the joy of open agile government security compliance
play

The Joy of Open, Agile Government Security Compliance Using - PowerPoint PPT Presentation

Aug 20, 2023 •350 likes •1.24k views

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

  1. The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme

  2. TOC ➔ How did I get here ➔ What is CivicActions ➔ What is compliance ➔ Making compliance fun ➔ Culture of Security ➔ Next steps Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  3. How did I get here Always had an interest in privacy and security Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  4. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  5. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  6. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  7. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  8. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  9. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  10. Fen’s backstory ➔ 1977 Ron Rivest & Adi Shamir ➔ 1981 NewsPeek (social media) ➔ 1983 Broadcatch ➔ 1986 WELL Peace host, EFF ➔ 1992 Cypherpunks, General Magic ➔ 1994 P3P, XRI, IDCommons ➔ 2005 CivicActions... Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  11. What is CivicActions? Holistic digital government services using human-centered design, Drupal, open data and agile/DevSecOps practices Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  12. CivicActions ➔ 2004 CivicActions founded ◆ Berkeley founders, 100% remote work ➔ 10 years: Empowering at the Edges ◆ Amnesty International, Greenpeace, ... ➔ 2014 Transforming Government ◆ DSCA (DoD) was our first federal client Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  13. CivicActions ➔ 2004 CivicActions founded ◆ Berkeley founders, 100% remote work ➔ 10 years: Empowering at the Edges ◆ Amnesty International, Greenpeace, ... ➔ 2014 Transforming Government ◆ DSCA (DoD) was our first federal client Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  14. CivicActions ➔ 2004 CivicActions founded ◆ Berkeley founders, 100% remote work ➔ 10 years: Empowering at the Edges ◆ Amnesty International, Greenpeace, ... ➔ 2014 Transforming Government ◆ DSCA (DoD) was our first federal client Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  15. CivicActions Agencies served include: Defense Security Cooperation Agency (DSCA) ➔ U.S. Department of Education (DoED) ➔ U.S. Department of Health and Human Services (HHS) ➔ National Science Foundation (NSF) ➔ Federal Communications Commission (FCC) ➔ U.S. Department of Veteran Affairs (VA) ➔ San Francisco Department of the Environment (SFE) ➔ U.S. General Services Administration (GSA) ➔ Smithsonian Museum of Natural History ➔ Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  16. What is this “Compliance”? A condensed history of how federal compliance got here Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  17. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  18. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  19. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  20. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  21. Federal Compliance ➔ 1995 British Standard BS 7799 Origins ➔ Code of practice for information security management ➔ 1996 HIPAA ➔ 2002 SOX (Sarbanes-Oxley) ➔ 2004 PCI DSS v1 ➔ 2005 BS 7799 adopted as ISO 27000 (latest revision in 2013) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  22. Federal Compliance 2002 - FISMA became law Origins Federal Information Security Management Act ➔ The process takes 9-18 months, $600K-$1.5m ➔ Grants a 3-year “Authority to Operate” (ATO) Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  23. Federal Compliance ➔ 2013 - CDM : Continuous Diagnostics and Origins Mitigation (“Continuous Monitoring”) ➔ 2014 - FISMA (modernization) ➔ 2015 - NIST 800-53r4 : Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: a Security Life Cycle Approach Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  24. Federal Compliance Origins Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  25. Federal Compliance Origins CDM monitoring agents are generally designed for Windows & proprietary software (Microsoft or McAfee) OK, maybe I’m a little biased Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  26. Federal Compliance ➔ 2013 - CDM : Continuous Diagnostics and Origins Mitigation (“Continuous Monitoring”) ➔ 2014 - FISMA (modernization) ➔ 2015 - NIST 800-53r4 : Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: a Security Life Cycle Approach Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

  27. Federal Compliance ➔ 2013 - CDM : Continuous Diagnostics and Origins Mitigation (“Continuous Monitoring”) ➔ 2014 - FISMA (modernization) ➔ 2015 - NIST 800-53r4 : Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems: a Security Life Cycle Approach Drupal GovCon 2019 | The Joy of Open, Agile Government Security Compliance | Fen Labalme | @OpenPrivacy | @CIVICACTIONS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agile for the Government Product Owner Agile Government Leadership Outcomes for today

