovernmentIT

By

An industry group that represents several hundred government contractors wrote senior Obama administration officials to say that recently issued draft guidance covering cybersecurity in federal acquisitions falls far short of improving meaningful protection.

***

However, PSC’s letter points out that the draft “fails to provide meaningful standardized and uniform guidance” to agencies and contractors in the five areas – security controls, cyber incident reporting, information system security assessments, continuous monitoring and business due diligence.


Sep 11

DHS: Here’s Why Agencies Should Not Try to Boot Hackers by Themselves

From: Nextgov

By Aliya Sternstein

Agency IT administrators should leave hackers in their systems until outside investigators are called in. All federal data centers should be shuttered.

***

So, agencies should outsource information for safekeeping to cloud companies certified under FedRAMP, Spires said. The Federal Risk and Authorization Management Program, as the process is officially called, is a series of inspections and monitoring procedures vendors must undergo on a continuous basis to sell their goods to government.


Sep 03

Department of Defense Comments on Draft SP 800-137

On March 11, 2011, CRE filed a FOIA request with NIST seeking the public comments on their initial public draft of SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.” NIST referred CRE’s request to the originating agencies. The Department of Defense’s response is attached below.

FOIA_Levinson

Sep 03

Comparing the best SIEM systems on the market

From: TechTarget

Expert Karen Scarfone examines the best SIEM products on the market to help you determine which one is right for your organization.

by Karen Scarfone

***

The products studied for this article are: AlienVault Open Source SIEM (OSSIM), EMC RSA Security Analytics, HP ArcSight Enterprise Security Manager (ESM), IBM Security QRadar SIEM, LogRhythm Security Intelligence Platform, McAfee Enterprise Security Manager, SolarWinds Log & Event Manager and Splunk Enterprise.

Each of these products has been evaluated against a set of seven criteria using information gathered from publicly available sources. The criteria are: