Session recording
Ben Scott
dragonhawk at gmail.com
Mon Mar 31 18:17:20 EDT 2008
On Mon, Mar 31, 2008 at 4:12 PM, Tom Buskey <tom at buskey.name> wrote:
>> These days, it's the Common Criteria standards,
> NISPOM and Chapter 8 specifically.
NISPOM Chapter 8 is even less useful than the CC stuff. NISPOM
doesn't even define terms in many cases. And it never covers
implementations -- it's basically a list of requirement scenarios,
with some guidance on when to use which scenario. Rarely has so much
been written, and yet said so little.
FAISSR basically just regurgitates all of NISPOM Ch 8, changing all
the "You must" directives to "We will" promises, so that your Security
Plan reads just like the NISPOM. Mindless bureaucrats love it, of
course. Gag. And I can say the actual accrediting auditors we've had
to deal with have been significantly more aware of what's going on, so
just regurgitating the standards won't cut it. I expect that varies
with jurisdiction, though.
(For those wondering: NISPOM = National Industrial Security Program
- Operating Manual. It (sort of) spells out what DoD contractors have
to do for security. FAISSR is... some Florida agency, I think, that
somehow got their template blessed with holy penguin pee, or
something. Google finds this stuff, if you really want to know.)
Practical guidance on how to *actually secure* systems is sadly less
available than bureaucracy. The best I've found (for my needs) are
the NSA Security Configuration Guides:
http://www.nsa.gov/snac/downloads_all.cfm
But that's all written in a US Defense mindset. I expect someone
setting out to implement, say, HIPAA guidelines, would find it
unsuitable for those purposes. (Or maybe not; I don't know much about
HIPAA -- just enough to know I want nothing to do with it! :) )
> I'd guess that the only way to allow a 95/98 system is to put it in a locked
> room with only the user and the security officer allowed in. Oh - and no
> networking to the outside room.
Pretty much. "Stand-alone, system high". For that matter, every
NISP implementation I've ever dealt with has been that way, including
more recent doze and nix. No LAN, no WAN, and certainly no Internet.
It's a lot easier, and thus a lot cheaper. In particular, multi-level
security -- correctly handling information of different sensitivity
levels -- requires fancy stuff largely not available for Windows or
Linux.
-- Ben