Agile for the Government Product Owner Agile Government Leadership Outcomes for today

Agile for the Government Product Owner Agile Government Leadership Outcomes for today www.AgileGovLeaders.org/Academy Why you should do this course Lesson 1: Introduction To Agile Lesson 1: Reading List What Is Agile? Why Agile In

411 views • 24 slides
The ABS journey so far How Agile is being applied within government in pragmatic ways Presented by:

The ABS journey so far How Agile is being applied within government in pragmatic ways Presented by:

The ABS journey so far How Agile is being applied within government in pragmatic ways Presented by: Juliet Fallace Agile Capability Lead, Australian Bureau of Statistics 1. A waterfall agency to agile 1. Sequenced approach 1. Experimental

523 views • 25 slides
The WJP Open Government Index Juan Carlos Botero and Alejandro Ponce Defining Open Government

The WJP Open Government Index Juan Carlos Botero and Alejandro Ponce Defining Open Government

The WJP Open Government Index Juan Carlos Botero and Alejandro Ponce Defining Open Government The WJP defines open government as a government that shares information, empowers people with tools to hold the government accountable, and fosters

658 views • 33 slides
Open Government Mark Diner Chief Advisor Open Government

Open Government Mark Diner Chief Advisor Open Government

Open Government Mark Diner Chief Advisor Open Government h$p://www.glenbow.org/libhtm/famousf.htm (picture) 2 3 Open Government across the G8 We, the G8, agree that open data

132 views • 12 slides
Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview

Secure Agile Development With FISMA Compliance https://www.fyrmassociates.com/ FYRM Overview Qualifications Performance Strategy Experience CPAR 4/4 Secure Agile Respected Partner CMS, DOE Knowledge Sharing FedRAMP

197 views • 16 slides
Open Government 1 What is Open Government? Transparency Citizen Accountability participation

Open Government 1 What is Open Government? Transparency Citizen Accountability participation

Open Government 1 What is Open Government? Transparency Citizen Accountability participation 2 Why is it important? A key Government of Canada priority. A recognized international movement. An opportunity for public servants to

323 views • 11 slides
Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe botchagalupe@gmail.com https://github.com/botchagalupe/my-presentations You cant Lean, Agile, SAFE, Devops or even SRE your way around a bad

534 views • 41 slides
Does e-government improve government capacity? Evidence from tax compliance cost, tax revenue and

Does e-government improve government capacity? Evidence from tax compliance cost, tax revenue and

Introduction and motivation Empirical strategy Results Conclusion Does e-government improve government capacity? Evidence from tax compliance cost, tax revenue and public procurement competitiveness Anna Kochanova, Zahid Hasnain

558 views • 22 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R

SELLING AGILE V E S A PA L M U @ W U N D E R . U K B U S I N E S S A N D S T R AT E G Y T R A C K Vendor? Customer? In-house team? New to agile? Some agile? 100% agile? Questions, feedback on Twitter #SellingAgile The Story 1.

918 views • 54 slides
Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current:

Agile Security The Good The Bad (and mostly) The Ugly Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places

906 views • 32 slides
FAST Agile Radical Disruption and New Method to Scaling Agile Ron Quartel A SCALABLE WAY OF

FAST Agile Radical Disruption and New Method to Scaling Agile Ron Quartel A SCALABLE WAY OF

FAST Agile Radical Disruption and New Method to Scaling Agile Ron Quartel A SCALABLE WAY OF SELF-ORGANIZING PEOPLE AROUND WORK VIA OPEN SPACE Ron Quartel @ronquartel Software Developer 20 years Agile developer since 2002 (Extreme

767 views • 58 slides
Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Pole Vaulting over Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places Consulting, Research,

