The Authority to Operate (ATO) is necessary to work in the system of US federal government agencies. My recent Journal article provides details on how to obtain the authority to operate. The following steps can help US enterprises gain the approval to operate with the federal government:
● Ensure confidentiality, integrity and availability—The first necessary step toward achieving ATO is confidentiality, integrity and availability (CIA). This means that only approved people can get in, any changes to the system or data are genuine, and the system is up and ready for use.
● Embrace the NIST 800-53 control families—Every family is a tightly knit assembly of controls with a dash-one, or parent control, followed by offspring controls that dive deep into the security measure. For instance, the Access Control Family starts with the dash-one control of access control policy. It is followed by more detailed controls to be implemented and assessed, such as Account Management and Access Enforcement. Using the lists of controls within each of the 18 NIST control families allows users to demonstrate security that is in place or being planned.
● Keep the evidence—Just like in any operational process, you create or gather documentation to delineate the process and what has taken place. Just like any trail or audit, you keep evidence of the path you have taken. The ATO process allows you to gather and store all the security documentation. This serves well in building a case for the security posture of your system and how it fits into your federal agency’s risk profile.
My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management. This is a topic that keeps me awake at night and should be of major concern to the whole audit community.
In short, SSH is a tool for systems management, automation and file systems, and it is used in every data center in every major enterprise. It introduced a new authentication mechanism based on cryptographic keys, called public key authentication. Unfortunately, in the default configuration, OpenSSH allows any user to provision new credentials for themselves and their friends, and these credentials never expire—not even when the user’s account is removed if the credentials have been added to a service account.
A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions. In general, these solutions try to attain the following goal(s):
Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:
We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.
As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements mentioned in the standard. The regulation is applicable to all organizations that store, process and transmit any personal data related to an EU resident. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply to even those organizations that may not have a presence in the EU, but are processing or accessing the personal data of EU data subjects.
Exponential increases in the computing power and availability of massive data sets, among other factors, have propelled the resurgence of artificial intelligence (AI), bringing an end to the so-called AI winter—a bleak period of limited investment and interest in AI research. Commercial deployment of AI systems is fast becoming mainstream as businesses seek to gain deeper customer insights, lower operating costs, improve efficiency or boost agility.
The proliferation of AI raises intriguing opportunities; however, associated risk exists, and it should be considered, as its impacts can result in significant consequences. My recent Journal article provides practical strategies to mitigate 3 crucial risk factors associated with the commercial adoption of AI: