
Security Assessment & Authorization (SA&A): A Kinder, Gentler Approach
- On June 17, 2016
- In Blogs
- By Chris Howell
Before 2002, IT was much simpler. The basic IT framework was essentially three phases: Phase 1 was to build it; Phase 2 was to get it to work; and Phase 3 was to wait for things to break and then fix them.
Following the September 11 attacks, the U.S. government passed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA). According to the National Institute of Standards and Technology (NIST), it “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” Unfortunately, system administrators immediately felt the weight and pressure that FISMA brought, and they didn’t like it. Fourteen years later, this negative sentiment and association still exist.
IT compliance professionals—whether they’re information system security officers (ISSO) or security assessors—are involved in the Risk Management Framework (RMF). This framework ensures that system administrators accurately portray their systems within the SA&A documentation, so that the documentation reflects reality in the event of an incident (or worse). However, when IT compliance professionals become involved, there is often a feeling of dread among system administrators. The rift between system administrators and IT compliance officers has come about because of the practices of some IT compliance professionals. Without prior experience, or having only just passed their certification exam, some simply follow a “do-this-because-the-book-says-you’re-wrong” approach.
So, how do you overcome the negative stereotype against IT compliance professionals? Cloudburst Security recommends the following tips:
1. Feel their pain. Let system administrators know you’ve been brought in to guide them through this painstaking, federally mandated event and that you’re there to help them through it step by step. This goes a lot further than just dropping documents and deadlines on them.
2. Practice risk management rather than risk elimination. Often, a control isn’t adhered to because the system administrator feels that it will hinder the performance of the target system. Give them the opportunity to be heard. Then, see if there is an alternative solution, or provide solid justification to request a waiver for the control.
3. Lay out the plan in terms they understand, and hold them accountable to it. System administrators need to understand the benefits to them in order to work with you effectively.
4. Set milestones. This allows them to plan their efforts ahead of time and provide the support needed to complete the required documentation.
To learn more about how Cloudburst Security can be part of your team and boost your success in SA&A, email us at: info@cloudburstsecurity.com