CISSP & CISM Certified Info System Security Pro

itdefpat

2009-06-09T10:06:00.000-07:00

CISSP CISM 2009

THE7

2008-09-16T21:45:00.000-07:00

1US//2NONUS//3SCI//FGI//5DISSEM//6NONINTEL//7DCLASDATE

6 & 7

2008-09-16T21:41:00.000-07:00

6 NON-INTEL: COMSEC SAR
7 DECLASS DATE

1. US

2008-09-16T21:37:00.000-07:00

1. U.S. Classification Markings: The classification is the first entry in the classification line.
The classification must be spelled out and may not be abbreviated in the classification line.
The four classification markings are:
Ø TOP SECRET
Ø SECRET
Ø CONFIDENTIAL
Ø UNCLASSIFIED

Example: TOP SECRET//COMINT-GAMMA/TK//RESEN,ORCON//COMSEC//1X

2. Non-U.S.

2008-09-16T21:27:00.000-07:00

2. Non-U.S. Classification Markings: Used by other countries and international
organizations. The markings must be listed in the registry and be a trigraph country code.
Authorized non-U.S. classification markings are:
Ø TOP SECRET (TS)
Ø SECRET (S)
Ø CONFIDENTIAL (C)
Ø RESTRICTED (R)
Ø UNCLASSIFIED (U)
Example: // DEU SECRET//X1

Additional examples of the Non-U.S. Classification Markings are:
TYPE PORTION PAGE (EXAMPLE) REMARKS

Non-U.S. Country Classification //[Country Trigraph] [Non-U.S. Classification Portion Abbreviation]
//DEU SECRET//X5
• Markings begin with double right slash (i.e., //)
• Cannot be used with U.S. Classification Markings
• Must use X5 as Declassification Date

COSMIC Top Secret Atomal (//CTSA) //COSMIC TOP SECRET ATOMAL//MR
NATO Secret (//NS) //NATO SECRET//MR
Secret ATOMAL (//NSAT) //SECRET ATOMAL//MR

+++
NATO Confidential (//NC) (//NCA) //NATO CONFIDENTIAL//MR
Confidential Atomal //CONFIDENTIAL ATOMAL//MR

++++
NATO Restricted (//NR) //NATO RESTRICTED//MR

• NATO Marking
• Cannot be used with U.S. Classification
• May be used by NATO organization only
• Must use MR as Declassification Date

3 SCI

2008-09-16T21:23:00.000-07:00

3. SCI Control Systems/Codewords: A SCI Control System is the system of procedural
protective mechanisms used to regulate or guide each program established by the Director of Central Intelligence as SCI. A control system provides the ability to exercise restraint, direction, or influence over or provide that degree of access control or physical protection necessary to regulate, handle or manage information or items within an approved program. Multiple entries may be chosen from the SCI Control System if the entries are applicable to the document.

TYPE PORTIO N PAGE (EXAMPLE) REMARKS
COMINT (SI) SERCRET//COMINT//[declass date]
• Referred to as SI
• May be use ONLY with: Top Secret, Secret or Confidential

GAMMA (G) TOP SECRET//COMINT-GAMMA-UMBRA//ORCON//[declass date]
• COMINT sub-control system/sub-compartment
• Requires: Top Secret and COMINT-UMBRA and ORCON

Talent Keyhole (TK) SECRET//TALENT-KEYHOLE//[declass date]
SECRET//TK//[declass date]
• May be used only with TS or S

4, FOREIGN GOV INFO

2008-09-16T21:21:00.000-07:00

4. Foreign Government Information (FGI): Information used in U.S. controlled documents
which contain controlled information of non-U.S. origin. Use FGI + trigraph country code in alphabetical order, separated by single spaces. List all country codes in alphabetical order separated by a single space. Substitute “FGI” where specific government must be concealed. The Foreign Government Markings are:

Ø FGI [Country Trigraph(s)]
Ø FGI

5 DISSEMINATION

2008-09-16T21:13:00.000-07:00

5. Dissemination Control Markings: Identifies the expansion or limitation on the distribution of classified information.

RS - RISK SENSITIVE
FOUO - FOR OFFIIAL USE ONLY
ORCON - ORIGINATOR CONTROLLED
IMCON - CONTROLLED IMAGERY
RD - RESTRICTED DATA
FRD - FORMERLY RD
SAMI - SOURCES AND METHODS INFORMATION
NF - NO FORN
PR PROPIN - PROPRIETARY INFORMATION
REL - RELEASABLE
CNWDI - Critical Nuclear Weapon Design Information

