Friday, July 08, 2005

Request for Comments on NSA IAM and NSA IEM

Does anyone have experience with NSA's Infosec Assessment Methodology and Infosec Evaluation Methodology? Through my local ISSA chapter, I've signed up to take courses on both programs for a combined price less than that offered for the IAM alone at another venue. Being a consultant in the DC metro area, I believe I am going to hear NSA IAM and IEM mentioned more frequently. Any thoughts?


Ali said...

So far the only time I've heard of the IAM has been from consultants. Given that I work in a DoD world much of the time, this leads me to believe one of two things:

- That the IAM is too new so not many people have heard of it.

- That the IAM is too process oriented and documented and therefore completely against the religion of most fledgling security organizations (like the BS7799-2 / ISO 24743).

The DCMA seems to be paying attention to standards and processes more lately. So does Export Control. So I suspect you'll see more interest in IAM and associated friends over the next eighteen months.

In the mean-time you can use it as a differentiating factor on some of your gigs if the customer seems interested in that sort of thing. Cheers, -Ali

Anonymous said...

This reminds me of the times when I had to help a company (Engineering and Manufacturing Depts.) do their ISO900x certificatiion - total BS, with the exception of the marketing hipe, allowing them to advertise their products as "ISO900x compliant". This, in the US automotive industry, at that time (and more so in the present), was equivalent to "look how certified we are, while the Germans and Japanese kick our a**-es in real life products" ... the security area of IT is moving in the same direction :(

Anonymous said...

i studied the iam when it was taught by nsa staff directly. it's a high-level overview of an approach to infosec assessment. it's a good foundation for a beginning security professional because it teaches you to develop a hierarchical risk assessment, but it's inappropriate for anyone with more than a year of experience in the field. the credential itself doesn't infer competency, and because there isn't a strict methodology, you can't be sure that an assessment done by one iam-trained person will be similar to an assessment done by another iam-trained person.

but take my advice with caution: i also believe the cissp is a very over-rated credential (i have a cissp as well, but don't publicize that fact.)

Russ Rogers said...

As a standard disclosure, I should say right now that I'm with Security Horizon and hold a CRADA with NSA to teach the NSA courses.

With that said, let me start by saying the NSA IAM and IEM are intended to get people on the same sheet of music when it comes to performing assessments and evaluations. It intentionally leaves some room for flexibility in the processes. But the foundational areas are always the same. Part of the issue is that, as a customer, I can call 100 different firms that specialize in providing information security assessments, evaluations, audits, analysis; whatever you want to call it. And the sad truth of the matter is that I will likely get 100 different answers as to what one of these is comprised of, what's covered, and what the customer can expect to get back.

The IAM is a vulnerability assessment methodology, NOT a risk assessment or threat assessment. Granted, we HAVE to cover risk in the course, but the key focus areas are based on the identification of vulnerabilities? Why did NSA do that?

If we consider the modern definition of RISK as it applies to information security, you'll see that there are three main areas of which RISK is comprised: Threats, Impact (also known as asset value), and Vulnerabilities. If you think of this as a triangle with RISK being in the center and the three sides are these three things I've just mentioned, you can see that RISK is now an "area" within the triangle.

How do we limit our RISK most effectively? Can we change the Threats to our organization? Probably not... not really. What about the Impact, or the asset value? By changing this, we have to change our core business. The only side of the triangle we have direct control of is the Vulnerability side. By limiting our POTENTIAL vulnerabilities, we can decrease the area of RISK within the triangle.

Whew! That was a long answer to a short question. My point here really is that we all need to be doing the same core things so that the customer can understand what we're doing. NSA is working closely with Ron Ross at NIST to ensure we're hitting those requirements; and in some of the newer 800 series of documents you'll actually see the NSA methodologies mentioned.

As for how "hot" the methodologies are.. well, that depends on who you are. We've seen several requirements in RFPs from the Federal and Private sectors over the last 18 months for these methodologies. And yes, if you look at the NSA methodologies and if they're performed according to the requirements, results from one IAM should be similar to the results from another. The real key here is something that no one CAN teach... the expertise of the person doing the work. We can build a great methodology, but in the hands of a dolt, it's still going to be a case of "Garbage in / Garbage out".

Just my 2 cents. I'll be happy to take questions.

Richard Bejtlich said...


Thanks a lot for your insights. It's nice to see someone define the risk equation and its components properly! I think I will blog a link to your comments for the benefit of those who may consider this post "closed."