the joy of open agile government security compliance
play

The Joy of Open, Agile Government Security Compliance Using - PowerPoint PPT Presentation

Aug 20, 2023 •350 likes •1.24k views

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

  1. The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme

  2. TOC ➔ How did I get here ➔ What is CivicActions ➔ What is compliance ➔ Making compliance fun ➔ Culture of Security ➔ Next steps Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  3. How did I get here Always had an interest in privacy and security Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  4. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  5. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  6. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  7. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  8. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  9. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  10. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  11. What is CivicActions? Holistic digital government services using human-centered design, Drupal, open data and agile/DevSecOps practices Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  12. CivicActions ➔ 2004 CivicActions founded ◆ Berkeley founders, 100% remote work ➔ 10 years: Empowering at the Edges ◆ Amnesty International, Greenpeace, ... ➔ 2014 Transforming Government ◆ DSCA (DoD) was our first federal client Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  13. CivicActions ➔ 2004 CivicActions founded ◆ Berkeley founders, 100% remote work ➔ 10 years: Empowering at the Edges ◆ Amnesty International, Greenpeace, ... ➔ 2014 Transforming Government ◆ DSCA (DoD) was our first federal client Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  14. CivicActions ➔ 2004 CivicActions founded ◆ Berkeley founders, 100% remote work ➔ 10 years: Empowering at the Edges ◆ Amnesty International, Greenpeace, ... ➔ 2014 Transforming Government ◆ DSCA (DoD) was our first federal client Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  15. CivicActions Agencies served include: Defense Security Cooperation Agency (DSCA) ➔ U.S. Department of Education (DoED) ➔ U.S. Department of Health and Human Services (HHS) ➔ National Science Foundation (NSF) ➔ Federal Communications Commission (FCC) ➔ U.S. Department of Veteran Affairs (VA) ➔ San Francisco Department of the Environment (SFE) ➔ U.S. General Services Administration (GSA) ➔ Smithsonian Museum of Natural History ➔ Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  16. What is this “Compliance”? A condensed history of how federal compliance got here Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  17. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  18. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  19. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  20. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  21. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  22. Federal Compliance 2002 - FISMA became law Origins Federal Information Security Management Act ➔ The process takes 9-18 months, $600K-$1.5m ➔ Grants a 3-year “Authority to Operate” (ATO) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  23. Federal Compliance ➔ 2013 - CDM : Continuous Diagnostics and Origins Mitigation (“Continuous Monitoring”) ➔ 2014 - FISMA (modernization) ➔ 2015 - NIST 800-53r4 : Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: a Security Life Cycle Approach Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  24. Federal Compliance Origins Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  25. Federal Compliance Origins CDM monitoring agents are generally designed for Windows & proprietary software (Microsoft or McAfee) OK, maybe I’m a little biased Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  26. Federal Compliance ➔ 2013 - CDM : Continuous Diagnostics and Origins Mitigation (“Continuous Monitoring”) ➔ 2014 - FISMA (modernization) ➔ 2015 - NIST 800-53r4 : Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: a Security Life Cycle Approach Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  27. Federal Compliance ➔ 2013 - CDM : Continuous Diagnostics and Origins Mitigation (“Continuous Monitoring”) ➔ 2014 - FISMA (modernization) ➔ 2015 - NIST 800-53r4 : Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: a Security Life Cycle Approach Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

Recommend

Agile for the Government Product Owner Agile Government Leadership Outcomes for today

Agile for the Government Product Owner Agile Government Leadership Outcomes for today

Agile for the Government Product Owner Agile Government Leadership Outcomes for today www.AgileGovLeaders.org/Academy Why you should do this course Lesson 1: Introduction To Agile Lesson 1: Reading List What Is Agile? Why Agile In

411 views • 24 slides
The ABS journey so far How Agile is being applied within government in pragmatic ways Presented by:

The ABS journey so far How Agile is being applied within government in pragmatic ways Presented by:

The ABS journey so far How Agile is being applied within government in pragmatic ways Presented by: Juliet Fallace Agile Capability Lead, Australian Bureau of Statistics 1. A waterfall agency to agile 1. Sequenced approach 1. Experimental

523 views • 25 slides
The WJP Open Government Index Juan Carlos Botero and Alejandro Ponce Defining Open Government

The WJP Open Government Index Juan Carlos Botero and Alejandro Ponce Defining Open Government

The WJP Open Government Index Juan Carlos Botero and Alejandro Ponce Defining Open Government The WJP defines open government as a government that shares information, empowers people with tools to hold the government accountable, and fosters

658 views • 33 slides
Open Government Mark Diner Chief Advisor Open Government

Open Government Mark Diner Chief Advisor Open Government

Open Government Mark Diner Chief Advisor Open Government h$p://www.glenbow.org/libhtm/famousf.htm (picture) 2 3 Open Government across the G8 We, the G8, agree that open data