TERMS

2008-09-16T20:56:00.000-07:00

Acronyms
ADP – Automated Data Processing
AIS – Automated Information System
(C) – Confidential
CNWDI – Critical Nuclear Weapons Design Information
COMINT – Communication Intelligence
COMSEC - Communication Security
COSMIC – NATO Top Secret
DAN – Document Accountability Number
DCID –Director of Central Intelligence Directive
EO – Executive Order
FAX – Facsimile
FGI – Foreign Government Information
FOIA – Freedom of Information Act
FOUO – For Official Use Only
FRD – Formerly Restricted Data
ISOO – Information Security Oversight Office
ISSO – Information Systems Security Officers
LIMDIS – Limited Distribution
MR – Mandatory Review
MTMC – Traffic Management Commands
NATO – North Atlantic Treaty Organization
NOFORN – Not Releasable to Foreign Nationals
NSDD – National Security Decision Directive
NTM – National Technical Means
OADR – Originating Agency’s Determination Required
OCA – Original Classification Authority
OMB – Office Management and Budget
ORCON – Originator Controlled
PDD – Presidential Decision Directive
PHV – Permanent Historical Value
PROPIN – Caution, Proprietary Information Involved
(R) – Restricted
REL TO – Release To
RD - Restricted Data
RSEN – Risk Sensitive
(S) – Secret
SAP – Special Access Program
SAR – Special Access Required
SCI – Sensitive Compartmented Information
SF – Standard Form
STU – Secure Telephone Unit
(TS) – Top Secret
(U) – Unclassified
U.S. – United States
USA – United States of America

USG CLASSIFICATION GLOSSARY

2008-09-16T20:53:00.000-07:00

A SELECT FEW TERMS OF INTEREST:

Collateral – All national security information classified CONFIDENTIAL, SECRET, TOP
SECRET under the provisions of an Executive Order for which special Intelligence Community systems of compartmentation (such as, sensitive compartmented information) are not formally established.

Communication Intelligence or “COMINT” – Technical and intelligence information derived from foreign communication by other than the intended recipients.

Communication Security (COMSEC) – Protective measures to prevent unauthorized persons
from receive classified information via telecommunications.

Director of Central Intelligence Directive or “DCID” – The President’s principal foreign intelligence adviser appointed by him with the consent of the Senate to be the head of the Intelligence Community and Director of the Central Intelligence Agency and to discharge those authorities and responsibilities as they are prescribed by law and by Presidential and National Security Council directives.
("Dee-skid"). Several important DCID published.

Foreign Government Information – Information that is (a) provided to the U.S. by a foreign government or governments, and international organization of governments, or any element thereof with the expectation, expressed or implied, that the information, the source of the information, or both, are to be held in confidence; or (b) produced by the U.S. pursuant to or as a result of a joint arrangement with a foreign government or governments or an international organization of governments, or any element thereof requiring that the information, the arrangements, or both, are to be held in confidence.

GAMMA or “G” – Unclassified term used to describe a type of SCI

Limited Distribution or “LIMDIS” – Identify unclassified geospatial information and data which the SecDef may withhold from public disclosure.

Need-to-Know – A determination by an authorized holder of classified information that access to specific classified material in their procession is required by another person to perform a specific and authorized function to carry out a national task. Such person shall process an
appropriate security clearance and access approvals in accordance with DCID 1/14.

Sensitive Compartmented Information or “SCI” – Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director or Central Intelligence. The term does not include Restricted Data as defined in Section II, Public Law 83-703, Atomic Energy Act of 1954, as amended.

Special Access Program or “SAP” – Any program, which may or may not contain SCI, imposing need-to-know and access controls beyond those normally provided for access to CONFIDENTIAL, SECRET, and TOP SECRET information. Such controls may include, but are not limited to, access approval; adjudicative or investigative requirements; special designation of official s authorized to determine need-to-know; or special list or persons determined to have a need-to-know.

TK – Unclassified term used to describe a type of SCI.

Trigraph – A group of three letters used to identify specific country or specific accesses.

Unauthorized Disclosure – A communication or physical transfer or classified information to an unauthorized recipient.

