In this CSIAC podcast, Jim West discusses how the CIA triad has played a part in the management of risk, but lacks the detail needed to consider all aspects of risk. West describes a 9-point core security principles star that will better prepare many organizations to seek out possible solutions to risks, and provide senior leadership a more detailed visualization of which principles represent acceptable risk and which do not.
The CSIAC Podcast
The CSIAC Podcast features discussions with Subject Matter Experts on emerging topics in the fields of cybersecurity, modeling and simulation, software engineering and knowledge management. One-on-one and round-table discussions are held to provide insight into highly technical topics and increase user awareness.
Part 2 of this 6-part video series discusses the compilation process model, the preprocessor, and the operation of the compile-link-load tool chain. The execution model is described with a focus on function stack frames, memory, and the use of streams.
Part 1 of this 6-part video series discusses techniques for structuring code to support an effective code management strategy (specifically with regard to readability and maintenance) as software systems become large and difficult to understand. The use of packages with object factories and interfaces is discussed with an example.
In part four of the RMF Categorization podcast series, the SMEs discuss the various roles and responsibilities as well as the operating environment. Any individual who interacts with a system has a certain role or responsibility in the implementation of the system security program. These roles and responsibilities are propagated across three tiers: 1) the organization, 2) mission/business processes, and 3) information systems. The operating environment consists of the system authorization boundary as well as all external entities interacting with the system's information types. The operating environment should result in a specific implementation of the prescribed security requirements and provide a measurement of a security program's effectiveness.
In part three of the RMF Categorization podcast series, the SMEs discuss the process of aligning the security objectives. The security objectives provide a common understanding of the impact levels on the information types as well as a common viewpoint of a system compromise and its organizational impact. The security objectives allow the system owner to identify security requirements in order to mitigate and reduce risks to the system.
In part two of the RMF Categorization podcast series, the SMEs discuss the process of accurately identifying information types. The identification of the information types establishes the foundation for the system security program. The information types serve as the baseline by which the mission owner as well as the adversary both measure success. Information types allow the system owner to respond to cybersecurity risks by utilizing specified security requirements.
In part one of the RMF Categorization podcast series, the SMEs discuss what a security program is and why it is important. A security program defines the people, processes, and technologies used to manage cybersecurity risk to the environment in which your system operates. The security program document serves as the blueprint for how your system operates and responds to the ever-changing threat landscape.
During the height of the Cold War, the biggest fear involved the possibility of mutually assured destruction (MAD) from nuclear warfare. However, in today’s digital world, we find that military and strategic systems are under constant siege from cyber attacks. Within the nuclear realm, the threat of cyber attacks is relatively high due to advanced…
To many, cybersecurity is a well-known but poorly understood topic. System owners specializing in non-software/Information Technology (IT) functions have undoubtedly been warned of the potentially disastrous consequences of a cyber incident, but often lack a fundamental understanding of how to prevent one from occurring. And while Advanced Persistent Threats (i.e., state-sponsored groups) have grown increasingly adept, many successful and well-publicized attacks did not involve a high level of sophistication, and thus were largely avoidable. This short video attempts to simplify a number of cybersecurity concepts and practices to help individuals avoid many common and preventable cybersecurity pitfalls.
In an effort to strengthen the cyber defense and cyber resilience measures within information technology systems, government and industry partners are increasingly turning to ethical hackers and incorporating bug bounty programs, which offer rewards for uncovered vulnerabilities. Bug Bounty Programs are “incentivized, results-focused programs that encourage security researchers to report security issues to the sponsoring…