[00:00:00] In this lesson, we'll talk about step five in the real world. Now, step five is the assess step. Now, when it comes to the assess step, our purpose is to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization. As we look at our assess step, we really have eight main outcomes. First, we want the assessor or assessment team to be selected. Second, we need to develop our security and privacy assessment plans. Third, we need to review and approve those assessment plans. Fourth, our control assessments are going to be conducted in accordance with the assessment plans. Fifth, security and privacy assessment reports are going to be developed. Sixth, remediation actions to address deficiencies in the controls are undertaken. Seventh, security and privacy plans are updated to reflect control implementation changes based on the assessment and remediation actions we took.
[00:00:58] And eighth, our plan of action and milestones has been developed and is ready for action. So as we look at the assess step, we are really now going to be focused on going through and determining if our controls have been put in place properly from our implementation standpoint. This means we've prepared, we've categorized, we've selected controls, and we've implemented those controls, but now we're verifying that we actually implemented them properly and we're getting the outcome that we expected from those controls. Now, in general, I find the assess step to be one of the easiest steps inside of the risk management process. The reason I say this is because the assess phase is really an open book exam. Generally, you're not going to be assessing yourself, and instead you're going to have a third party assessor or an assessment team come in and do this type of assessment for you.
[00:01:46] Now, that team may not be an external third party, but generally speaking, the assessment of your system against the risk management framework controls is going to be done by some kind of person who doesn't report to you through the same reporting chain. For example, it might be that I'm working on one ship inside the US Navy and you're working on another ship in the US Navy. So when I need a system looked at, you can assess my system, and conversely, when you need a system assessed, I can go and look at your system. That type of assessment trade happens all the time inside the Department of Defense, and this is a way that allows you to be able to have some autonomy when you're assessing a system, because you don't work for that person and they're not the person who's signing your paycheck or signing your annual evaluation report. And so you as an assessor really do have the ability to tell them what is wrong with the controls as they've implemented them so we can have a more secure system.
[00:02:38] Essentially, when it comes time to do an assessment, the assessor is going to follow a guide, and that guide is going to contain all of the assessment procedures for the controls you selected. Those controls will come from the (indistinct) special publication 800-53, which is part of our risk management framework, and specifically it is that 500 page document that contains all of the different categories and controls that we can use inside of RMF. Now, my secret to being successful during this project actually is by reading the checklist. That's what I like to do first. I like to go in there in advance and see exactly if they have all the right documentation in place, because if I see that somebody doesn't have their documentation in place, this usually means they didn't implement their controls properly either. And so this is a quick way to see: are they ready for you to come in as an assessor?
[00:03:26] Because if they can't provide you with all the documentation you're expecting, that can be a case where they're not ready for you to actually come in as an assessor, and they're just going to be wasting your time. So you may want to tell them, "Hey, here's what I need from you. Once you have it, then I'll schedule your assessment." In addition to this, once you start performing the assessment, I want you to remember three key words: observe, interview, and test. These are the three things we do as part of our assessment. Now, when I talk about observe, I'm talking about going and watching something happening. For example, let's say that you said the screen lock was one of your controls and that it should be turned on if somebody walks away from the computer for more than two minutes. Well, what should you do? I would go up behind somebody as part of my assessment and say, "Don't touch your mouse or keyboard," and start a stopwatch. And we would wait for two minutes. After two minutes, does that system lock itself?
[00:04:17] If it does, they pass that test, because you've observed that it's doing what it was supposed to do. Now, I know that's kind of a simple example, but it is one of those controls that you're going to see all of the time as an assessor. Now, in addition to observing something happening like that, we can also go to our second thing, which is interview. Now, with interview, we're going to go and talk to people. So I might go around their office and say, "Hey, if you get up from the computer and it's been two minutes, does your computer lock?" If they say yes, that tells me yes, that control is effective. They are seeing it in action. Now, with that example, I would probably just observe it, because it's a more efficient way of doing it, but some things you can't directly observe. For example, let's say there was some kind of an administrative or management policy that everybody was supposed to be following.
[00:05:00] Well, if I go in and interview their staff and ask them about that policy, and their staff says, "I don't know what policy you're talking about," that policy is not effective, and therefore it's not meeting the outcomes that we desire from that control, and therefore we can mark that down as part of our assessment, based on the interview, that we know they're not following that policy. Now, the third thing we can do is we can test something. For example, let's say that they said they've enabled multifactor authentication on everybody's accounts because that's one of their controls. As the assessor, how can I test that? Well, one way would be for me to go and look at a couple of people as they're trying to log in. That could be an observation where I watch somebody log in and see if they actually log in using multifactor authentication. Another way that I can actually test that, though, would be for me to say, "Hey, I need a user account to use during my assessment. Go and provision me a user account called Jason."
[00:05:50] So they go off and create an account. They give me the username and password, and I try logging in to the system. If I can log in to the system using just a username and password, guess what? They failed the test, because that's not multifactor authentication. That is a single factor. Both of those are considered knowledge factors, because I know my username and I know my password. Alternatively, if they provision my account and said, "Now when you log in, you're going to get a text message to your cell phone that's going to give you that second factor of authentication as a one time use code," that means they're meeting MFA, or multifactor authentication. Or maybe they tied it to an RSA key fob, or they tied it to a smart card with a PIN number. Any of these would work to meet the MFA, or multifactor authentication, requirement. The idea here is we can test these things by asking them to create an account and then try to log in with that account to see if that works.
