Network Case Study

I work for an independent radio station in Central Vermont, which due to the mountainous terrain could only be heard from select cities surrounding Montpelier. In fact, one of the few places our frequencies could actually be picked up is in Northfield, where Norwich's brick and mortar campus is located. For many years, we operated …

Security Assessment Report

A Security Assessment Report (SAR) is a detailed aggregation of information that includes technical specifications and other basic identifying information pertaining to the system, system owner, and control assessor, as well as the surrounding information environment and details about the timing and scope of the current assessment. Security Assessment Reports are considered pivotal in …

Risk Management v. Security

According to Jones, information security is the Boolean possibility of an incident occurring, but risk is the probable frequency and magnitude of future loss. In regards to risk management, security has no meaning. The only relevant question is: what are the odds that I'll lose? There are many questions to consider when estimating probability. For …

Risk Management Framework

Important aspects to monitor in the cyclical process of the risk management framework include: Monitoring key updates: monitoring your update schedule can establish a timeline for system events and mark progress, performance improvements, or problems. System updates are not the only thing that should be continuously monitored. Updates also include refreshing assessments or policy …

Risk Based Accreditation

Why did the federal government move from a compliance-based accreditation and certification process to more of a risk-based process, and what impact has that had on cyber security in all three sectors: agency, defense, and intelligence? Risk-based accreditation could be considered the lesser of two evils. While no system can provide complete …

Cyber Security Policy

What relevant additions would you make to cyber security policy, and what is your reasoning? The first addition I would like to make to cyber security policy would be decreasing the amount of time it takes to instill policy change. Defense acquisition is a slow procedure, and when creating new tools or programs for cyber security, …

Continuous Monitoring

Although continuous monitoring is a step found later in the Risk Management process, please expound on why developing the monitoring strategy here would assist in the later steps of both the SDLC and the RMF. "Continuous monitoring enables information security professionals and others to see a continuous stream of near real-time snapshots of the state …

Contingency Plan

A contingency plan is a backup plan in case of emergency; a continuity of operations plan is the protocol to continue business operations in case of permanent damage to the premises. If a contingency plan is throwing down a jacket and grabbing a fire extinguisher before you open the window, a continuity plan would be …

Compliance and Accreditation

Compliance and accreditation imply the ability to provide security for everything. In preparing a rubric for emergency response, compliance, and accreditation, there are generally two schools of thought: risk-based planning and vulnerability-based planning. According to the CNSS, a "Vulnerability Assessment" is the systematic examination of an information system or product to determine the …