132 views • 12 slides
Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview Qualifications Performance Strategy Experience CPAR 4/4 Secure Agile Respected Partner CMS, DOE Knowledge Sharing FedRAMP

197 views • 16 slides
Open Government 1 What is Open Government? Transparency Citizen Accountability participation

Open Government 1 What is Open Government? Transparency Citizen Accountability participation

Open Government 1 What is Open Government? Transparency Citizen Accountability participation 2 Why is it important? A key Government of Canada priority. A recognized international movement. An opportunity for public servants to

323 views • 11 slides
Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe botchagalupe@gmail.com https://github.com/botchagalupe/my-presentations You cant Lean, Agile, SAFE, Devops or even SRE your way around a bad

534 views • 41 slides
Does e-government improve government capacity? Evidence from tax compliance cost, tax revenue and

Does e-government improve government capacity? Evidence from tax compliance cost, tax revenue and

Introduction and motivation Empirical strategy Results Conclusion Does e-government improve government capacity? Evidence from tax compliance cost, tax revenue and public procurement competitiveness Anna Kochanova, Zahid Hasnain

558 views • 22 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R A C K Vendor? Customer? In-house team? New to agile? Some agile? 100% agile? Questions, feedback on Twitter #SellingAgile The Story 1.

918 views • 54 slides
Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places

906 views • 32 slides
FAST Agile Radical Disruption and New Method to Scaling Agile Ron Quartel A SCALABLE WAY OF

FAST Agile Radical Disruption and New Method to Scaling Agile Ron Quartel A SCALABLE WAY OF

FAST Agile Radical Disruption and New Method to Scaling Agile Ron Quartel A SCALABLE WAY OF SELF-ORGANIZING PEOPLE AROUND WORK VIA OPEN SPACE Ron Quartel @ronquartel Software Developer 20 years Agile developer since 2002 (Extreme

767 views • 58 slides
Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Pole Vaulting over Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places Consulting, Research,

581 views • 32 slides
The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE Collaboration 2009 Fermi Symposium 2 - 5 November 2009, Washington AGILE on PSLV-C8 Sriharikota, India The AGILE April 15, 2007 Payload: the most

853 views • 38 slides
Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for Software and Systems Engineering ISST (Dortmund, Germany) http://jan.jurjens.de Security is the Major Show-Stopper Jan Jrjens: Security and Compliance

768 views • 18 slides
Technology Transformation Service transform government services government practices government

Technology Transformation Service transform government services government practices government

Technology Transformation Service transform government services government practices government culture peoples lives What makes up TTS? 18F Custom Partner Solutions Products & Platforms Transformation Learn Office of Agile BPA

572 views • 14 slides
Data Management and Open Access PSFC Strategy for Compliance Martin Greenwald, Mark London, Josh

Data Management and Open Access PSFC Strategy for Compliance Martin Greenwald, Mark London, Josh

Data Management and Open Access PSFC Strategy for Compliance Martin Greenwald, Mark London, Josh Stillerman, Jason Thomas February 25, 2016 New Government-Wide Regulations Are Aimed at Preserving and Sharing the Results of Publicly Funded

107 views • 9 slides
Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without Increasing the Headcount Anderson Maranho Ventura Dadario Information Security Flare Security, So Paulo, Brazil anderson@dadario.com.br

428 views • 3 slides
Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl

Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl

Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl Director, Physical Security & Deputy CSO October 31, 2018 Substation Security Program Project established fall 2013 On site evaluations

235 views • 6 slides
When devops meets security Michael Brunton-Spall I'm from the Government and I'm here to

When devops meets security Michael Brunton-Spall I'm from the Government and I'm here to

When devops meets security Michael Brunton-Spall I'm from the Government and I'm here to help I'm from security and I'm here to help Government Digital Service Simpler, Clearer, Faster The state of information security in 2015

844 views • 70 slides
IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name is Adrian Wiesmann. I work as an IT Security Officer for a Swiss Financial Institute and my daywork is to bother, to pester and to annoy to help

638 views • 39 slides
Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS ROCK CK S STEVENS, KEVIN HALLIDAY, MICHELLE MAZUREK // UNIV IVERSIT ITY O OF M MARYLAND JOSIAH DYKSTRA, JAMES CHAPMAN, ALEX FARMER //

290 views • 27 slides
Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

LASER Workshop 2020 Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards Rock Stevens , Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer

345 views • 22 slides
Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE

Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE

HOW TO EMBED SECURITY INTO AGILE? Momchil Karov VanSecSIG Best Buy Canada Oct 12, 2018 1 PRESENTED BY: (A.K.A. THE WHO AM I SLIDE) Momchil Karov, MSc., CISSP Principal Security Architect Enterprise Risk and Compliance Best

777 views • 44 slides

More recommend