Wednesday, February 15, 2012

atsec information security at the 2012 RSA

Austin/Munich – As in previous years, atsec will again be offering information about its range of IT security testing and evaluation services at the 2012 RSA conference in San Francisco, CA (February 27th to March 2nd). This includes Common Criteria evaluation, FIPS 140-2 cryptographic module and cryptographic algorithm testing, NASPO compliance, GSA FIPS 201 personal identity verification evaluation and testing, ISO/IEC 27001 consulting, and general IT consulting services.
We invite you to come and talk to us (booth 1342-15) about your IT security needs. You will have the opportunity to chat with a number of knowledgeable IT security experts:

  • Salvatore la Pietra, CEO
  • Helmut Kurth, Chief Scientist
  • Fiona Pattinson, Director of Business Development and Strategy
  • Gerald Krummeck, CC Laboratory Manager, Germany
  • Kenneth Hake, CC Laboratory Manager, U.S.
  • Yi Mao, Ph.D., Deputy CST Laboratory Manager, U.S.
  • Jeremy Powell, Deputy CC Laboratory Manager, U.S.
More information about the conferences and atsec is available at:

Friday, January 20, 2012

FRITSA: Do You Understand How all of your IT Security Assurance Efforts fit Together?

On January 19th Fiona Pattinson gave a presentation titled “FRITSA: Do You Understand How all of your IT Security Assurance Efforts fit Together?” at the ISSA Austin chapter's monthly meeting.



The presentation is now available for download on our website.

Wednesday, January 11, 2012

Happy Birthday, atsec!

Austin, Munich, Stockholm, Beijing – On the 11th of January, atsec celebrates its 12th birthday. As always, our best wishes and thanks to all of the contributors: our customers, our partners, and our employees. A lot has happened during these years and we invite you to take a look at our news section to get an overview of the events of 2011.
This year R.G. "Jerry" Converse of Fulbright & Jaworski L.L.P. took up the pen and sent us this birthday greeting:

“Happy Birthday, atsec!
You are not an ordinary 12-year-old! Your knowledge and wisdom extend well beyond your years. Some of the best people in the world work at atsec and make it what it is today. We at Fulbright & Jaworski LLP are honored to list atsec information security corporation among its clients.
Our best wishes to you for many more years of success.”
R.G. "Jerry" Converse
Fulbright & Jaworski L.L.P.

Friday, January 6, 2012

Austin ISSA

I enjoy having the opportunity to support our local security community and so I am very happy to have the opportunity to present to the Austin ISSA on January 19 (Thursday) - 11:30am to 1pm.

In this presentation I will explain a little about IT security assurance, describing basic concepts about what security assurance is, and what it is not. I will also explain the framework used in the IT security industry that attempts to make sense of all of those disparate security claims (from ISO/IEC 27001, FISMA compliance, FIPS 140-2, Common Criteria, personnel certifications, PCI compliance, etc, etc).

This presentation is derived from the work currently being performed in ISO's JTC1 SC27 (IT security techniques subcommittee) in revising ISO/IEC 15443, a Framework for IT Security Assurance (FRITSA).

- Fiona Pattinson

Saturday, December 17, 2011

FedRAMP Industry Day

I've been watching the FISMA implementation program and the related Federal Risk and Authorization Management Program (FedRAMP) for quite some time now, and on Friday the 16th December, 2011, I was lucky enough to be able to attend the FedRAMP Industry Day, hosted by GSA.

Building on the recent announcement of the OMB's FedRAMP Policy memo giving the requirements for a standardized program for the security assessment, authorization, and continuous monitoring for cloud products and services, presenters from GSA and NIST described the program built through a collaboration of several agencies including NIST, GSA, DHS, the DoD, the OMB and others. The program introduces an innovative policy approach to developing trusted relationships between Executive departments and agencies and cloud service providers (CSPs).

My impression of the proposed program is refreshingly good. The evident co-operative philosophy between the agencies coupled with an outline of a program that described goals aimed at providing the right assurance to those who need it indicated to me that a lot of active listening has been happening over the past months. Paying attention to lessons learned in the conformance assessment sector, and an emphasis on appropriate standards has led to the definition of what I hope will be a successful program. An emphasis on the quality of third party assessors from the outset is a good place to start when a program based on trust is being established. It's a shame that not all conformity assessment programs have that same philosophy.

The program should be up and running during the course of 2012, so we won't have to wait too long to see if my prediction is true. Of course I would expect to see a few teething problems, as I would with any new program.

The program has updated the FedRAMP web page recently. FAQs, the OMB policy and the requirements for third party assessor organizations (3PAO) are all to be found here.

- Fiona Pattinson