CLASSIFICATIONS MADE EASY (NGA)

2008-09-16T20:49:00.000-07:00

USG CLASSIFICATION AND SECRECY

2008-09-16T20:05:00.000-07:00

The starting point for any discussion of US Government (USG) classification & secrecy is CAPCO:

http://www.danjryan.com/jscrpt.html
http://www.fas.org/sgp/library/moynihan/foreword.html
http://www.gpo.gov/congress/commissions/secrecy/index.

Prior to CAPCO, USG classification was haphazard and inconsistant. DoD, DoS and IC (and DoE as well) each had their own methods and markings, which were largely incompatible.
CAPCO standardized the processes and the markings.

CAPCO is managed by the National Archive, Information Security Oversight Office (ISOO). ISOO produces manuals and guidances on CAPCO, such as ISOO Implementing Directive No. 1
See http://www.archives.gov/isoo/training/marking-booklet.pdf
ISOO Dir No. 1 is the starting point for understanding.

Overarching DoD implementation of this can be found in DoD 5200.1
http://www.fas.org/irp/doddir/dod/5200-1ph/index.html

A more thorough discussion can be found in the NIMA guide (NIMA has since renamed to NGA):
http://ftp.fas.org/sgp/othergov/dod/nimaguide.pdf
Of particualar interest is introduction of the / separators. This document has extensive tables of possible combinations.
Also notes appropriate use of FOUO (and improper use)
Later section go in to great detail about using the full codes.

OpenID

2007-03-22T08:08:00.000-07:00

from freeyourid.com:

go to http://brett.osborne.name (mailto:brett@osborne.name)

Resume (download)

2006-10-16T18:12:00.000-07:00

CISSP+CISM WIKI

to get Word .doc or Acrobat .pdf of resume!

CISM Body of Knowlege/Domains

2006-10-08T17:58:00.000-07:00

• Information security governance
• Risk management
• Information security program(me) management
• Information security management
• Response management

Oh, my words!

2006-10-06T08:13:00.000-07:00

CISSP,CISM,information Assurance,Security,Systems Engineering,
Risk,vulnerability,regulations,standards,ISO,Polic,Architect,Assessment,
audit,firewall,intrusion,control,network

Overview

2006-10-03T07:06:00.000-07:00

Information System Security Professional - 15 years in IT; over 8 years IS Security experience.

Current:
Lockheed Martin (1997)2003-present
Joint Strike Fighter F-35 Program Autonomic Logistic Information System (ALIS)

Expertise:

Information Assurance (Governance) - policy, procedure, standards, compliance
Requirements - creation, revision and validation
Information Security analysis - requirements, initial design, architecture
Information Security - Network and Operating system protections (firewall, intrusion, virus, permissions)
Value: Cost/Technology/Schedule - Program Estimate at Completion, Risk, Basis of Estimate

Certifications:

CISSP - (ISC)2, 2005
CISM - ISACA, 2005

Associations

Information System Security Association (ISSA), Central Florida Chapter President 2006
Information Systems Audit and Control Association (ISACA), 2005 Board
International Council on Systems Engineering (INCOSE), Orlando Chapter Secretary 2006
ISC2 CISSP Exam Supervisor

Qualifications

2006-10-03T07:04:00.000-07:00

Certifications

CISSP
CISM

Other

US DoD Clearance

Top Secret (active)
NATO access
Foreign Government Information

Works, Writings and Publications

2006-10-02T21:28:00.000-07:00

Development of policies, procedures and architecture.
Development and implementation of information technology security methodologies, protocols and technologies (encryption, firewall, technical policies and configurations).
Analysis of applicable regulation and standards such various ISO (e.g. 17799) and NIST (e.g. FIPS and SPs)

Analyze customer need statements.
Compare to guidance, regulation, standards and policies.
Create appopriate policies and/or requirements statements.
Analyze existing requirements for appropriateness, parentage, and allocation.

Occasional expert reference source for publications such as Information Security Magazine, SearchSecurity.com, and Certification Magazine. Occasionally quoted by such on industry issues.

