
Information assurance


NIST Releases New Federal Cloud Standards - Cloud Computing.

Patriot Day: 10 years later - Assurance in the Aether.

Two New Publications Provide a Cloud Computing Standards Roadmap and Reference Architecture. The National Institute of Standards and Technology (NIST) has published two new documents on cloud computing: the first edition of a cloud computing standards roadmap and a cloud computing reference architecture and taxonomy.

Together, the documents provide guidance to help understand cloud computing standards and the categories of cloud services that can be used government-wide. These documents, along with others from NIST and NIST working groups, will be incorporated into the NIST U.S. Government Cloud Computing Technology Roadmap, expected to be published in November 2011. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources, including servers, data storage, applications and services. The working group categorized these standards by features such as security, portability and interoperability, and identified models, studies and use cases relevant to cloud computing.

Passwords

Web security.

Plenty to Hide. June 7, 2012, by Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy and Technology Project, at 1:57pm. A commentator on my recent post about the DEA installing license plate scanners on the nation’s interstate highways asks, “If you aren't doing anything illegal why would you care if someone captures your license plate number?”

Another commentator countered: “If I'm not doing anything illegal, why do the police need to record my license plate number?” It’s a great response. But the original poster’s point is a frequent refrain: “Why should I care about surveillance if I have nothing to hide?” Here are the answers to this question that I have settled upon over time: Some people do have something to hide, but not something that the government ought to gain the power to reveal.

Insider Threats

Nessus FAQ.

If your whole life is in your phone, you'd better not lose it. "Trust in Allah, but tie up your camel," says an Arabic proverb. And that is exactly what I have started doing, hitching my smart phone - which has become as valuable as a camel in our modern days - to a clip I set up in each of my bags, to prevent it from getting lost again. Once was more than enough to push me into a different routine. Imagine this - and it could happen to anyone at any time: I was sitting at a very important meeting and when I saw the others there pull out their smart phones and place them on the table before our discussion started, I searched in my bag to do the same - and couldn't find my phone. It has become a common habit (a bad one, I may add): if someone reaches for his or her phone to check a message or email or whatever, we all do the same.

I wasn't even thinking about my BlackBerry until the VIP in the meeting checked his. After fumbling in my bag and making sure it was not there, I found that it was almost impossible to stay focused on the meeting.

Cryptography

Building For A Secure Future: Risk Assessment. Before a designer can recommend security measures for a facility, he or she must understand what people and property - the "assets" in security parlance - need to be protected. Usually this assessment is quite straightforward, but the task gets complicated when trying to predict where threats may come from.

This knowledge has a direct bearing on what kinds of damage the designer must attempt to mitigate. "You can't even do the simplest facility assessment until you know what the threats are. What's the point?" says Bill McCarthy, an associate architect with RTKL in Baltimore. The assortment of potential security problems facing any organization has always been limited only by the collective imaginations of its members.

PREDICTING THREATS

The range of difficulty involved in predicting threats against persons and property runs the gamut from the obvious to the impossible. What law enforcement can determine using crime figures alone is somewhat limited because they omit many factors.

What is the best starting point to embrace risk management? « InfoSecAlways.com. This is a topic that has generated a great deal of traffic on the LinkedIn “Governance, Risk and Compliance Management (GRC)” site.

If you are a member I recommend you read through the comments; if not, you should consider joining. This is a cross post, slightly modified, of my answer to this question, so forgive the double traffic if you are a member. I was shocked that no one had mentioned the size and financial ability of the company. So this addresses both small and large corporations, with and without money allocated to security. If the company is 300 people and has very little money then usually the starting point is convincing management why money needs to be directed towards an assessment versus actually doing something tangible. Therefore, obtaining management support through some shock and awe factor will help get buy-in, and then you can do a risk assessment.

Sarbanes–Oxley Act of 2002. The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.

These scandals cost investors billions of dollars when the share prices of affected companies collapsed, and shook public confidence in the US securities markets. The act was approved by the House by a vote of 423 in favor, 3 opposed, and 8 abstaining, and by the Senate with a vote of 99 in favor, 1 abstaining. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law." Debate continued as of 2007 over the perceived benefits and costs of SOX.

Risk Assessment: A Starting Point. Recently I was asked if I could provide a few pointers to help in developing a risk assessment process for an organization. I thought I would share my response. First, I would like to draw your attention to the mind map image over to the left of this text. The mind map represents a basic risk management methodology and is provided by Wikiversity. If you are unfamiliar with Wikiversity, it is an interesting project which is “devoted to learning resources and learning projects for all levels, types, and styles of education from pre-school to university, including professional training and informal learning.”

It is a very interesting project and I applaud their efforts.

Basic Terminology

A good starting point in developing a risk assessment process is NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” Risk assessment is the first process in the risk management methodology. NIST SP 800-30 contains information on risk assessment and management.

Framework Blogs.