581 views • 32 slides
The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE

The AGILE Data Center and the First AGILE Catalog Carlotta Pittori, on behalf of the AGILE Collaboration 2009 Fermi Symposium 2 - 5 November 2009, Washington AGILE on PSLV-C8 Sriharikota, India The AGILE April 15, 2007 Payload: the most

853 views • 38 slides
Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for Software and Systems Engineering ISST (Dortmund, Germany) http://jan.jurjens.de Security is the Major Show-Stopper Jan Jrjens: Security and Compliance

768 views • 18 slides
Technology Transformation Service transform government services government practices government

Technology Transformation Service transform government services government practices government

Technology Transformation Service transform government services government practices government culture peoples lives What makes up TTS? 18F Custom Partner Solutions Products & Platforms Transformation Learn Office of Agile BPA

572 views • 14 slides
Associate Professor Panos Vlachopoulos, Macquarie University Associate Professor Eva Dobozy,

Associate Professor Panos Vlachopoulos, Macquarie University Associate Professor Eva Dobozy,

Associate Professor Panos Vlachopoulos, Macquarie University Associate Professor Eva Dobozy, Curtin University What? What do we know about Learning Design? What approaches, models, frameworks have been developed over the years? Why? Why

500 views • 13 slides
Approche Algorithmique des Syst` emes Distribu es (AASR) Guillaume Pierre

Approche Algorithmique des Syst` emes Distribu es (AASR) Guillaume Pierre

Approche Algorithmique des Syst` emes Distribu es (AASR) Guillaume Pierre guillaume.pierre@irisa.fr Dapr` es un jeu de transparents de Maarten van Steen VU Amsterdam, Dept. Computer Science 04b: Communication (2/2) Contents Chapter

685 views • 39 slides
DUNE Near Detector: Perspective from NDDG A. D. Bross (FNAL), H.A. Tanaka (SLAC/Stanford) for the

DUNE Near Detector: Perspective from NDDG A. D. Bross (FNAL), H.A. Tanaka (SLAC/Stanford) for the

DUNE Near Detector: Perspective from NDDG A. D. Bross (FNAL), H.A. Tanaka (SLAC/Stanford) for the DUNE Near Detector Design Group (NDDG) HISTORY AND ORGANIZATION Near Detector Design Group (NDDG) follows from the Near Detector Concept Study

611 views • 7 slides
Sliding-Block back analysis of Earthquake-Induced Slides. Article January 2000 DOI:

Sliding-Block back analysis of Earthquake-Induced Slides. Article January 2000 DOI:

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/274764204 Sliding-Block back analysis of Earthquake-Induced Slides. Article January 2000 DOI: 10.3208/sandf.40.6_61 CITATIONS READS

288 views • 16 slides
Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven

Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven

Mixminion: Design of a Type III Anonymous Remailer Protocol Roger Dingledine The Free Haven Project 1 Threat Model (what we aim to defend against) Global passive adversary can observe everything Owns half the nodes We are not

656 views • 41 slides
Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU Delft/ KU Leuven 18. June 2019 GDPR requires data protection by design and by default (Article 25) A complex law with many requirements. More

950 views • 58 slides
Tracking Prey in the Cyberfores t Bruce Potter gdead@shmoo.com Brian Wotring brian@shmoo.com

Tracking Prey in the Cyberfores t Bruce Potter gdead@shmoo.com Brian Wotring brian@shmoo.com

Tracking Prey in the Cyberfores t Bruce Potter gdead@shmoo.com Brian Wotring brian@shmoo.com July 29, 2004 Blackhat Briefings USA 2004 The Ground Rules Dont believe anything I say Daytime - Security consultant Beltway

759 views • 35 slides
Monero an anonymous altcoin Dionysis Zindros ATHECRYPT 2016 Overview Bitcoins problems

Monero an anonymous altcoin Dionysis Zindros ATHECRYPT 2016 Overview Bitcoins problems

Monero an anonymous altcoin Dionysis Zindros ATHECRYPT 2016 Overview Bitcoins problems Moneros solutions Fungibility Anonymity Unlinkability Untraceability Acknowledgments Bitcoin Genve, Universit

734 views • 52 slides

More recommend