From: Security Professional (redteamer@gmail.com)
Date: Thu Jun 16 2005 - 08:03:01 EDT
Dave,
I hear your concerns. I too perform red teaming for the govt. and
deal with FISMA all the time. The problem with FISMA is that it is
treated as a "check in the box" and not as an important security
mandate. People are "aggrivated" by it and just do the minimum to be
able to check off the box and move on.
This is typical in the govt. most places you go. It's just the nature
of the beast. But, what your team should be doing is not only the
check in the box type tests, but also full blown pen-tests year round.
This needs to be initiated by your immediate supervisor and moved up
the chain from him / her. If it is brought directly to the higher
ups, they won't understand the need for constant red teaming because
they "think" you already have this happening for FISMA requirements.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT