Houston, we have THE framework!

This is a close cousin of the post about Risk Assessment Methodologies, but the difference here is that we are looking at a complete lifecycle for managing risk to an organization's information systems, not just at how to score it: the NIST Risk Management Framework (RMF).

The main framework is pretty much this:

[Image: the six RMF steps drawn as a cycle]

Step 1: Categorize
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select
Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on an organizational assessment of risk and local conditions.

Step 3: Implement
Implement the security controls and document how the controls are deployed within the information system and environment of operation.

Step 4: Assess
Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize
Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor
Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.
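To make the first steps less abstract, here is an added example (mine, not code from the post or from NIST) that models Categorize, Select and Assess in a few functions. Step 1 uses the FIPS 199 high-water-mark rule that the categorization is built on: each objective (confidentiality, integrity, availability) takes the highest impact level of any information type the system handles, and the system's overall level is the highest objective. The information types, the control sets and the implementation statuses are constructed for illustration; the control identifiers only follow the SP 800-53 naming shape and are not the real baseline allocations.

```python
# Added example, not from the post or from NIST: a toy model of RMF steps 1,
# 2 and 4. Categorization follows the FIPS 199 high-water-mark rule; the
# control sets below are constructed and are NOT the real SP 800-53 baselines.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact levels, in order


@dataclass(frozen=True)
class InfoType:
    """An information type with its impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels):
    """Return the highest impact level in `levels` (FIPS 199 rule)."""
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """RMF step 1: categorize the system from the information it handles.

    Each objective takes the highest level of any information type; the
    overall categorization is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system handles at least one information type")
    cat = {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }
    cat["overall"] = high_water_mark(cat.values())
    return cat


# Constructed, cumulative control sets keyed by overall categorization.
# Only the identifier shape (family-number, with enhancements in parentheses)
# is realistic; the allocation is invented for this example.
BASELINES = {
    "low": {"AC-2", "AU-2", "IA-2", "SC-7"},
    "moderate": {"AC-2", "AU-2", "IA-2", "SC-7", "AC-2(1)", "AU-6", "SI-4"},
    "high": {"AC-2", "AU-2", "IA-2", "SC-7", "AC-2(1)", "AU-6", "SI-4",
             "AC-2(2)", "AU-6(1)", "SI-4(4)"},
}


def select_controls(overall, remove=(), supplement=()):
    """RMF step 2: pick the baseline for the categorization, then tailor it.

    `remove` drops controls judged not applicable (each removal needs a
    documented rationale in practice); `supplement` adds controls required by
    the local risk assessment. Removing a control the baseline does not
    contain is an error rather than a silent no-op.
    """
    baseline = set(BASELINES[overall])
    unknown = set(remove) - baseline
    if unknown:
        raise ValueError(f"not in the {overall} baseline: {sorted(unknown)}")
    return (baseline - set(remove)) | set(supplement)


def assess(selected, implementation_status):
    """RMF step 4: compare the selected controls to what was implemented.

    `implementation_status` maps control id -> "implemented", "partial" or
    "planned". Every selected control that is absent or not fully
    implemented becomes a finding.
    """
    findings = {}
    for control in sorted(selected):
        status = implementation_status.get(control, "missing")
        if status != "implemented":
            findings[control] = status
    return findings


if __name__ == "__main__":
    # Constructed system: a payroll application handling two information types.
    payroll = [
        InfoType("employee PII", "moderate", "moderate", "low"),
        InfoType("payment instructions", "moderate", "high", "moderate"),
    ]
    cat = categorize(payroll)
    print("categorization:", cat)  # integrity drives the overall level to high
    # Tailoring: no temporary accounts exist, so AC-2(2) is removed with a
    # rationale; the local risk assessment adds SC-8 (assumed identifier).
    controls = select_controls(cat["overall"], remove={"AC-2(2)"}, supplement={"SC-8"})
    status = {c: "implemented" for c in controls}
    status["SI-4(4)"] = "partial"   # constructed gaps for the assessment
    del status["AU-6(1)"]
    print("findings:", assess(controls, status))
```

The point of the high-water mark is that one high-impact information type (here, integrity of payment instructions) pulls the whole system to the high baseline, which is why step 1 is done before any control is chosen. The assessment output is deliberately a dictionary of gaps rather than a pass/fail: those gaps are what the authorizing official weighs in step 5, and what step 6 keeps re-checking as the system changes.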

For more information, take a look at the document linked here, or go to the NIST RMF overview page and go as deep as you want. One caveat: the six steps above are the original RMF; the 2018 revision (SP 800-37 Rev. 2) added a Prepare step in front of them, so newer material lists seven.

For now, that's it, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don't text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on to achieving your definition of "success" and drink more coffee!

Is it at risk or not?

In the podcast with Fernando Rubio, I mentioned I would upload a form to assess the risk in a project; it tells you whether the project is safe enough or whether there are parts that need to be reworked. Knowing is the first part; after that, you decide whether the changes cost too much.

Here it is:

[Image: the risk assessment form]

For now, that is all, but as always, good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don't text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on to achieving your definition of "success" and drink more coffee!

So your Uber driver doesn’t become a moto-thief!

Why study computer and information security? Actually, there are many reasons, on both sides: as programmers and as users, we should all at least be aware of what the heck can happen to us when we stand up from our chair and don't lock the computer, or our cellphone, or our hard drive.

[Homer Simpson gif: Doh!]

Many can say, "well, I'm not really anybody important with million-dollar secrets", and yes, it's not like we are protecting the Coca-Cola formula, but we are protecting something even bigger and with more value (maybe not according to the insurance companies, but still): OURSELVES!!!!!


So, quick story before you click to go back and stop reading this post. I was on Facebook reading my news feed (nothing fancy there) when I got to an interesting post that you can find here. Basically, what it says is that on August 11, the daughter of Ana Marcela Chavez (the person who made the post) ordered an Uber to get back home. As usual, she got a text saying that her Uber had arrived. When she came out, two guys on a motorcycle were waiting for her instead of the Uber. They threatened her with a knife and she got robbed. The Uber never came. Mrs. Chavez tried to get in touch with someone from Uber but never got a reply from them (but she did get a receipt and a charge for the trip that her daughter never took, by the way). Now, I am not saying this was a digital security breach; maybe the driver was an accomplice of the thieves and alerted them to the girl's location so they could assault her. However, let's assume that the driver was not an accomplice and just got his Uber phone stolen, and the little bastards decided to use the Uber Driver App to find some victims. This is sad, this shouldn't happen, but unfortunately it does, and it's our job to prevent it from happening again.

Having security can sometimes be a pain in the butt, but it's important; it's all about being safe and sound…


So, we need to look for ways to make ourselves more secure and minimize the risk, but at the same time we cannot make our lives so complicated that we end up hating it. You can set up 2-step verification; maybe the Uber driver has to enter a password or his fingerprint every time he accepts a trip or does something else sensitive, so that a stolen phone by itself is not enough. But then you face the fact that this might put him in danger, because maybe the thieves will now threaten the driver to get the password, or chop off his finger to keep his fingerprint. Still, every layer of security also makes it less likely that some simple bastard steals something from you, because it becomes too much trouble…
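What that "password or fingerprint every time he accepts a trip" idea looks like in practice is step-up authentication: the login token that lives on the phone is enough to see the map, but a sensitive action needs a recent PIN or biometric check. Below is an added illustration (mine, not Uber's code or the post's) of a service-side session that enforces such a freshness window, with a constructed timeline in which the phone is stolen while logged in. The names, the 10-minute window and the timestamps are all assumptions; the second helper counts how many prompts a given window would produce over a shift, which is the usability cost the paragraph above worries about.

```python
# Added example, not from the post: step-up authentication for a sensitive
# action (accepting a trip) on a device that may be stolen while logged in.
# Names, the freshness window and the sample timeline are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

FRESH_AUTH_SECONDS = 600  # assumed window: PIN/biometric must be this recent


@dataclass
class DriverSession:
    """Server-side view of a logged-in driver app.

    The login token proves the phone was logged in once; `last_strong_auth_at`
    records the last PIN or biometric check, which a thief holding the
    unlocked phone cannot reproduce.
    """
    driver_id: str
    logged_in_at: float
    last_strong_auth_at: Optional[float] = None
    accepted: List[str] = field(default_factory=list)

    def strong_auth(self, now, ok):
        """Record a successful PIN/biometric check; a failed one records nothing."""
        if ok:
            self.last_strong_auth_at = now
        return ok

    def accept_trip(self, trip_id, now):
        """Sensitive action: only allowed with a strong auth inside the window.

        Enforced here, on the service, so an app that has been tampered with
        cannot skip the check. Returns "accepted" or "reauth_required".
        """
        if (self.last_strong_auth_at is None
                or now - self.last_strong_auth_at > FRESH_AUTH_SECONDS):
            return "reauth_required"
        self.accepted.append(trip_id)
        return "accepted"


def reauth_prompts(accept_times, window=FRESH_AUTH_SECONDS):
    """Usability cost of a window: prompts a shift would produce if the driver
    only re-authenticates when an accept falls outside the window."""
    prompts = 0
    last = None
    for t in sorted(accept_times):
        if last is None or t - last > window:
            prompts += 1
            last = t
    return prompts


def simulate():
    """Constructed timeline: normal work, then the phone is stolen at t=3000."""
    s = DriverSession("driver-42", logged_in_at=0.0)
    s.strong_auth(now=0.0, ok=True)
    r1 = s.accept_trip("trip-1", now=120.0)   # inside the window -> accepted
    r2 = s.accept_trip("trip-2", now=900.0)   # window expired -> reauth_required
    s.strong_auth(now=901.0, ok=True)         # driver enters PIN again
    r3 = s.accept_trip("trip-2", now=902.0)   # accepted after fresh auth
    s.strong_auth(now=3000.0, ok=False)       # thief has the phone, not the PIN
    r4 = s.accept_trip("trip-3", now=3000.0)  # stolen session cannot take riders
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    print(simulate())
    shift = [0, 300, 900, 1500]  # constructed accept times, seconds into a shift
    for window in (600, 2000):
        print(f"window={window}s -> {reauth_prompts(shift, window)} prompts")
```

The window is the knob between the two halves of the paragraph: a short one means a stolen phone is useless within minutes but the driver is typing a PIN all day; a long one is friendlier and leaves a bigger gap for the thief. Whatever the value, the check has to live on the service, not only in the app, or the stolen phone simply gets an app that does not ask.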


There are many security threats out there; they come in many forms and from many places. They say ignorance is bliss, but not when it comes to security and your well-being, because at that point it stops being funny and becomes a nightmare: you didn't expect it to happen, you didn't even know it could happen.

So, how do you fix a problem you don't even know you have yet? By studying information security, so you know the problems, the threats, how to fight them, and how to prevent losses or breaches. It might be hard, you might not like it, but then again, it's just so your Uber driver doesn't become a moto-thief!