** They lure people with lies to gain sympathy **
Return-Path: gamabuza@babbalu.com
X-OriginalArrivalTime: 25 Mar 2009 04:12:42.0608 (UTC) FILETIME=[F18EDF00:01C9ACFF]
Dear Friend,
I am manager of one of the leading bank in South Africa in my bank We discovered an abandoned large sum of money (US$14.7M) belonging to one of our Foreign Customer Dr. George Brumley, an American Nationality, a businessman, who involved in air crash along with his family. You can confirm from the website below:
http://www.cnn.com/2003/WORLD/africa/07/20/kenya.crash/index.html
I am seeking for your Co-operation to front you as the beneficiary of the funds. No beneficiary, No other person knows about these funds neither operate this account since his death. The Strategy is to use our influence as managers of the bank to approve you as the beneficiary and release the funds over to you. So if you are interested please reply with Telephone, fax, address and occupation for further clarification.
Regards,
Mr. Gary Mabuza.
One C&A package to rule them all?
The federal government has a bunch of Certification & Accreditation (C&A) processes. There is the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) for the DoD, there is Director of Central Intelligence Directive (DCID) 6/3 for certain classified systems, and there is the National Information Assurance Certification & Accreditation Process (NIACAP) for National Security Systems. Under each of these, the process differs according to the branch, leadership, organization and/or mission, and each process, organization, branch and mission pulls from a different set of resources. DIACAP pertains to the military branches and pulls from the DoD 8500 series, while many other federal agencies use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-xx series.
Each agency, organization and/or branch uses its own methods and everyone is happy. The only problem comes when a system gets exploited. When that happens there is mass panic, and they realize that there are massive holes in the process.
Rumors and Trends
There have been rumors floating around about many of these federal C&A processes merging into one. At their core they are actually pretty similar. Take NIST SP 800-37 (C&A of Federal Information Systems) and DoD 8510 (DIACAP), for example. Both have an initial phase where data is gathered on the system and all parties involved with the system are pulled together (see Table 1 for more similarities).
Table 1. Corresponding phases of SP 800-37 and DIACAP (where the activity cell is blank, the DIACAP phase shares the activity listed for the SP 800-37 phase above it).

| Federal C&A Process | Phases | Activities |
|---|---|---|
| SP 800-37 | Initiation Phase | Gather data, get agreement of all stakeholders |
| DIACAP | Initiate & Plan IA C&A | |
| SP 800-37 | Security Certification Phase | IA Control Assessment and agreement |
| DIACAP | Implement & Validate Assigned IA Controls | |
| SP 800-37 | Security Accreditation Phase | Security implementation and assessment |
| DIACAP | Make Cert. Determination & Accreditation Decision | |
| SP 800-37 | Continuous Monitoring Phase | Configuration management; FISMA reporting; sustainment |
| DIACAP | Maintain Authorization to Operate | |
| DIACAP | Decommission | Retire System |