Standards, Regulations, Guidance and Policy

2006-10-02T21:21:00.000-07:00

IETF, IEEE, ISO and other relevant standards
NASA and DoD standards, policies handbooks and guidelines, expecially DoD 8500 and related.
Federal Information Processing Standards (FIPS), NIST, OMB, White House and GAO Standards and Practices
Public Law (P.L.) 100-235, "Computer Security Act of 1987"
Office of Management and Budget Circular No. A-130, "Management of Federal Information Resources"
P.L. 106-398, Government Information Security Reform Act (The Security Act of 2000).
DITSCAP by inference of the above citations
HIPAA
Sarbanes-Oxley
FISMA

Key Technologies

2006-10-02T21:18:00.000-07:00

Firewall; Intrusion detection; Virtual Private Networks, Public Key Infrastructure, and cryptography;
Perimeter Security and Vulnerability Assessment:
Used tools such as ISS Internet Scanner, Nmap, Cheops and Nessus.
Deploy security systems and devices (firewalls, intrusion sensors).

Networks:

Network security technology and practices - routers, firewalls, etc. Configuration, rules, ACLs, protocols, ports.
General Security Functions - anti-virus/malicious, vulnerability management (scanners, security evaluation testing, penetration testing), intrusion controls, VPNs, encryption
DNS
VLAN
IP network design

Operating Systems

Windows

Web Server configuration, especially security managment of services, port, protocols
Operating System secure configuration - services, ports, protocols, permissions/shares

Experience (1)

2006-10-02T20:54:00.001-07:00

Systems Engineer Sr

Lockheed Martin Simulation, Training & Support
09/27/2003-Present
Performs technical planning, system integration, verification and validation, cost and risk, and supportability and effectiveness analyses for total systems. Analyses are performed at all levels of total system product to include: concept, design, fabrication, test, installation, operation, maintenance and disposal.

Includes Requirements analysis for system-wide and subsystem allocation. Analyze and interpret requirements proposed from higher tier organizations.

Ensures the logical and systematic conversion of customer or product requirements into total systems solutions that acknowledge technical, schedule, and cost constraints. Performs functional analysis, timeline analysis, detail trade studies, requirements allocation and interface definition studies to translate customer requirements into hardware and software specifications.

Experience (2)

2006-10-02T20:54:00.000-07:00

Network Security Strategic Design:

apply current and new technologies to the design, development, evaluation, and integration of System Security.
Interact with senior internal and external personnel on significant matters requiring coordination between internal groups and other organizations.
Apply regulations and standards based on a full and competent knowledge of governmental, industry and best practices and principles.
See list below.

Author Security Policies, analyses and other technical documentation at multiple levels.
Demonstrated participation and leadership within several Information Security focused organizations and publications

Experience (3)

2006-10-02T20:53:00.000-07:00

System Engineering in support of developing the System Security Architecture.

Investigated various technologies and methodologies in order to provide most effective solution based on cost, schedule and technical measures. Provided and proposed architectures:

Assessed Security Requirements. Used various methodologies (e.g. DoDAF and NC3TA). Knowledge of various standards (such as NIST and DoD publications, directives & instructions (e.g. FIPS, DoDI/D 8500, NISPOM, DCID6/3), industry standards (e.g. RFCs, ISO 17799, ISO 13335, SSE-CMM) utilized to analyze information risks, gaps and develop requirements. Information System Risk (Threat & Vulnerability management) Analysis. Define and design safeguards and countermeasures appropriate to accepted level of risk and budget.
• Infrastructure Defense, Design Integration and System Analysis:
Worked with interdisciplinary Teams to develop Security Architectures.
Contributing author to Security Architecture
Architecture Development (e.g. DoD Architecture Framework, NATO NC3TA, Open Group TOGAF, etc.)

Experience (4)

2006-10-02T20:51:00.000-07:00

Provide direction on Threat Management, Identification Management.
Support for program financial planning (“Estimate At Completion”) and sub-project pre-proposal.
Reviewed and revised Program Security Requirements, contract analysis; gap analysis
• Program Internationalization Sub-Project
Analysis of multi-national requirements and standards.
Utilized NATO C3 Technical Architecture to create sub-project architecture
Designed preliminary estimate for technical elements.
Correlated ISO standards (ISO 17799, 13335) to program requirements; gap analysis.

System engineering costing estimation:
Estimation of effort of multiple tasks over various periods to occur during seven e year period.

Experience

2006-10-02T17:03:00.000-07:00

Key Experience

Joint Strike Figheter (F-35)
Risk
System Engineering
Requirements
Risk
System Security
Engineering Estimates
CISSP + CISM

Back in to the Chase

2006-10-02T16:47:00.000-07:00

Another mass Reduction in Force. Only second in ten years. Its a love-hate relationship when it comes to governement contracting business (5 years in support of NASA, 4 i/s/o Joint Strike Fighter).