architectural drivers through compliance requirements during each phase of the
system development life cycle:
- Technical infrastructure IA² verification
  - C&A procedures (e.g., NIST SP 800-37, NIACAP, DITSCAP)
  - SSE-CMM
- Development IA² verification
  - Common Criteria
  - SEI-CMM/SEI-CMMI
- Administrative IA² verification
  - COOP tabletop exercises
- Business process IA² verification
  - Is X [consistent | extensible | scalable | auditable | agile | process oriented | as simple as it can be | as complex as it needs to be, but no more | etc.], where X is a policy, process, procedure, plan, tool, intelligence gathering, intelligence processing, end-user interface, end-user data collection, etc.?
- Training, education, and awareness (SETA)
  - NIST training standards in SP 800-50 and SP 800-16
SETA effectiveness metrics measure the success of dissemination, awareness, understanding, and compliance.

Dissemination metrics may track the number of communications sent (number of e-mails, snail-mails, Web pop-ups, voice mail reminders, and live training sessions via conference call or online chat). Awareness metrics may track the number of communications read (number of e-mails opened via return receipt, pop-up acknowledgments, voice mail retrievals, and live session attendees). Consider providing a survey; consider using statistical sampling to avoid involving the entire employee population. Understanding metrics are derived from a quiz or survey with required participation. Finishing the quiz sends a unique employee identifier plus a score. Compliance metrics track the number of calls to the help desk or security desk since the training/awareness program, or track the number of violations since the training/awareness program compared to pre-training/awareness.
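The four SETA metric classes above can be computed from a small amount of tracking data. The following is an added Python example (not from the book) that scores dissemination, awareness, understanding, and compliance from constructed sample counts, and also sizes a statistical sample for a survey so the whole employee population need not be polled. The channel names, employee identifiers, counts, and the 80-point pass mark are assumptions chosen for illustration; the sample-size formula is the standard proportion estimate (z²·p(1−p)/e²) with a finite-population correction.

```python
"""SETA effectiveness metrics over constructed sample data (added example)."""
from dataclasses import dataclass, field
import math


@dataclass
class SetaCampaign:
    """Tracking counts for one training/awareness campaign.

    All values below are constructed for the example; a real program would
    pull them from mail return receipts, pop-up acknowledgment logs, the quiz
    system, and the help/security desk ticketing system.
    """
    sent: dict = field(default_factory=dict)        # dissemination: sent per channel
    read: dict = field(default_factory=dict)        # awareness: confirmed read/attended per channel
    quiz_scores: dict = field(default_factory=dict) # understanding: employee id -> score (0-100)
    roster: set = field(default_factory=set)        # employees required to take the quiz
    violations_before: int = 0                      # compliance: violations before the program
    violations_after: int = 0                       # compliance: violations after the program


def dissemination_total(c: SetaCampaign) -> int:
    """Total communications sent across all channels."""
    return sum(c.sent.values())


def awareness_rate(c: SetaCampaign) -> float:
    """Fraction of sent communications that were confirmed read or attended."""
    sent = dissemination_total(c)
    return sum(c.read.values()) / sent if sent else 0.0


def understanding(c: SetaCampaign, pass_mark: int = 80) -> tuple:
    """(mean score, pass rate, participation rate) from the quiz results.

    Participation is measured against the roster because the quiz is mandatory;
    each employee id is counted once, matching the 'unique identifier plus score'
    submission described in the text.
    """
    scores = list(c.quiz_scores.values())
    if not scores:
        return 0.0, 0.0, 0.0
    mean = sum(scores) / len(scores)
    pass_rate = sum(1 for s in scores if s >= pass_mark) / len(scores)
    participation = len(set(c.quiz_scores) & c.roster) / len(c.roster) if c.roster else 0.0
    return mean, pass_rate, participation


def compliance_change(c: SetaCampaign):
    """Relative change in violations after the program; negative means fewer violations."""
    if c.violations_before == 0:
        return None  # no baseline to compare against
    return (c.violations_after - c.violations_before) / c.violations_before


def survey_sample_size(population: int, margin: float = 0.05,
                       z: float = 1.96, p: float = 0.5) -> int:
    """Employees to survey for a proportion estimate at the given margin of error.

    Uses n0 = z^2 * p * (1 - p) / margin^2 (p = 0.5 is the most conservative
    choice) and then applies the finite-population correction.
    """
    n0 = (z ** 2) * p * (1 - p) / (margin ** 2)
    n = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n)


def seta_report(c: SetaCampaign) -> dict:
    """Collect all four metric classes into one dictionary."""
    mean, pass_rate, participation = understanding(c)
    return {
        "dissemination_sent": dissemination_total(c),
        "awareness_rate": awareness_rate(c),
        "understanding_mean": mean,
        "understanding_pass_rate": pass_rate,
        "understanding_participation": participation,
        "compliance_change": compliance_change(c),
    }


# Constructed sample campaign: 1,040 communications sent, 800 confirmed read,
# four quiz takers out of a five-person roster, violations down from 40 to 28.
SAMPLE = SetaCampaign(
    sent={"email": 500, "popup": 500, "live_session": 40},
    read={"email": 320, "popup": 450, "live_session": 30},
    quiz_scores={"e001": 90, "e002": 70, "e003": 85, "e004": 100},
    roster={"e001", "e002", "e003", "e004", "e005"},
    violations_before=40,
    violations_after=28,
)

if __name__ == "__main__":
    for key, value in seta_report(SAMPLE).items():
        print(f"{key}: {value}")
    print("survey sample size for 2000 employees:", survey_sample_size(2000))
```

The compliance figure is only meaningful against a baseline, which is why `compliance_change` returns `None` rather than a number when no pre-training count exists; a rate that drops while reported help-desk calls rise may also indicate that awareness, not misbehaviour, changed, so the two compliance counts are best read together.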
8.8 Privacy
Webster defines privacy as “the quality or state of being apart from company or observation; freedom from unauthorized intrusion.”* The Privacy Act 1974 mentions “privacy” five times and does not provide a definition. The Health Insurance Portability and Accountability Act (HIPAA) Final Privacy Rule (FSR) mentions

* http://www.webster.com/cgi-bin/dictionary?book=Dictionary&va=privacy (accessed December 2004).