Sunday, April 29, 2007


I'm moving along with the lecture notes for my class. I've got some more detail on the NIST FISMA criteria. It looks like a perfectly decent security standard on the surface. You start by categorizing your information systems, determine the security controls, document these controls, assess the effectiveness of the controls, lather, rinse and repeat. FISMA gets a lot of criticism, especially on the SANS mailing list, for being an ineffective paperwork drill. This may well be true, but if an agency has absolutely nothing in place, I imagine FISMA would at least provide a framework for future improvements.

I'm also looking at the NSA IAM/IEM process. I was certified in the IAM via SecurityHorizon. It is very puzzling that this process is so minimally documented in any public domain sites or documents. If you do a Google (tm) search on "NSA IAM", the first hits are all training organizations offering certification prep. A security certification methodology so heavily endorsed by the premier Federal government security agency should at least have a standards document available.

I finally (after many months) received permission to reproduce the PCI documents in my course reader. Unfortunately the reader went to UCLA previously. There is no chance of including the printed versions of the PCI standards, at least this go-around.

If you are interested in my class, check out UCLA Extension's Web site. I wish they would allow deep linking to a single class, but I am not their Webmaster.