Title: Risk Management Framework
Speaker: Terri Merz, CISM, MS CS
Cynergy Group of Baltimore
The Defense Information Assurance Risk Management Framework
Are We Ready to Change Our Focus?
In 1983, those individuals supporting the Department of Defense in the area of “Automated Data Processing” found themselves confronted with a completely new set of support requirements: Automated Data Processing Security. These requirements came by way of the National Security Agency (NSA) in the form of a formidable tome entitled the “Trusted Computer System Evaluation Criteria” (also known as “The Orange Book”).
Since then, the Department of Defense has been lumbering towards a synchronized and unified approach to Cyber Security, often with checkered success. The two main initiatives that mark these efforts are the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP).
While attempting to define Cyber Security during the DITSCAP phase, the DoD simultaneously attempted to implement a structured approach to the development and integration of Information Technology (IT).
Leaning heavily on the Software Engineering Institute's Capability Maturity Model (SEI CMM), the DoD introduced a number of initiatives designed to formalize the IT development process. Presuming such initiatives would be successful, both the DITSCAP and the DIACAP were designed to integrate with a formalized Systems Development Life Cycle (SDLC). However, with most organizations unable to implement a structured SDLC, attempts to integrate security into these missing processes produced a contrived effort, and organizations often came to view Certification and Accreditation as an annoying “paperwork drill”.
While each process ultimately concluded with some statement of risk, risk is not what drove organizations to compliance. The “stick” that was designed to ensure process implementation was policy compliance, which could impact IT funding. Whether that approach was successful or not is certainly a point of debate.
Even though both DITSCAP and DIACAP implementations could be seen as tortured approaches to security, each process did evolve, and lessons were learned. These lessons were integrated into tailored processes, often driven by the Combatant Commands and introduced throughout DoD Departments by way of policies. Today, the DoD is still struggling to synchronize and unify its security posture under one process.
However, the brave new interconnected world has given rise to a new and dangerous phenomenon, Advanced Persistent Threats (APTs), and these demand our immediate attention. While the DIACAP was introduced in 2006 (and numerous organizations are still striving for compliance), the dawn of APTs is forcing the Department of Defense to refine its approach to Cyber Security, yet again and on a wholesale basis, by way of the Department of Defense Information Assurance Risk Management Framework (DIARMF). What does this mean, and what are the chances we can successfully implement this process? Will it change our risk profile in a meaningful manner, or are we looking at yet another paperwork drill?
Ms. Merz is co-founder of Cynergy Group of Baltimore. Cynergy Group specialized in providing
Information Security to Federal, State and Local law enforcement agencies. Clients included the
Federal Bureau of Investigation, the National Security Agency, the Department of the Navy, the
Florida Department of Law Enforcement, and the Department of Homeland Security. Cynergy Group was
awarded the prestigious Incubator Client of the Year award in 2006, placing Cynergy at the top of
30,000 companies worldwide. That same year, Ms. Merz received the “Bravo! CEO” award, and Cynergy
was named one of Maryland's top 100 small businesses.
For the past 17½ years, Ms. Merz has focused on education, training and career experience in
the field of Information Systems Security Engineering and Technical Program Management. Some
of Ms. Merz's engagements include: Security Interim Program Team Leader for the development
of the US Central Command's Deployable Headquarters in support of CENTCOM's 9/11 response;
Program Manager (PM) for the Federal Aviation Administration penetration test; PM for the
development of the GSA three-year IT security plan; PM for the DLA penetration testing task;
Technical task lead to the Chief Security Officer at DISA for the development of a security
engineering process designed to integrate with the Global Command and Control System's systems
development life cycle; PM for the Veterans Administration's FISMA report and response to
Congress, and System Security Plan (SSP) development in accordance with NIST SP 800-53; and
Lead Information Systems Security Engineer (ISSE) for the Department of Education Certification
and Accreditation (C&A) efforts, including the development of C&A artifacts such as the SSP,
Contingency Plan and Configuration Management Plan in accordance with NIST SP 800-53. As the
Health Insurance Portability and Accountability Act (HIPAA) was promulgated, Ms. Merz developed
several implementation plans for insurance providers, including third-party billers, as well as
training programs for executive health care professionals.
Ms. Merz is currently working on a Doctor of Science in Computer Science with a specialty in
Information Security at the University of Fairfax.
Master’s Degree, Computer Science, Information Security, Colorado Technical University,
Colorado Springs (completion date 2/2012)
Graduate Certificate, Information Systems Security Engineering, George Washington University,
2000, Washington DC
B.S., in Computer Science, University of Maryland, 1993, College Park, MD
Certified Information Security Manager (CISM), ISACA
National Security Agency: INFOSEC Assessment Methodology (IAM)
Certified by the Committee on National Security Systems, Information Systems Security Manager
Certified by the Committee on National Security Systems, Information Systems Security Officer
Certified by the Committee on National Security Systems, Certification Agent (CNSS 4015)
Certified Navy Validator, SPAWAR
Women in Defense (2007 Vice President Capital Chapter)
D.C. Metro Area Women in Technology
Baltimore County Leadership 2000
National Defense Industrial Association (Member Board of Directors, Aberdeen Chapter)
Information Assurance Technical Framework (IATF)
Conquering Layer 7 Attacks, CTU 2011
Using a Risk Management Framework to Assess Organizational Policies, CTU 2011