May 2011
Thanks to our Silver-Level Corporate Patron
Need Your Own Copy of The Risk Communicator?
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2011 SARMA All Rights Reserved
Privacy Policy
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Dear Fellow SARMA Members,
Welcome to the beginning of summer and the May issue of The Risk Communicator. For the fortunate among us, the warm weather provides an opportunity to fire up the grill, hit the links or relax by the pool. Unfortunately, for others, it's a time to recover from the damage caused by spring floods and strong storms.
In addition to record floods throughout the Mississippi River watershed, a series of devastating storms has spawned hundreds of tornadoes across the Midwest, Deep South and Mid-Atlantic. These tragedies remind us that practicing sound risk management is also critical at the personal level. As we've seen, local resources can often be overwhelmed by large-scale disasters, while state and federal assistance can take time to arrive. In this regard, having enough food and water for at least three days, along with basic first aid supplies, cash and other necessities, can make a difference. The Federal Emergency Management Agency (FEMA) provides excellent planning guidance for individuals and families to follow in this regard.
However, as we have seen, the enormity of some events may still overwhelm even the best-prepared. The devastating tornado that recently struck Joplin, Missouri is an example of this. In such cases, assistance beyond what can be offered by government can be critical. For those interested in assisting the victims of the Joplin tornado, the Missouri Department of Public Safety provides links to established organizations assisting with the disaster-relief and long-term recovery efforts there.
Turning to another subject, many of you will recall that I wrote about several important milestones in the maturation of the nation's approach to managing risk in last month's issue of TRC. The recent release of Risk Management Fundamentals by the U.S. Department of Homeland Security (DHS) marks another step in this progression. According to its preamble, this document is intended to establish the Department's overarching risk management doctrine, and in so doing, promote a common understanding of risk management for homeland security, enable consistent risk management application and training, and support development of a risk management culture across DHS. This is the first concrete step towards implementing DHS Directive 007-03, which established a department-wide policy for Integrated Risk Management (IRM) earlier this year. This also continues a positive trend towards elevating risk management as a core component of our national approach to homeland security.
Other developments underscore some of the challenges that remain. For example, the budget deal for Fiscal Year 2011 produced significant reductions to the overall funding available for grants that go towards enhancing domestic preparedness at the state and local levels (and for certain infrastructure like transit systems and ports). At the same time, the Congressional oversight committees continue to question the impact these programs are having. Finally, in adjusting the programs to accommodate this year's cuts, DHS reduced by more than half the number of cities receiving direct support. Most of these were small- to medium-sized cities -- the very cities that documents found in Osama bin Laden's compound suggest were desirable targets.
All of this raises the question: what is the basis for decision-making relative to these programs? I'm not suggesting that risk data alone will address this question, or that our larger cities should not receive a preponderance of the funding. However, there is currently no process for establishing baseline risk, a precursor to understanding the delta between current and required capabilities, or a means of measuring the impact of the billions already invested in buying down that risk. Without this, my fear is that decisions will continue to be made in the years to come that lack an important data point -- all at a time when the pressure will continue to grow to find additional cuts.
Finally, as many of you know, SARMA accomplishes its mission through a variety of means: by providing a forum for collaboration across government, business and academia; by serving as a source for the professional development of those in the field; and by acting as a focal point for industry and government engagement in national policy and strategy development. However, our ability to carry out these vital activities depends on both continuing individual membership dues and the generosity of our corporate patrons. In that regard, I would like to take a moment to acknowledge several firms that have recently contributed their support to these endeavors:
- Visual Risk Technologies, Inc.
I know you all join me in saying a heartfelt thanks to our newest partners, and as always, thanks for letting me share my thoughts.
My best,
Kerry
Kerry L. Thomas, President
Events
SARMA 5th Annual Conference Update
The speaker agenda is coming together nicely for our 5th Annual Conference, to be held from the morning of Tuesday September 13 through midday on Thursday September 15, 2011 in Arlington, Virginia. If you are interested in presenting or in being part of a panel discussion and haven't already filled out our Speaker Application Form, please do so today! Details can be found below. Our co-host for the event will be the George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS). This year's conference will take place at Founders Hall (see photo right), a beautiful new facility on GMU's Arlington campus. Our conference theme is Security Risk 10 Years After 9/11: How Far Have We Come and What Lies Ahead? We will take a retrospective look back at what we have -- or have not -- learned and accomplished over the past decade, and delve into what's in store for the risk profession in the coming years. Specific subject areas will include the following:
- Community Risk
- Critical Infrastructure Risk
- Cybersecurity Risk
- Public Policy for Risk Management
- Risk Education and Training
- Risk Management Standards
- Security Risk Methodologies and Practices
We expect to have approximately 60 expert speakers over the two-and-a-half-day conference, and there's still time to suggest ideas for individual presentations and panel discussions. If you or someone you know specializes in a particular subject that addresses some aspect of our broad theme, please download and fill out our Speaker Application Form (which can be found on the SARMA website here), and email it to the conference planning team at conference@sarma.org as soon as possible. Don't miss your opportunity to present at this exceptional forum for collaboration, information-sharing and networking, and to meet and interact with a wide array of practitioners from federal, state and local governments, private industry and academia. We look forward to hearing your ideas, and hope to see you at the annual conference in September.
Call for Participation: The Tenth Workshop on Economics of Information Security (WEIS 2011)
The Workshop on the Economics of Information Security (WEIS), to be held June 14-15, 2011 in Fairfax, Virginia, is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. The workshop is sponsored by George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS). Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense. This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. Questions addressed at past WEIS events include:
- How should information risk be modeled given the constraints of rare incidence and high interdependence?
- How do individuals' and organizations' perceptions of privacy and security color their decision making?
- How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders?
CIP/HS encourages economists, computer scientists, government officials, business school researchers, legal scholars, policymakers, security and privacy specialists, as well as industry experts to attend the workshop. More details on the workshop can be found here. Registration is open to the public, but space is limited!
Call for Participation: Workshop on Cybersecurity Incentives (WoCI 2011)
CIP/HS is also sponsoring the Workshop on Cybersecurity Incentives (WoCI 2011), to be held June 16, 2011 in Fairfax, Virginia. The workshop will discuss the history, present, and future of societal mechanisms and institutional designs that leverage incentives to bring an acceptable balance between security and other priorities in cyberspace. The agenda will focus on illustrating cyberspace as an ecosystem of actors and discuss their roles and responsibilities, and the dynamics of their interaction and interconnectivity. Scholarship in law, economics and other fields within the behavioral sciences informs stakeholders about how markets, incentives and legal rules affect each other and sheds light on determinations of liability and responsibility. This is considered essential to achieving efficient accountability and a sound public-private order in cyberspace. Considerations of what is technologically possible and feasible will be included. Ongoing debate and research in this area will be presented in practical terms, allowing participants to immediately realize implementable options for governing cybersecurity at the enterprise and national levels. The workshop will be composed of presentations and panel discussions covering the legal, economic and technological facets of the topics presented. For more information, please visit the workshop website.
Careers
Help Wanted: Labor Dept. Questionnaire on Security Occupations
Research Triangle Institute (RTI), on behalf of the U.S. Department of Labor, is soliciting your expert input as it researches two security-related occupations for the Occupational Information Network, or O*NET, the nation's primary source of occupational information.
O*NET is gathering this information for a national database that is being used by millions of employers, workers, educators and students across the country. This database provides information about the skills, abilities, activities, and work context for about 900 occupations nationwide.
O*NET is asking SARMA and its members to provide current and essential information about Security Managers. This is a worthwhile endeavor that will help the general public understand the responsibilities of the occupations. By completing and returning the O*NET questionnaires, you will contribute to a key resource, providing our nation's citizens with continuously updated occupational information. Responses from experts such as yourself will be combined to define the skills, knowledge and other aspects of work in your field.
O*NET is currently researching the knowledge required, the way the work is performed, and typical work settings for the following two occupations:
- Security Managers: (O*NET SOC # 11-9199.57) Direct an organization's security functions, including physical security and safety of employees, facilities, and assets.
- Security Management Specialists: (O*NET SOC # 13-1199.52) Conduct security assessments for organizations, and design security systems and processes. May specialize in areas such as physical security, personnel security, and information security. May work in fields such as health care, banking, gaming, security engineering, or manufacturing.
Do you have at least five years' experience in either one of these categories? Are you still active in the occupation, including teaching, training or supervising?
If so, please email or call Traci Davis at the O*NET Operations Center at RTI (tdavis@onet.rti.org or 877-233-7348, ext. 109) and provide the following information:
- Which occupation describes your experience best: Security Manager or Security Management Specialist?
- Years of experience with the occupation
- Your area of focus, sub-specialty or industry
Ms. Davis will respond with more specific information about the project. The information experts provide about the occupation will be combined with responses from other professionals from across the country and will become the government reference for the work on the O*NET website. Contact information submitted by experts will be kept confidential. More information about O*NET can be found here.
SARMA encourages you to participate in this important project!
Research
Risk and Resilience: A Briefing by the Homeland Security Studies and Analysis Institute
"Risk and Resilience: Exploring the Relationship", a new report by the Homeland Security Studies and Analysis Institute (HSI) on behalf of the Department of Homeland Security, was recently released in final form after much anticipation. HSI Fellow Jerome Kahan, leader of the team that produced the report, provided the following briefing:
Homeland security risk analysis has been a central element of policy and planning to make the nation safer. In both government and non-government realms, however, the concept of resilience has steadily emerged as another key element of homeland security. Yet risk and resilience have tended to be treated as independent elements of homeland security with little if any linkages between them.
Given this situation, the Homeland Security Studies and Analysis Institute (HSI) undertook an exploration of the relationship between risk and resilience, based on the hypothesis that there is indeed such a relationship. The analytic approach was designed to discover the nature of the relationship between these concepts, and to demonstrate the potential utility of these findings to homeland security policy makers and planners.
Results of the team's research and analysis include: producing a set of consolidated definitions for resilience for the infrastructure, organizations, communities and ecosystems domains; formulating a series of resilience features that apply to a broad range of systems across the four domains; developing a model that generates a resilience profile for visually characterizing a given system's performance against a specified adverse event; establishing a qualitative framework for correlating risk and resilience; and devising a proof of concept method for quantitatively relating risk and resilience.
More generally, the team concluded that the relationship between risk and resilience could be taken one step further by forging their respective policies, precepts and programs into an integrated homeland security strategy. Such a strategy could exploit the synergies between risk and resilience, which generally speaking are inversely reinforcing, while preserving their unique elements and fundamental purposes.
Analysis
Continuous Monitoring: Risk Management the Right Way
by Bruce Brody
For the past decade, the Federal Information Security Management Act (FISMA) was the process by which federal departments and agencies were required to assess the risk to their information systems, put controls in place to manage the risk, and authorize those systems to operate in a risk-based, cost-effective manner. Unfortunately, the actual implementation of FISMA devolved into a static, paper-based compliance process; billions of dollars were expended on notebooks of paper that constituted certification and accreditation (C&A) packages, and those notebooks sat on shelves for three years until the process began all over again. Nearly a decade of FISMA -- the legislation, its oversight and its implementation -- did very little to improve security among executive-branch agencies. Instead, the culture of paper-based compliance drills, checklists and scorecards enriched the vendor community and generated executive bonuses, but the security of our federal networks and systems did not appreciably improve.
Thankfully, both Congress and the executive branch now understand the shortcomings of FISMA and have begun the process of transitioning to continuous monitoring of security controls. At least that's their intention. But what exactly is continuous monitoring?
We first caught a glimpse of the new concept in one of the earliest of many bills over the past two years, drafted by Delaware Sen. Tom Carper's staff on the Senate Homeland Security and Governmental Affairs Committee. It contained the first attempt at a legal definition for continuous monitoring: "The term 'automated and continuous monitoring' means monitoring at a frequency and sufficiency such that the data exchange requires little to no human involvement and is not interrupted" (S. 3480 in the 111th Congress and S. 413 in the 112th Congress).
The Office of Management and Budget (OMB) followed, anticipating the new legislation by issuing the reporting requirements that would begin the transition away from the paper-based compliance and meaningless scorecards that characterized the former FISMA process. The new OMB reporting requirements were presented in OMB Memorandum M-10-15, signed on April 21, 2010: "Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way."
As agencies scratched their collective heads to figure out continuous monitoring, the Department of Homeland Security (DHS) followed with its Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) Reference Architecture Report, which came out in September 2010. DHS decided to examine the programs already emerging at the Departments of State and Justice and the Internal Revenue Service. While these programs are good starts, they are not yet fully realized continuous monitoring programs. Even more unfortunately, CAESARS did not consider the most mature and robust of the federal continuous monitoring programs: that of the House of Representatives. While it may be difficult to appreciate why the House has the best current example of continuous monitoring in government, one of the obvious reasons, other than a deep understanding of real security, is that the House, as part of the legislative branch, is exempt from the distractions and resource drains of the FISMA albatross.
Then followed NIST Special Publication 800-137, released in draft in December 2010 and in its public comment period until March 2011. It defined information security continuous monitoring as: "...maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk decisions." Thanks to NIST, we now have an acknowledgement that continuous monitoring is all about effective risk management.
But let's take stock of where we stand in the midst of all of these activities: Congress has not yet passed a FISMA Reform bill, so a legal definition of continuous monitoring does not yet exist, and no two of the other definitions of continuous monitoring precisely match. DHS's review of existing continuous monitoring programs failed to take into account the only one really doing it right. And if you were to ask every agency today what they are doing in continuous monitoring, the miraculous answer is that they are all doing it! But then, they all claimed to be secure in the FISMA process, so most of them are merely FISMA-izing continuous monitoring. What's missing is something practical that can be implemented within a large federal enterprise.
At the heart of the FISMA Reform movement that started all of this progress are three very important concepts that, if they can be implemented correctly by federal departments and agencies, will significantly improve the status of information security throughout the federal enterprise. To put it simply, agencies will be required to put in place risk-based security controls and perform continuous monitoring of these controls against measures of effectiveness.
Continuous monitoring against measures of effectiveness is a whole new challenge for almost every department and agency. Measures of effectiveness require an assessment that the security controls are not just in place but are operating effectively. No longer can an agency check to see if one-third of its controls every year are merely in place. From now on, all controls, at all times, are to be in place and operating effectively in the context of the risk profile of the department or agency. This requirement will be a huge leap from where most departments and agencies are today. It will also require a complete reassessment of the agency's workforce, skill sets, contractor support and overall security posture.
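As an added illustration of the distinction drawn above between a control that is merely in place and one that is operating effectively, the following Python models a minimal automated scoring loop of the kind a continuous-monitoring dashboard would run. This is example code written for this page; it is not from the article, from NIST SP 800-137, from the CAESARS architecture or from any agency's program. The control names, the thresholds, the weights, the sensor feed format and the sample hosts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Fixed clock so the example is deterministic; a live feed would use the current time.
NOW = datetime(2011, 5, 20, 12, 0)

# Measures of effectiveness. These thresholds and weights are assumptions made for
# this example; they are not taken from NIST SP 800-137, CAESARS or any agency.
MAX_SIGNATURE_AGE = timedelta(days=3)   # AV signatures older than this are stale
MAX_SCAN_AGE = timedelta(days=7)        # scan data older than this is treated as unknown
WEIGHTS = {"antivirus": 5, "patching": 10, "scanning": 3}


@dataclass
class Asset:
    """One host as reported by automated sensors (hypothetical feed format)."""
    name: str
    av_installed: bool
    av_signature_date: Optional[datetime]      # None = agent reports no signatures
    missing_critical_patches: Optional[int]    # None = no vulnerability scan on record
    last_scan: Optional[datetime]


def evaluate(asset: Asset, now: datetime = NOW) -> Dict[str, Tuple[bool, bool]]:
    """Return {control: (in_place, operating_effectively)} for one asset.

    'in_place' is what a presence checklist records; 'operating_effectively' is the
    measure of effectiveness. Stale sensor data counts as ineffective: a control we
    cannot currently observe is not known to be working.
    """
    scan_fresh = asset.last_scan is not None and now - asset.last_scan <= MAX_SCAN_AGE
    av_effective = (asset.av_installed
                    and asset.av_signature_date is not None
                    and now - asset.av_signature_date <= MAX_SIGNATURE_AGE)
    patch_effective = scan_fresh and asset.missing_critical_patches == 0
    return {
        "antivirus": (asset.av_installed, av_effective),
        "patching": (asset.missing_critical_patches is not None, patch_effective),
        "scanning": (asset.last_scan is not None, scan_fresh),
    }


def risk_score(asset: Asset, now: datetime = NOW) -> int:
    """Weighted count of controls not operating effectively; 0 means all effective."""
    return sum(WEIGHTS[c] for c, (_, eff) in evaluate(asset, now).items() if not eff)


def enterprise_score(assets: List[Asset], now: datetime = NOW) -> int:
    """Aggregate score a dashboard would track from one collection cycle to the next."""
    return sum(risk_score(a, now) for a in assets)


def in_place_but_ineffective(assets: List[Asset], now: datetime = NOW) -> List[str]:
    """Assets that pass a presence-only checklist yet fail an effectiveness measure."""
    flagged = []
    for a in assets:
        results = evaluate(a, now)
        if all(p for p, _ in results.values()) and not all(e for _, e in results.values()):
            flagged.append(a.name)
    return flagged


# Constructed sample feed (not real data).
SAMPLE = [
    Asset("web-01", True, NOW - timedelta(days=1), 0, NOW - timedelta(days=2)),
    Asset("db-02", True, NOW - timedelta(days=30), 0, NOW - timedelta(days=1)),     # stale AV signatures
    Asset("file-03", True, NOW - timedelta(days=1), 2, NOW - timedelta(days=1)),    # unpatched criticals
    Asset("legacy-04", True, NOW - timedelta(days=1), 0, NOW - timedelta(days=20)), # scan too old to trust
    Asset("kiosk-05", False, None, None, None),                                     # nothing in place
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.name:10} score={risk_score(a):3}  {evaluate(a)}")
    print("enterprise score:", enterprise_score(SAMPLE))
    print("in place but not effective:", in_place_but_ineffective(SAMPLE))
```

The point of the example is the middle three hosts: every control a checklist asks about is present on them, so a periodic C&A review would pass them, yet each fails a measure of effectiveness and contributes to the score. Treating stale or missing sensor data as a failure rather than as "unknown" is a deliberate design choice: the score then rises on its own when collection breaks, which is the behaviour you want from a process meant to run with little human involvement.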
Yet to be exposed in all of this will be the agencies who previously misrepresented their security posture with absurd or meaningless metrics, or failed to verify adequately the false reporting of subordinate components, or a myriad of other disingenuous activities that were allowed to exist under the previous FISMA processes. The real power of the continuous monitoring process is its focus on the true security posture of the enterprise, with little human involvement to tamper with the results. That shift alone is a good thing. In the end, federal information security is all about protecting our nation's systems and networks from those who wish to do them harm. Risk-based continuous monitoring against measures of effectiveness will go much farther than FISMA in achieving this noble goal. This time, let's get it right.
Bruce Brody is the former Chief Information Security Officer at the Departments of Energy and Veterans Affairs. He is currently an executive in the information security industry supporting the federal market.
Key Reports
White House: International Strategy for Cyberspace
A new report from the White House lays out the administration's cyberspace strategy and notes, among others things, that the nation "will act on well-developed response plans to isolate and mitigate disruption to our machines, limiting effects on our networks, and potential cascade effects beyond them."
Get the report
DHS: Risk Management Fundamentals
A new report from DHS is intended to serve as "an authoritative" and "capstone document" regarding "the principles and process of homeland security risk management and what they mean to homeland security planning and execution."
Get the report
START: Al Qaeda Terrorist Attacks by Year
The National Consortium for the Study of Terrorism and Responses to Terrorism provides a helpful review of the timing, frequency and location of Al Qaeda attacks worldwide.
Get the report
HSPI: Interim Task Force Report on Resilience
A new report from the Homeland Security Policy Institute at George Washington University notes that "without aligning the definitions and frameworks in a manner that will motivate more tangible behaviors and actions, resiliency will remain an abstract concept reserved for policy directives and academic papers."
Get the report