Request for Comments on NSA IAM and NSA IEM
Does anyone have experience with NSA's Infosec Assessment Methodology and Infosec Evaluation Methodology? Through my local ISSA chapter, I've signed up to take courses on both programs for a combined price less than that offered for the IAM alone at another venue. Being a consultant in the DC metro area, I believe I am going to hear NSA IAM and IEM mentioned more frequently. Any thoughts?
Comments
- That the IAM is too new so not many people have heard of it.
- That the IAM is too process oriented and documented and therefore completely against the religion of most fledgling security organizations (like the BS7799-2 / ISO 24743).
The DCMA seems to be paying attention to standards and processes more lately. So does Export Control. So I suspect you'll see more interest in IAM and associated friends over the next eighteen months.
In the meantime you can use it as a differentiating factor on some of your gigs if the customer seems interested in that sort of thing. Cheers, -Ali
But take my advice with caution: I also believe the CISSP is a very over-rated credential (I have a CISSP as well, but don't publicize that fact).
With that said, let me start by saying the NSA IAM and IEM are intended to get people on the same sheet of music when it comes to performing assessments and evaluations. They intentionally leave some room for flexibility in the processes, but the foundational areas are always the same. Part of the issue is that, as a customer, I can call 100 different firms that specialize in providing information security assessments, evaluations, audits, analysis; whatever you want to call it. And the sad truth of the matter is that I will likely get 100 different answers as to what one of these is comprised of, what's covered, and what the customer can expect to get back.
The IAM is a vulnerability assessment methodology, NOT a risk assessment or threat assessment. Granted, we HAVE to cover risk in the course, but the key focus areas are based on the identification of vulnerabilities. Why did NSA do that?
If we consider the modern definition of RISK as it applies to information security, you'll see that there are three main areas of which RISK is comprised: Threats, Impact (also known as asset value), and Vulnerabilities. If you think of this as a triangle with RISK being in the center and the three sides are these three things I've just mentioned, you can see that RISK is now an "area" within the triangle.
How do we limit our RISK most effectively? Can we change the Threats to our organization? Probably not... not really. What about the Impact, or the asset value? By changing this, we have to change our core business. The only side of the triangle we have direct control of is the Vulnerability side. By limiting our POTENTIAL vulnerabilities, we can decrease the area of RISK within the triangle.
Whew! That was a long answer to a short question. My point here really is that we all need to be doing the same core things so that the customer can understand what we're doing. NSA is working closely with Ron Ross at NIST to ensure we're hitting those requirements; and in some of the newer 800 series of documents you'll actually see the NSA methodologies mentioned.
As for how "hot" the methodologies are... well, that depends on who you are. We've seen several requirements in RFPs from the Federal and Private sectors over the last 18 months for these methodologies. And yes, if you look at the NSA methodologies and if they're performed according to the requirements, results from one IAM should be similar to the results from another. The real key here is something that no one CAN teach... the expertise of the person doing the work. We can build a great methodology, but in the hands of a dolt, it's still going to be a case of "Garbage in / Garbage out".
Just my 2 cents. I'll be happy to take questions.
Thanks a lot for your insights. It's nice to see someone define the risk equation and its components properly! I think I will blog a link to your comments for the benefit of those who may consider this post "closed."