Informed Control - Resources from 2007 RSA Conference Presentation
This page provides links to documents referenced from the presentation "Assessment Techniques for Auditing Identity Management" by Mark Wahl. This page was last updated 2007 February 7.
Documents mentioned in the presentation
- NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004)
"The purpose of this publication is to provide guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government."
- NSA INFOSEC Assurance Training and Rating Program (IATRP) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM)
"The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP. The IEM consists of a standard set of activities required to perform an INFOSEC evaluation."
- ARP spoofing
"The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). ARP spoofing can also be used in a man-in-the-middle attack in which all traffic is forwarded through a host with the use of ARP spoofing and analyzed for passwords and other information."
- NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002
"Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks."
- NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
"This publication establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization."
- NIST SP 800-53 Rev. 1, Recommended Security Controls for Federal Information Systems, December 2006
"The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information."
- NSA Current Security Configuration Guides
"NSA has developed and distributed configuration guidance for a wide variety of software from open source to proprietary software. The objective of the configuration guidance program is to provide NSA's customers with the best possible security options in the most widely used products."
- Common Criteria Portal List of Evaluated Products
"To say that a product has been evaluated is to say that a defined methodology has been applied to its assessment. This of itself carries no information about the verdict of the evaluation, but merely states that a verdict has been obtained. Evaluations are conducted by the commercial testing laboratories."
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, April 2006
"The purpose of this publication is to provide guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."
- General Accounting Office Federal Information System Controls Audit Manual Volume I, February 1999
"This manual describes the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data. It is a guide applied by GAO primarily in support of financial statement audits and is available for use by other government auditors."
- Computer Security Institute 2005 Computer Crime and Security Survey
- US Secret Service Insider Threat Study, August 2004
"For the Insider Threat Study, researchers from the Secret Service CERT/CC have focused on identifying the physical and online behaviors and communications that insiders engaged in before the incidents, as well as how the incidents were eventually executed, detected, and the insider identified."
- Federal Information Security Management Act of 2002
"The purposes of this subchapter are to (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; (2) recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; (3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; (4) provide a mechanism for improved oversight of Federal agency information security programs; (5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and (6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products. "
- Revised Appendix III to OMB Circular No. A-130, Security of Federal Automated Information Resources
"This Appendix establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems..."
Many other government computer security best practice publications can be found at the NIST Computer Security home page.
References to identity data breaches
- "Consumer data company warns 145,000 of possible identity theft", Associated Press, February 17, 2005
"The thieves apparently used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts, the company said. They opened about 50 accounts and received volumes of data on consumers, including names and addresses, important identification numbers and job histories."
- "ChoicePoint Data Cache Became a Powder Keg", Robert O'Harrow Jr., Washington Post, March 5, 2005
"Before granting service, ChoicePoint typically requires a photocopy of a driver's license and business records on file with a state or local government agency. A ChoicePoint employee would then verify that such a person and company exists. Identity thieves skirted this system by using fake IDs and by setting up front companies on paper, registered with government agencies in phony names, according to court and company records.... ChoicePoint officials, meanwhile, said they have since identified more than 50 accounts that appear to be phony."
- "Top techie leaves, 2 others fired after AOL privacy leak", Anick Jesdanun, Associated Press, August 22, 2006
"AOL's chief technology officer left the company, and two other workers were fired in the aftermath of a privacy breach that involved the intentional release of more than 650,000 subscribers' Internet search terms. Although America Online had substituted numeric IDs for the subscribers' user names, the search queries themselves contained Social Security numbers, medical conditions and other data that could be traced to an individual."
- "Ernst & Young loses four more laptops", Ashlee Vance, The Register, February 26, 2006
"This theft follows a higher-profile incident in which an Ernst and Young employee lost his laptop containing the social security numbers and other personal information of customers. One such customer happened to be Sun Microsystems CEO Scott McNealy who was told that his social security number had been compromised - an incident first reported here. The laptop with McNealy's data was stolen from an employee's car, according to Ernst and Young."
- "Fidelity lost HP's employee data to impress HP", Ashlee Vance, The Register, March 24, 2006
"Fidelity indicates that the data was imported onto a laptop in order to support discussions for a meeting at HP, during which Fidelity demonstrated a new software product they believed would assist HP in addressing some administrative issues related to the HP retirement plans," HP told its staff yesterday. "It was not necessary for the discussions or the demonstration that the data be transmitted in this way, and HP was not informed ahead of time that this would occur. HP views this as a very serious problem."
Additional privacy breaches can be found in the chronological list at the Privacy Rights Clearinghouse.