I’m writing this more for an outlet than anything else. I’m an IT Guy with over 30 years in the field. I earned an B.S. in Computer Science, an MA in Information Systems Management and certificates of (ITIL, CISSP, and CISA), so I have a general understanding of what I ‘m talking about. Early on I had to make a choice between a creative or technical path. I chose the technical, but always stayed in touch with the creative. Today I don’t regret the choices I’ve made, just question them as in “What the heck was I thinking”?
Today I work for a fortune 100 company with specific responsibilities in IT Security and regulatory compliance, specifically with NIST and other federal agencies. My function is sort of Rosetta stone of translation. Translate Fed-Speak into policies, procedures and action.
I hate the modern-day auditing function. It is not helpful at all and effectively allows summary judgements to be levied by without reproach. The management functions are punitive and fearful that passing an audit is all they really care about. Business management are scared and generally feel that having a box checked as ‘complete’ is some magic shield from which no harm will come.
My own opinion is that the Internal Audit function should be a partner to the business and act in a consultant capacity instead of judge, jury and executioner. They should be the teacher and the strategic leader from which new and better cyber security initiatives rise from. That’s what I do.
Before 2002 every Federal agency had their own IT staff, policies, procedures. It was a huge waste of money but it worked at the time. In 2002, the FISMA (Federal Information Security Act) was signed into law. This authorized the branch of the Department of Commerce known as the National Institute of Standards and Technology as the sole source of US Federal computer security guidelines. This wasn’t something that was created overnight, NIST developed computer security guidelines since the 1970’s. The law was the way that the US went from a patchwork of independent practices to one way to do it. This quietly did somethign that was rarely done before. It streamlined a government process.
Within NIST, there are many departments and divisions. The one that I am going to write about is the “Computer Security Division”. Keep in mind that you will not learn something super secret here, just how to do things better. Within the Computer Security Division there is the Computer Security Resource Center which I have linked to their website. This is where we will continue from the next time.