Design IT Security for a Death Star

Interested in developing the skills you need to be an IT security professional supporting the U.S. Federal Government? Are you currently trying to follow NIST security guidance but are feeling overwhelmed? Why not collaborate to build a set of examples that can enhance your skills, while at the same time providing the security community with tools to improve security?

For 15 years now I have been an IT Security contractor for the U.S. Government. For much of that time I have been using standards published by the National Institute of Standards and Technology (NIST) to design and document security architecture.

While I have found NIST publications to be well written, the sheer volume of material I had to read and the lack of examples of security documents has often left me feeling overwhelmed.


Problem of Collaboration

One of the problems with collaborating in security planning is that details are often too sensitive to share broadly. This often leads to security engineers developing templates, spreadsheets, and databases for themselves or their group, leaving others to develop their own material. This duplication of effort wastes a great deal of time and lessens the effectiveness of the security controls that are implemented.


Crowdsourcing a Fictional Project

I propose that one way to collaborate and keep sensitive information secure is to build a fictional collaborative project. Crowdsourcing security architecture and planning using the NIST security framework on a fictional architecture with supporting documents that can be shared and improved is one of the best ways to collaborate without risking the release of sensitive information.

To have fun with this, and to avoid encouraging the cutting and pasting that minimizes real security, I have an idea for a government project to base the security architecture on.

In 2012, “J.D.” from Longmont, CO posted a joke (I hope) proposal on the whitehouse.gov website suggesting the U.S. build a Death Star. Over 34,000 people “signed” on to this idea, which encouraged the White House to respond. Paul Shawcross, Chief of the Science and Space Branch at the Office of Management and Budget (OMB), responded with some fun of his own.

I suggest that for our fictional collaborative project, we plan IT security for a Death Star. Something like this is flexible enough for a small number of volunteers to create some simple documents (well, as simple as NIST allows), or for a larger group to create significantly more detailed plans. In any case, the documents created would all be subject to a Creative Commons license, allowing anyone to use and share whatever is produced.

The result would be an educational opportunity for anyone who wants to better understand NIST security, and the project would provide valuable examples and perhaps simple tools that would make it easier for those designing NIST-compliant security.

This could also lead to a group that could discuss issues related to NIST compliance, without having to share details of their projects.


Get in Touch

Updated May 11, 2014

To kick things off, I’ve created two ways to begin a dialogue with everyone who is interested in this project. I just created a bare-bones LinkedIn group called:
NIST Security Development

Alternatively, if you’d prefer email, I’ve created a Yahoo email list. Subscribe by going to the Yahoo Groups site https://groups.yahoo.com/group/NISTsec, or just send an email to:
nistsec-subscribe@yahoogroups.com


Updated May 27, 2014

A project wiki has been created for this effort. There is still a great deal of work to get the wiki going, but it is ready for users and editing. The site is:

https://sfads.org

This is the same wiki software that is used for Wikipedia, so there are lots of resources on creating pages for it. While it might seem a bit intimidating to those who have not used wikis before, the syntax is really pretty easy, and you’ll get the hang of it quickly.

The best thing about a wiki is that it is easy to edit, and easy to revert to an older version if something goes wrong.

I’ll also be creating and sharing spreadsheets via Google Docs because spreadsheets are just easier there. Google Docs can also handle presentation slides, diagrams, and document templates.

If you are interested in helping, please create an account on the wiki and we can start collaborating on this project.

Jim


18 Responses to Design IT Security for a Death Star

  1. I may be interested

  2. n0mad says:

    If you think you would like to organize some parts of the IT security framework around the SANS controls, I’d be interested.

    [http://www.slideshare.net/jderienzo/map-critical-securitycontrolscsc41tonistsp80053rev4]

    n0mad

    • Jim Wiedman says:

      n0mad, I’m not opposed to incorporating the SANS top 20 into the discussion, but my focus is on creating examples of NIST compliance.

  3. Information Assurance says:

    Hi,

    I would be interested if you would be developing from the real point of view. Based on organizations business and risks and from the right perspective of information security or assurance built in every process, in roles and responsibilities and after that for the part you are mentioning aka IT Security. In the organization IT Security is no more than 30 % and Information Security/Assurance is the rest.

    Checking the box of requirements and controls or developing?

    • Jim Wiedman says:

      I am not a fan of security for the sake of checking a box. One of the things I’d like to see with this is an example of considering the needs of the organization (what would that be for a Death Star?) and designing security to match those needs. If that’s what you mean by “real point of view” then we are on the same page.

      We can have debates for years on the definitions of information assurance, information security, IT security, cybersecurity, etc. I tend to consider them interchangeable, but I know others have strong feelings about different definitions of each.

      I’m looking at working through the NIST security lifecycle for this. Does that help?

  4. Jim Wiedman says:

    To kick things off, I’ve created two ways to begin a dialogue with everyone who is interested in this project. I just created a bare-bones LinkedIn group and a Yahoo group.

    You can find this group by going to LinkedIn and doing a group search for:
    NIST Security Development

    Alternatively, if you’d prefer email, I’ve created a Yahoo email list. Subscribe by going to the Yahoo Groups site https://groups.yahoo.com/ and searching for NISTsec, or just send an email to:
    nistsec-subscribe@yahoogroups.com

    Let me know if you have any questions.

  5. I’m interested and think this would be fun.

  6. doug burkhart says:

    sounds interesting… and maybe a good way to bone up on NIST.

    • Jim Wiedman says:

      Doug, that is my hope for this project. Hope you’ll join one of the groups mentioned above. We’ve got a good turn-out so far and are beginning to organize the effort.

  7. Melanie Wright says:

    I would be interested. I am an up-and-coming security professional. I am a security analyst with a Bachelors in Information Systems Security and learn extremely quickly. I need advanced mentors to train me extreme-fast-track. This sounds interesting. I am an InfraGard member.

    • Jim Wiedman says:

      Melanie, it would be great to have you onboard. Sounds like this would be a project that would be useful to you, and where you could contribute. Hope you join one of the groups.

  8. Hi Jim, I would like to participate as well, and appreciate your organizing this. Do you have any NIST documents you recommend that I read, or do we need to better define our scope first? Thank you.

  9. James O. Ellithorpe says:

    Jim,

    I might be able to help you from a more “academic” and “training/mentoring” perspective. Get in touch with me if interested. I am now in the final stages completing my PhD dissertation with my dissertation focusing on “Cyber-Security” training and mentoring. I see my greatest strength, beside many years of experience, being someone who can add real depth to the concepts and provide a high-level foundation to the project.

    James E., PhD (ABD)

    • Jim Wiedman says:

      James,

      Your help would be greatly appreciated. We have a new wiki site where we can start collaborating, if you’d like to set up an account:

      https://sfads.org

      Looking forward to working with you,

      Jim
