Jacob Horne’s Post

New podcast is up: set phasers to "NFO" edition. Remember that "class deviation" for DFARS clause 252.204-7012? 𝗧𝗵𝗲 𝗴𝗼𝗼𝗱 𝗻𝗲𝘄𝘀: NIST SP 800-171 revision 2 is the requirement for the next several years. 𝗧𝗵𝗲 𝗯𝗮𝗱 𝗻𝗲𝘄𝘀: NIST SP 800-171 revision 2 is the requirement for the next several years. You see while 171r2 is a smaller set of requirements compared to 171r3, it's only smaller because of several questionable and often deeply unhelpful tailoring decisions that allowed the authors to make the document arbitrarily small. This week we dive into the bizarre underbelly of "NFO" controls - cybersecurity requirements that are "𝗲𝘅𝗽𝗲𝗰𝘁𝗲𝗱 𝘁𝗼 𝗯𝗲 𝗿𝗼𝘂𝘁𝗶𝗻𝗲𝗹𝘆 𝘀𝗮𝘁𝗶𝘀𝗳𝗶𝗲𝗱 𝘄𝗶𝘁𝗵𝗼𝘂𝘁 𝘀𝗽𝗲𝗰𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻" with several examples: - “-1 controls” - Training Records - Independent Assessments - External Connections - Configuration Management - Incident Response Plan - The SA Family Episode links are in the comments 👇 Like ❤️ and subscribe 🔔

From Dan Walsh: The #GRC team will have to evolve from a team where it's mainly audit focused, compliance focused, and security awareness or human risk management focused into one that is comfortable talking about a critical vulnerability in a certain repo or in a certain product with a, either a developer or software supplier. And understanding what the risks are of that, and how we mitigate those risks. Think about how we score vulnerabilities from the #CVE all the way down to the #CVS and how we rescore it because we're given additional context into the environment. That is also the exercise that should be happening now in vulnerability management programs across security programs. and it will have to continue to happen as software transparency, SBOM, the software supply chain evolves in this way. 🎙️ Free access to “daBOM” on your favorite podcast platforms: https://lnkd.in/eKGe2BRV 📌 VillageMD #sbom #devsecops #ciso #grc “Practical use of SBOM from a CISO in Healthcare” Listen to the full episode with #CISO Dan Walsh and DJ Schleen. dabom.show/dan-walsh 📌

NIST has launched four self-paced online introductory courses covering the following Special Publications: - SP 800-37 RMF Introductory Course - SP 800-53 Security and Privacy Controls Course - SP 800-53A Assessing Security and Privacy Controls Course - SP 800-53B Control Baselines Course I decided to take one of the courses, and I chose the RMF course to gain the “NIST” perspective on the framework they developed. It was highly informative, enhancing my prior knowledge of NIST 800-37. My opinion on the course: Pros: - The course dives deeper than expected for an introductory level, lasting about 3 hours. - It provides a thorough breakdown of each RMF step and explains how other NIST documents integrate into the framework. - The course clarifies the tasks listed for each step, complementing my existing knowledge of NIST 800-37. Cons: - The language used in the course is somewhat complex for an introductory level. For those new to the Risk Management Framework, the terminology might be challenging. - The course references many NIST documents, which could be confusing for individuals not already familiar with them. - You have to fill your own name in on the certificate of completion Overall: The course is excellent for refreshing and obtaining the “NIST” perspective. However, I recommend that true beginners also explore other resources that break down the RMF in simpler terms. Here are the links to the courses: ✅ NIST SP 800-37 - Risk Management Framework (RMF) Introductory Course: https://lnkd.in/eG5MzSuG ✅ NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations: https://lnkd.in/eNAWZDap ✅ NIST SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations: https://lnkd.in/eakkQRgf ✅ NIST SP 800-53B, Control Baselines for Information Systems and Organizations: https://lnkd.in/eUB3-GR9 #NIST #InfoSec #RMF #InformationSecurity #ContinuousLearning #RenderATL

