Archive for March, 2009
URGENT CONCEPT!! Plane Crashed Send Money (SCAM)

** They lure people with lies to gain sympathy **

Return-Path: gamabuza@babbalu.com
X-OriginalArrivalTime: 25 Mar 2009 04:12:42.0608 (UTC) FILETIME=[F18EDF00:01C9ACFF]

Dear Friend,

I am the manager of one of the leading banks in South Africa. In my bank we discovered an abandoned large sum of money (US$14.7M) belonging to one of our foreign customers, Dr. George Brumley, an American national and businessman, who was involved in an air crash along with his family. You can confirm this from the website below:

http://www.cnn.com/2003/WORLD/africa/07/20/kenya.crash/index.html

I am seeking your co-operation to front you as the beneficiary of the funds. There is no beneficiary, and no other person knows about these funds or has operated this account since his death. The strategy is to use our influence as managers of the bank to approve you as the beneficiary and release the funds over to you. So if you are interested, please reply with your telephone, fax, address and occupation for further clarification.

Regards,

Mr. Gary Mabuza.

New Certification & Accreditation Process (Rumor)

One C&A package to rule them all?

The federal government has a bunch of Certification & Accreditation processes. There is the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) for the DoD, there is Director of Central Intelligence Directive (DCID) 6/3 for certain classified systems, and there is the National Information Assurance Certification & Accreditation Process (NIACAP) for National Security Systems. Under each of these, the processes differ according to the branch, leadership, organization and/or mission. Each process, organization, branch and mission has a different set of resources that it pulls from: DIACAP pertains to the military branches and pulls from the DoD 8500 series, while many other federal agencies use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.

Each agency, organization and/or branch uses its own methods and everyone is happy. The only problem comes when a system gets exploited: then there is mass panic and they realize that there are massive holes in the process.

Rumors and Trends

There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37, C&A of Federal Information Systems, and DoD 8510, DIACAP, for example. Both have an initial phase where data is gathered on the system and all parties involved with the system are pulled together (see Table 1 for more similarities).

Table 1. Federal C&A process phases compared (activities are shared by the SP 800-37 phase and the DIACAP phase listed beneath it)

Federal C&A Process   Phases                                              Activities
SP 800-37             Initiation Phase                                    Gather data, get agreement of all stakeholders
DIACAP                Initiate & Plan IA C&A                              Gather data, get agreement of all stakeholders
SP 800-37             Security Certification Phase                        IA control assessment and agreement
DIACAP                Implement & Validate Assigned IA Controls           IA control assessment and agreement
SP 800-37             Security Accreditation Phase                        Security implementation and assessment
DIACAP                Make Cert. Determination & Accreditation Decision   Security implementation and assessment
SP 800-37             Continuous Monitoring Phase                         Configuration management; FISMA reporting; sustainment
DIACAP                Maintain Authorization to Operate                   Configuration management; FISMA reporting; sustainment
DIACAP                Decommission                                        Retire system