[00:06:38] If it does and I only used a single factor, they failed the test. If that login required me to use two factors, then they pass that test. And we can do this for all of the different controls we have. Now, a lot of your controls are going to be based on things like verifying that security patches have been enabled. To do that, you can run a vulnerability scan using something like Nmap or Nessus or OpenVAS or Qualys or any of these different tools. All of those would be a way for you to test that that system is up to date with the latest security patches based on all known vulnerabilities that are out there. Now remember, money and time are not infinite. So as an assessor, and the organization that's hiring the assessor, you have to determine exactly what the priorities are going to be. For example, you're going to have communications with the authorizing official at the beginning of your assessment to determine what things they really care about.
[00:07:27] One assessment I did in the past, when I arrived, I first met with the authorizing official, and I asked them, "What are the things that keep you up at night? What are the things that really worry you?" And based on their responses, I then tailored my assessment and my test plan based on those things, because those are the things that the authorizing official was really focused on. And so since I knew I was only going to be at that facility for one week, I wanted to make sure the things I was really spending all my time on were the things that that authorizing official cared about. In that particular case, the authorizing official was really focused on things like data at rest encryption, data in transit encryption, data in process encryption, ensuring their security patches were being done on a timely basis, making sure multifactor authentication was being used, and things like that.
[00:08:09] And knowing that those were the things that were at the top of their list, I could then prioritize those and make sure I did those on days one, two, and three, and then any extra time I had on days four and five I could then focus on the rest of my checklist. This is the idea of making sure you're taking into account that, because your time and money are not going to be infinite, you really do need to have a good scoping of your assessment plan, and the way to do this most effectively is going to be by meeting with that authorizing official up front. Because at the end of the day, our goal as an assessor is to validate if they've met the requirements and implemented their controls properly, so they can get an ATO, an authorization to operate, from that authorizing official.
[00:08:46] To help with that, we as assessors need to help ensure that we're giving the authorizing official the information they need, specifically the information they care about, in order to make a good risk based decision based on this seven step RMF process. Now, another example I've had in the past as an assessor is when I went and checked on if people were doing logging. Now, logging is one of those controls that you should have as a detective control on all of your systems. Now, when I asked, "Do you do logging?" they said, "Yes." I said, "Okay, check, move on." That's as far as I needed to go if I was doing an interview based assessment. But in addition to that, I might say, "Well, show me your logs." Now I'm testing them and verifying they actually did it and not just taking their word for it. In this case, they can go into the system and show me their logs, and in this case they did. Now, I said, "Okay, how often do you rotate your logs?" They said, "Oh, we rotate them every seven days."
[00:09:39] And I said, "Well, that's a problem, because according to your controls you need to have at least 30 days worth of logs on site and another six months offsite. How are you meeting that requirement if you're rotating your logs every seven days?" And based on that, they weren't meeting the control as implemented. Now, they could have been doing everything else with logging right. For example, they were encrypting the logs, and they were sending them offsite after that seven day period as part of the rotation, and all of the other things, and they showed me all of that. But the problem is the control said they needed 30 days and they were only using seven days. So they failed that check, and that was something that got added to their plan of action and milestones for them to go back and increase their storage space for logs so they can hold 30 days worth of logs on site. And that's the idea here when we talk about observing, interviewing, and testing as our three different actions that we take as an assessor.
[00:10:26] Now, the final piece of advice I have when it comes to the assessment piece in the real world is that it's important that you give grace to other people that you're working with during this process. As you're going through and testing all of these different controls, one of the things you're going to be doing is working a lot with both those people who selected the controls and the people who implemented those controls. Now, often those two people may not get along, and they can be pointing fingers at each other about whose fault it is. As the assessor, you really don't care whose fault it is; you care whether or not that system is going to be secure. Now, I will tell you, no system you assess is going to pass 100% of your checks. Instead, you're going to find a laundry list of things that could be improved, and that's okay.
[00:11:07] As you're going through the systems, it's important to document everything you find that is not optimal, and those things can be recommendations for improvement and things that'll get added to their (indistinct) to increase the security of that system and minimize its risk. In addition to this, as you're working with these folks, you're going to be asking a lot of questions, and sometimes those people you're asking may not have the answer. Oftentimes, they've implemented something because they were told to do it by somebody higher up in the organization. For example, one of the controls might be to do file integrity monitoring. Now, there's lots of different tools out there that you can use to be able to perform file integrity monitoring. And as you're going through this checklist and you ask them questions about it as part of your interview, you may find out that the person you're talking to doesn't really know how file integrity monitoring works on that particular system.
[00:11:54] They were just told as a system administrator to install XYZ tool. Now, XYZ product vendor knows exactly how that tool works and why it provides that ability. But if you're asking that system administrator how it works, they may look at you like you have a third eye in the middle of your forehead, because they just don't know the answer. In these cases, they may feel like you're asking ridiculous or silly questions or trying to make them look stupid, and that's not really your goal as an assessor. Your goal is to make sure the organization is well protected and that the system has a reasonable level of risk associated with it before the authorizing official gives you an ATO, or authority to operate, for that system. In order to help with this, it's important that you use your soft skills and understand that these people are not your enemies.
[00:12:35] Your job as an assessor is not to beat up the staff, but it's to get this package through the risk management framework process and going through all seven steps until we can get that authorization to operate and get that system online. Now, sometimes it may feel like a battle or a war and that they're adversarial, but don't treat 'em that way, because if you do, their defenses will go up and they will just be harder to work with, and it's going to make your job as an assessor much more difficult. So remember, soft skills are really important in this world, especially when you're coming into the organization as an outsider, because you're this assessor, this third party who's coming in from the outside, and you're going through all the work they've already done to validate all their controls are properly implemented and that they're providing the security they think they are.