Plenty of useful information packed into Summit 7's SummitUp Podcast this week, a particularly solid piece from Jacob Horne is a deep dive on the genesis and composition of the "Policy" requirement that has been on the In and Out NIST Burger menu all along. To level set and unify in language, Horne wisely points to NIST SP 800-12 from the Paleolithic period of formalized, regulated governance. Also important to note is how modern NIST SPs 800-171 and 53 (and their assessment 'a' counterparts) mandate event driven and less than annually Organizational Defined Parameter (ODP) specified cadence of review and refresh of said policies(see below). At the peril of abusing the well-abused parlance of "left-of-boom", this is very much a regulatory boom organizations would be wise to get to the left of as soon and as proactively as possible. Auditors will feast upon organizations that fail to do so in the nearer-than-you-think future. One other note, resources like this podcast featuring Horne and Jason Sproesser are out there, FOR FREE! This is the golden age of excellent cybersecurity podcasts, I hope folks at all levels of the ecosystem are partaking of these great contributions to rise all cyber boats. Section 2.5 - Information Security Policy Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information. In making these decisions, managers face difficult decisions with regard to resource allocation, competing objectives, and organizational strategy, all of which relate to protecting technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can affect policy, with the scope of the policy’s applicability varying according to the scope of the manager’s authority https://lnkd.in/e27_Wsa3

As usual, a lot of useful information packed into Summit 7's SummitUp Podcast this week, a particularly solid piece from Jacob Horne is a deep dive on the genesis and composition of the "Policy" requirement that has been on the In and Out NIST Burger menu all along. To level set and unify in language, Horne wisely points to NIST SP 800-12 from the Paleolithic period of formalized, regulated governance. Also important to note is how modern NIST SPs 800-171 and 53 (and their assessment 'a' counterparts) mandate event driven and less than annually Organizational Defined Parameter (ODP) specified cadence of review and refresh of said policies(see below). At the peril of abusing the well-abused parlance of "left-of-boom", this is very much a regulatory boom organizations would be wise to get to the left of as soon and as proactively as possible. Auditors will feast upon organizations that fail to do so in the nearer-than-you-think future. One other note, resources like this podcast featuring Horne and Jason Sproesser are out there, FOR FREE! This is the golden age of excellent cybersecurity podcasts, I hope folks at all levels of the ecosystem are partaking of these great contributions to rise all cyber boats. Section 2.5 - Information Security Policy Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information. In making these decisions, managers face difficult decisions with regard to resource allocation, competing objectives, and organizational strategy, all of which relate to protecting technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can affect policy, with the scope of the policy’s applicability varying according to the scope of the manager’s authority https://lnkd.in/ecNXaets

This is going to be a must if you are a defense contractor. Whether you choose us to be your NIST assessor or whether you choose someone else, you have to set your scope effectively. Robert McVay will walk through the steps of how to reach this goal.

Check out my the second podcast I did with Chaleit's Ankit Prateek, and Dan Haagman on The Art of Systematic Security Assurance (Part 2): Bridging Gaps Through Shared Responsibility. I always love chatting with these guys. The biggest problem is keeping the conversation short. Get a little bit more insight as to how Chaleit and I work together to find a better way of doing security assurance, and get insight into my approach https://lnkd.in/eeEpj2-m #security #pentest #penetrationtesting #ciso

NIST has launched four self-paced online introductory courses covering the following Special Publications: - SP 800-37 RMF Introductory Course -SP 800-53 Security and Privacy Controls Course - SP 800-53A Assessing Security and Privacy Controls Course - SP 800-53B Control Baselines Course I decided to take one of the courses, and I chose the RMF course to gain the "NIST" perspective on the framework they developed. It was highly informative, enhancing my prior knowledge of NIST 800-37. My opinion on the course: Pros: -The course dives deeper than expected for an introductory level, lasting about 3 hours. - It provides a thorough breakdown of each RMF step and explains how other NIST documents integrate into the framework. - The course clarifies the tasks listed for each step, complementing my existing knowledge of NIST 800-37. Cons: - The language used in the course is somewhat complex for an introductory level. For those new to the Risk Management Framework, the terminology might be challenging. - The course references many NIST documents, which could be confusing for individuals not already familiar with them. - You have to fill your own name in on the certificate of completion Overall: The course is excellent for refreshing and obtaining the "NIST" perspective. However, I recommend that true beginners also explore other resources that break down the RMF in simpler terms. #NIST #Infosec #RMF #ContinousLearning

ICYMI 👀 What are the latest cybersecurity trends concerning monitoring, risk management and AI? Find out from Park Place’s John Parlee and Phil Harris from IDC. 🎧 Listen here: https://lnkd.in/etn63KuS #techpodcast