This month's issue of the ISSA Journal is now available online and features peer-reviewed articles on:
If you would like to receive your Journal electronically, just log in to the ISSA website and update your member profile.
By Chad Andersen - ISSA member, Northern Virginia, USA Chapter
With the NIST framework, the decision to implement selected security controls is structured and based on the risk tolerance and mission objectives of the organization.
Federal information systems are required to comply with Public Law 107-347, better known as The Federal Information Security Management Act (FISMA) of 2002. As a part of this law, information systems must ensure adequate security to protect government assets and information. FISMA delegates the development of the security standards to the National Institute of Standards and Technology (NIST). NIST has in turn developed a number of security standards and guidance related to FISMA, including NIST Special Publication (SP) 800-53 Recommended Security Controls for Federal Information Systems.
While NIST SP 800-53 is required for federal (unclassified) information systems, NIST encourages its use outside of the federal space as well. Non-federal government and commercial organizations can utilize the NIST framework to formalize their security program, analyze risk, and make informed decisions for securing their information, assets, and services.
Information system categorization
Determining how much security is enough is a daunting task and is often filled with guesswork. However, with the NIST framework, the decision to implement selected security controls is structured and based on the risk tolerance and mission objectives of the organization.
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, requires all unclassified federal information systems to determine the security categorization of the information system. NIST provides a comprehensive framework for determining the security categorization using FIPS 199 in conjunction with SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. SP 800-60 defines a set of common information types and the impact of loss, corruption, or disclosure of the information based on the government's mission. The FIPS 199 categorization is assigned an impact level (High, Moderate, or Low) for each of the three categories - confidentiality, integrity, and availability (C-I-A). While individual impacts are identified for C-I-A, the overall information system categorization is determined as the highest of the three impacts. The FIPS 199 categorization is then used to select the initial baseline of security controls using SP 800-53.
Non-federal/commercial system owners may choose to utilize the information types and impacts as defined in SP 800-60 or they may identify their unique information types and impacts based on their missions and risk tolerance. The categorization of the non-federal/commercial system may be more difficult since information types and impact of loss are not always fully documented within an organization or may drastically change based on the executive in charge at the time of the assessment. It is the security professional's responsibility to assist with the categorization of the information and arbitrate among the stakeholders to come to a consensus.
It is important to separate the impact categorization from the implementation of security controls. Information system owners tend to worry about the financial cost of implementing additional security controls and base the categorization on the available funding. While the implementation of controls is related to the categorization of the system, having the budget drive the categorization will only serve to de-value the information and mission of the system. A distorted security categorization will result in underestimating the risk of operating the information system, expose the organization to unknown risk, and likely result in continuing to under-fund the security controls for years to come. It is better to identify the organizational impact of the system correctly and build the security controls around that determination.
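A worked example of the FIPS 199 high-water-mark categorization described above, added here and not part of the original article: it aggregates constructed SP 800-60-style information types into system-level C-I-A impacts, derives the overall categorization that selects the initial SP 800-53 baseline, and flags any impact lowered below its provisional level so that a downgrade must be justified by mission rationale rather than by available budget. The information types and impact values are constructed placeholders, not the official SP 800-60 provisional levels.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Constructed sample inventory for a hypothetical system: information type ->
# provisional (confidentiality, integrity, availability) impacts. Illustrative
# values only, not the official SP 800-60 provisional levels.
PROVISIONAL = {
    "public web content": (Impact.LOW, Impact.MODERATE, Impact.LOW),
    "personnel records":  (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment processing": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}

def categorize(info_types):
    """System-level C-I-A impacts: for each objective, the maximum impact
    across all information types the system stores or processes."""
    cia = {"C": Impact.LOW, "I": Impact.LOW, "A": Impact.LOW}
    for levels in info_types.values():
        for objective, level in zip("CIA", levels):
            cia[objective] = max(cia[objective], level)
    return cia

def high_water_mark(cia):
    """Overall FIPS 199 categorization: the highest of the three impacts,
    which selects the initial SP 800-53 baseline (Low, Moderate or High)."""
    return max(cia.values())

def unjustified_downgrades(provisional, adjusted):
    """List every objective lowered below its provisional level; each entry
    needs a documented mission rationale before the adjustment is accepted."""
    findings = []
    for name, levels in provisional.items():
        for objective, before, after in zip("CIA", levels, adjusted.get(name, levels)):
            if after < before:
                findings.append((name, objective, before.name, after.name))
    return findings

if __name__ == "__main__":
    cia = categorize(PROVISIONAL)
    print({k: v.name for k, v in cia.items()}, "->", high_water_mark(cia).name)
    # A budget-driven rewrite that quietly drops payment integrity to LOW
    cheaper = {**PROVISIONAL, "payment processing": (Impact.MODERATE, Impact.LOW, Impact.MODERATE)}
    print(high_water_mark(categorize(cheaper)).name, unjustified_downgrades(PROVISIONAL, cheaper))
```

Because the overall categorization is the highest single impact, lowering one objective on one information type can drop the whole system from the High to the Moderate baseline, which is exactly why such adjustments need an explicit rationale.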
If you have not already cast your ballot, vote now for the volunteer leaders who best represent your vision for meeting the professional needs of ISSA members. This year you are electing the chief financial officer, chief operating officer, vice president and four directors.
Credentials were delivered by email to eligible voters from election@issa.org on June 22. If you did not receive credentials, please check your spam folder. If your credentials were not diverted to your spam folder, contact Elections Support or call 1 866 349 5818 within the US, +1 206 388 4584 (international), extension 103, to speak with Dana Paulino.
As in past elections, your credentials were sent from the vendor's server to ensure the confidentiality of your unique username and password. The email appears to come from election@issa.org because it was felt a message from VoteNet would not be recognized and voter credentials would be deleted. So while the sender looks to be election@issa.org, it is actually from votenet@jangomail.com.
To ensure that you receive important announcements during the election, please be sure to whitelist issa.org if you have not already done so and the servers listed at http://www.jangomail.com/senders.asp.
General, CISO Executive, Corporate Organizational, Government Organizational and Lifetime members in good standing as of June 21, 2009 are eligible to vote. Students and temporary members of any kind are not voting members.
Before final submission of the ballot, you will have an opportunity to review your selections and print a receipt. The receipt will include a unique confirmation number, which should be kept confidential. Candidate biographies and the goals they wish to achieve as members of the ISSA Board of Directors can be accessed from the ballot and are also available on our website for your review. All ballots must be received by midnight US Pacific time on July 19 (7:00 a.m. GMT on July 20).
July 14, 2009
Title: Non Repudiation of Data: Maintaining the Integrity of Data and Information
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time.
Length of Web Conference: 2 Hours
Web Conference Overview:
Share the combined expertise of the ISSA membership by attending the July 2009 ISSA Web Conference. Join your fellow members in listening to experts discuss trends, best practices, and real-world examples of non-repudiation law, and how the integrity of data and information is maintained through technology and electronic transaction authentication.
Presentations Include:
Thank you to Websense for their generous support of the July ISSA Web Conference
Standards are an integral part of our world. They provide a common, comprehensive framework for defining the security, integrity, availability, governance, and compliance requirements demanded of organizations and their information systems. As such, it is important for security professionals to be aware of current standards, how they are formulated, and how to apply them.
An upcoming issue of the ISSA Journal will be devoted to all aspects of standards. To make that issue as meaningful as possible, we would like to hear from those of you in the trenches who must work with standards on a daily basis. We are interested in formal standards at the national and international level, private industry standards such as PCI, and how to apply and use guidelines such as the U.S. NIST 800 series.
Please submit your articles or questions to editor@issa.org. Our publishing guidelines may be found on the ISSA website in the Journal section.
September 21-24, 2009
Anaheim, CA
ISSA has collaborated with ASIS International to provide members with an extended depth of security expertise. As part of this on-going partnership, ISSA is sponsoring a high-quality information security track at the ASIS International 55th Annual Seminars & Exhibits. We hope that you take advantage of this exceptional educational and networking opportunity, available to ISSA members at the ASIS member price (discount applied at checkout).
ASIS 2009 covers the full spectrum of security—all vertical industries, government and private sector, around the globe. As the world’s leading security event, ASIS pays dividends immediately—and the payoff continues throughout the year. You’ll be armed with—and energized by—the latest knowledge, technology, and strategies to deal with today’s challenges. Details at: www.asisonline.org/ASIS2009
A photo history is being planned for ISSA's 25th Anniversary Celebration in Anaheim, California, USA on Sunday, September 20. The planning committee would like to showcase your chapter photos and logos.
We would love to have a group photo of your chapter members. Also of particular interest are pictures from your more casual, networking or just plain silly events such as golf tournaments, cruises, picnics - anything that will stimulate conversation and humor. Digital photos are preferred, but if you have older photos you would be willing to lend, we will scan and return the originals to you.
Share your memorable moments with us. What is the most significant experience or most meaningful achievement you have had as a member of ISSA and why was it important to you?
Send your photos, memorable moments and logos to Dana Paulino. ISSA's 25th Anniversary Celebration will precede the ASIS International 55th Annual Seminar and Exhibits where ISSA will be sponsoring an information security track. ISSA members may attend the ASIS conference at the ASIS member price.
If you would like to receive the ISSA Journal in electronic format you can now opt-in to this new alternative by updating your ISSA member profile. Those who prefer the hard copy will continue to receive their usual copy unless they opt-in to e-delivery.