1. Addressing Cyber Fundamentals

How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?

Endorse existing ideas by voting for them. YOU MUST BE LOGGED ON TO VOTE.

1. Addressing Cyber Fundamentals

Cybersecurity is everyone’s responsibility

Although the OPM breach has been the major source of cybersecurity discussion the past few months, it is certainly not the only issue that needs to be addressed. During the panel discussion at the NACo Summit we also covered topics like the White House Cybersecurity Sprint and how to better protect systems and data for long-term security. If you are not familiar with the 30-day White House Cybersecurity sprint, it is... more »

Voting

6 votes
Public Input

1. Addressing Cyber Fundamentals

Director

Currently agencies self assess their cybersecurity posture. OMB should create a assessment standard and have an independent assessment board of government and industry SME's assess each agency, via a framework such as the one used for FEDRAMP.

Voting

4 votes
Public Input

1. Addressing Cyber Fundamentals

Need for New Standard other than AES-256

The Cybersecurity landscape involves multiple iterations of systems based on the AES256 Standard. This standard is easily breached making stopping intruders at the gate an impossible proposition. the Government and Private Industry needs to put more muscle behind the research, funding, test and deployment of a true "One Time Pad" standard for protecting filaes at rest and in transmission.

Voting

3 votes
Public Input

1. Addressing Cyber Fundamentals

Fundamentals of Security and Privacy start w/Risk Mitigation

Security/Privacy Protection Controls consistency is critical to mitigating organizational risk. Risk mitigation begins at the highest level of an organization. It is a combination of three key things—governance, accountability, and culture. Implementing an organizational governance process will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. A benchmarked... more »

Voting

3 votes
Public Input

1. Addressing Cyber Fundamentals

1) How do we move from inconsistent security/privacy protection

This is the difference between thinking tactically and thinking strategically. If you are thinking tactically, your to-do list is endless. There is always one more control to install, one more security practice to implement. There is no way to prioritize the workload or to measure your improvement. Security practitioners sprint from task to task putting out fires, never taking the time to build a program that can absorb... more »

Voting

3 votes
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations

Part 1 - Security Risk Management (Regular print are supported ITAPS recommendations in response to questions, italics are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) 1. Addressing Cyber Fundamentals How do we move from inconsistent security/privacy protection control approaches to solid fundamentals... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations, part 2

Governance and Accountability: Establish an outcome-focused Governance Framework that covers all aspects of the enterprise, resulting in effective direction-setting, decision-making, oversight, transparency, and accountability. For example, fully execute and enforce the Federal Information Security Management Act (FISMA) as contemplated in the authorizing legislation and seek legislative reform where necessary. Escalate... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations, part 3

People and Organizations: Make information security a core part of organizational culture, ensuring greater awareness and better computing practices. For example, information security training should be mandatory for all government employees and contractors and information security performance should be an item in performance reviews. Optimize enterprise and workforce planning to leverage consolidation in security... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations, part 4

Finance and Procurement: Organizational procurement programs should have clearly defined and communicated priorities, accompanied by clear direction to procurement agents on the procedures to acquire technology consistent with those priorities, resulting in a consistent, predictable, and agile acquisition approach that will result in more secure technology deployments. For example, the Director of the Office of Management... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

We know what's wrong, but do we know what to fix?

Leadership is on the right track when it asks why people and organizations don't do what they're supposed to do. Lessons observed (what we know) aren't converted enough into lessons learned (what we do) to prevent familiar security lapses. This is true of ALL organizations, not just government, and always boils down to one thing: Behavior. Doing the right thing the right way, or not, is about behavior whether you're... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Restrictive Deterrence

The National Consortium for the Study of Terrorism and Responses to Terrorism (START) placed warning banners on compromised systems to better understand how a hacker responds to such a message. The study found that the banners reduced commands from hackers by 8 percent. START, a Homeland Security Department-funded program through the University of Maryland, examined a type of cyber defense called restrictive deterrence.... more »

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Security Self Audit Checklist (SuperSIG)

Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be risk profile based for each agency. Addresses the problem of just having this done by auditors (GAO/IG) or consultants. Keeps attention and resource needed to close weaknesses and vulnerabilities.

Note: FCC is example.

Voting

2 votes
Public Input

1. Addressing Cyber Fundamentals

Cyber Investment Board (SuperSIG)

Use Cyber Investment Management Boards (DOD example) where cyber projects are presented, defended, and measured against outcome based performance measures for funding. Helps get cybersecurity accountability as a shared responsibility across senior leadership of the organization and to understand costs and risk benefits.

Voting

2 votes
Public Input