Past Ponderings

Miss something? Want to read it again? Want to make sure you skip it?

Let’s take a minute and talk about risk mitigation today. Specifically, Reduction, one of the four types of Risk Mitigation techniques (avoidance, reduction, transference, and acceptance).

Let’s take a few minutes and discuss something near and dear to all of our hearts. Auditing. If you just cringed like a vampire being tossed a tanning light, you’re not alone. What I’d like to take some time to discuss is how having an audit policy can make your audit review a little less cringe-worthy.

The past few days I have been looking at cyber hygiene and noticed something. While everyone seems to be talking about it, no one is talking about the same thing. Everyone has a different opinion of what you should do for cyber hygiene, a different checklist, and even a different set of services they offer to do it for you. If you Google cyber hygiene you will get everything from 11 Rules to Three Steps, and maybe even 10 Tips. So, this seemed the perfect topic for some pontification fuel.

Why do we keep screwing this up?

Here’s the thing. Regardless of what ATO methodology you are trying to execute (I say it that way based on a webinar I sat through recently; folks are trying to repackage the RMF process under different names, thinking they are solving problems in a novel way to make a buck), there comes a point where you hit big ol’ Step 6, Monitoring. We’re all bad at it.

For those of you just joining us, the two lenses are “Why do we do what we do” and “You should receive a benefit from every requirement in the JSIG.” Let’s pick a couple of logs to talk about today with those two lenses in mind. The requirements are pretty straightforward, cut and dried.

Take charge of the tools that you use to manage your network. Do not be mastered by them. Never trust your tools. Understand what they are telling you.

Johnny Grant, the CSD Deputy Director, takes a moment to share his pontifications on what he sees as the biggest challenges to the community.

RAR! Unleash the beast and make your Risk Assessment Reports the Lion King, not the Tiger King.

If you made it this far, you made it to the beginning, which is appropriate. A Cyber Security program is only as good as your ability to inspect yourself.