Design IT Security for a Death Star

May 3, 2014

Interested in developing the skills you need to be an IT security professional supporting the U.S. Federal Government? Are you currently trying to follow NIST security guidance but are feeling overwhelmed? Why not collaborate to build a set of examples that can enhance your skills, while at the same time providing the security community with tools to improve security?

For 15 years now I have been an IT Security contractor for the U.S. Government. For much of that time I have been using standards published by the National Institute of Standards and Technology (NIST) to design and document security architecture.

While I have found NIST publications to be well written, the sheer volume of material I had to read and the lack of examples of security documents has often left me feeling overwhelmed.

Problem of Collaboration

One of the problems with collaborating in security planning is that details are often too sensitive to share broadly. This often leads to security engineers developing templates, spreadsheets, and databases for themselves or their group, leaving others to develop their own material. This duplication of effort wastes a great deal of time and lessens the effectiveness of the security controls that are implemented.

Crowdsourcing a Fictional Project

I propose that one way to collaborate and keep sensitive information secure is to build a fictional collaborative project. Crowdsourcing security architecture and planning using the NIST security framework on a fictional architecture with supporting documents that can be shared and improved is one of the best ways to collaborate without risking the release of sensitive information.

To have fun with this, and to avoid encouraging the cutting and pasting that minimizes real security, I have an idea for a government project to base the security architecture on.

In 2012, “J.D.” from Longmont, CO posted a joke (I hope) proposal on the whitehouse.gov website suggesting the U.S. build a Death Star. Over 34,000 people “signed” on to this idea, which encouraged the White House to respond. Paul Shawcross, Chief of the Science and Space Branch at the Office of Management and Budget (OMB), responded with some fun of his own.

I suggest that for our fictional collaborative project, we plan IT security for a Death Star. Something like this is flexible enough for a small number of volunteers to create some simple documents (well, as simple as NIST allows), or for a larger group to create significantly more detailed plans. In any case, the documents created would all be subject to a Creative Commons license, allowing anyone to use and share whatever is produced.

The result would be an educational opportunity for anyone who wants to better understand NIST security, and the project would provide valuable examples and perhaps simple tools that would make it easier for those designing NIST-compliant security.

This could also lead to a group that could discuss issues related to NIST compliance, without having to share details of their projects.

Get in Touch

Updated May 11, 2014

To kick things off, I’ve created two ways to begin a dialogue with everyone who is interested in this project. I just created a bare-bones LinkedIn group called:
NIST Security Development

Alternatively, if you’d prefer email, I’ve created a Yahoo email list. Subscribe by going to the Yahoo Groups site https://groups.yahoo.com/group/NISTsec, or just send an email to:
nistsec-subscribe@yahoogroups.com

Updated May 27, 2014

A project wiki has been created for this effort. There is still a great deal of work to get the wiki going, but it is ready for users and editing. The site is:

https://sfads.org

This is the same wiki software that is used for Wikipedia, so there are lots of resources on creating pages for it. While it might seem a bit intimidating to those who have not used wikis before, the syntax is really pretty easy, and you’ll get the hang of it quickly.

The best thing about a wiki is that it is easy to edit, and easy to revert to an older version if something goes wrong.

I’ll also be creating and sharing spreadsheets via Google Docs because spreadsheets are just easier there. Google Docs can also handle presentation slides, diagrams, and document templates.

If you are interested in helping, please create an account on the wiki and we can start collaborating on this project.

Jim