Security Postures Interview Q&A

Q: Why should we care about what our security posture is?
A: The short answer is liability and risk management. Companies that are taking an active risk management approach will reduce the likelihood of failure to meet regulatory compliance. Knowing what your security posture is can assist management in effectively assigning resources to achieve business and security goals.

Q: I’m looking at working with the federal government; what should I read?
A: The Federal Information Security Management Act of 2002 (FISMA) and the related documents that are discussed in the FISMA document.

Q: My company currently supports the DITSCAP process. Why was that not covered in this chapter?
A: DITSCAP has been superseded by DIACAP. The transition process is fully explained on the DITSCAP Web site (go to http://iase.disa.mil and click DIACAP).

Q: Can you use more security objectives than confidentiality, integrity, and availability?
A: Yes, but doing so is customer specific. Some customers may want authentication or nonrepudiation. Authentication is the process of determining whether someone or something is who or what he, she, or it claims to be. Nonrepudiation is the ability to ensure that the sender of a communication cannot deny the authenticity of his or her signature on a document or the sending of a message that he or she originated. Which other security objectives are used depends on the customer.

Q: How does a risk assessment differ from a self-assessment?
A: Risk assessments are normally conducted by an independent group that cannot be influenced by organizational politics. Self-assessments can be any of the assessments discussed in this chapter but are conducted by internal staffing.

Q: What is the validity of PDD-63? I was under the impression that PDD-63 expired when President Clinton left office.
A: That is correct. PDD-63 expired when Clinton left office, but President G. W. Bush signed PDD-1 as an interim stopgap measure to prevent the intent of PDD-63 from dying. The current authority for Critical Infrastructure Protection is HSPD-7.

Q: Can I use something like the DISA IAVA system instead of CVE?
A: Yes, the requirement is to use an industry standard. IAVA is a DOD industry standard, whereas CVE is a security industry standard. It is important to pick the appropriate standard for your customer and stick with it.

Q: If CVEs comprise a dictionary of vulnerabilities and ICAT is a database of vulnerabilities, which should I use?
A: We recommend that you use ICAT. ICAT provides much more information than CVE and includes all the CVEs.

Q: Why is it important to provide a justification discussion for every finding?
A: The discussion portion of every finding is important to ensure that management has enough information to make good risk-management decisions. Consider that a report is delivered 30 days after the conclusion of the assessment. Management may not have time to begin remediation for another week or two after that. What is the chance that the managers will remember what you told them in the out-briefing? They probably won't remember exactly what you explained and will have to rely on their favorite administrator to fill in the gaps. If the administrator does not want to do the remediation for a particular finding, he or she will try to sway management's opinion. So you need to provide enough information in the report itself for management to make good risk-management decisions.

Q: I have never seen the IPR before. Is it truly useful?
A: Yes. At the end of the out-briefing, the customer wants to know how his or her company is doing. For years, the answer has always come as a personal opinion on the assessor’s part. The IPR shows how the customer is doing without much opinion playing a part.