FISMA should be applied worldwide, not just in the U.S.!

From: NoPasara

Alex Sverdlov

I often discuss the issues of applying practical information security standards with people from the Eastern European infosec community – the common understanding is, here in Europe and probably in Asia, Africa, Australia – we are lagging behind the United States in the development of best practices for information security.

As it turns out, nobody outside the States has taken the initiative to create the absolute best information security practices and make them public (that last part is very important).

Luckily, we don’t have to invent the wheel – we have FISMA (http://csrc.nist.gov/groups/SMA/fisma/index.html), which takes care of Risk Management, Security Categorization, Security Controls, Security Assessment, Authorization and Monitoring, Security Configuration Settings, Industrial Control System Security and Compliance.

Information Security Officers often face the question: “What should I do now?” – after passing a few audits (with passing or failing scores), establishing some security best practices, your daily tasks may overwhelm you. Not having a clear goal, you can lose that passion, the desire to polish your company’s information security practices to their absolute best.

Well, here is a goal for you – why not establish the FISMA best practices at your organization? It does not matter how many books on information security you have read or where your degree is from – you will never know or read more than the collective knowledge employed in the creation of FISMA. Therefore, it is a really good idea to use something which had so many resources put into it and is given to you for FREE!

Set a goal – one FISMA practice (such as Risk Management or Security Assessment) every 6 months. In 2-3 years you will have covered them all, since some practices will not require the full 6 months to implement.

When you start reading through the materials, you will often notice they have been created with Federal Agencies in mind, following the U.S. standards of naming roles within government entities and organizations – which is confusing initially. It is a good idea to ignore these roles and naming conventions and focus on the minimum security standards and best practices they have created.

What the creators of FISMA call “minimum”, in fact, is a really ambitious goal for most organizations and companies worldwide! Just establishing FIPS-199 or FIPS-200 at your company will be a major effort (if you are not in the U.S. and you have never tried following such strict guidelines) – and yet again, these are minimum security requirements!

You can also use the FedRAMP program (http://www.gsa.gov/portal/category/102371) and the NSA Security Configuration Guides – just try going one step at a time. It will help you get to your destination with less stress and better results.

Here at NOPASARA, we have chosen the path of using the best standards and practices with the goal of securing our clients. Compared to other Managed Security Services providers, who run automated tools to scan your environment and then use the same tools to produce an expensive report, we do the slow and effective work of establishing Information Security Best Practices.

Alex Sverdlov is the founder of NoPasara and the author of numerous Information Security research papers and articles published in CIO and other InfoSec magazines. Certifications: CASP (CompTIA Advanced Security Practitioner), CEH (Certified Ethical Hacker), CHFI (Computer Hacking Forensic Investigator), MCSE (Microsoft Certified Systems Engineer).
