Comments on TaoSecurity Blog: Certification & Accreditation Re-vitalization
Comment feed by Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417), last updated 2023-10-16. Eight comments, newest first.

Anonymous, 2006-09-03 03:32 -04:00

I wonder how companies like Google, Amazon.com or Bank of America do C&A... can't the IC learn from them?

I bet they don't create reams of docs that no one reads...

Anonymous, 2006-06-14 20:46 -04:00

C&As are good in that they help you assess your risks, point out areas where you may not have a plan, like COOP, and help you evaluate risk versus gain.

However, far too much time and effort is spent preparing 5+ pounds of paper that is rarely, if ever, read, while far too little time and effort is spent actually doing security.

In other words, they are kind of like many CISSPs: they can talk about security, but doing security is a whole 'nother matter. ;-)

Shirkdog (https://www.blogger.com/profile/11570146126536682558), 2006-06-12 11:07 -04:00

I was working in a department where all the C&A paperwork was completed, yet no one was watching the actual technology in the C&A. Great, you have IDS systems on the border routers, uh... are you watching them?? I was picking up root passwords over FTP and other fun things. :-)

A completed C&A is an approval to operate, but does not mean that your system is secure enough to never have its CIA compromised. C&A does not mean "Your entire security program is completed for 3 years".

Anonymous, 2006-06-12 09:59 -04:00

C&A is fine, but it's only part of the work. You can use a lack of C&A as something to blame when you have a security breach, but as Richard points out, detection and response are just as important to the success of your security program.

Anonymous, 2006-06-11 21:01 -04:00

As a (new) DoDIIS certifier, I think the C&A process is definitely needed, although it should be tweaked. The one thing you're missing is that anything related to intelligence is automatically assigned to the upper enclave. However, that doesn't mean that developers and sysadmins should be free to engage in poor security practices. The biggest problem that I've seen is with the ATOs, IATOs, etc. Groups would receive an IATO and continue to request a new IATO every year without having to go through the process to obtain an ATO (good for 3 years).

Anonymous, 2006-06-11 00:18 -04:00

The problem with C&As is that there doesn't seem to be one standard to work towards. However, we should fix it (yes, I know this is near impossible), not throw the baby out with the bathwater.

I've been on the receiving end of C&As for the past 5-6 years now, and all of our systems/networks are much more secure because of them. Among the myriad of items that are looked at, intrusion prevention is one of them. If someone else's C&A didn't include looking at intrusion prevention, see my first sentence.

The other issue I see with C&As is that a lot of folks on the receiving end associate C&As with a visit from the IRS. They should learn to work *with* the accreditation folks, and not against them. Yes, I know this is sometimes impossible because of manpower issues, but you know what, securing your systems/networks has to be done.

My two cents.

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2006-06-09 16:46 -04:00

Tim, are you serious? By intrusion I mean a compromise of CIA. So if C&A isn't supposed to prevent a compromise of CIA, then why bother with those items you cite? Neat blog (http://iainsidethebeltway.typepad.com/) by the way.

Anonymous, 2006-06-09 16:43 -04:00

The point of a C&A process is not to prevent intrusions. Properly executed, a C&A process will ensure that you have assessed your risk, measured your compliance with your own policies and, most of all, have someone of authority stand up and take ownership for the security of the system.

Conceptually, the idea of certification and accreditation does make for better security. The execution of the C&A process, so far, has not been all that effective. At least with the forum, they are trying to enlist better ways to do it.