The Federal Risk and Authorization Management Program (FedRAMP) Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199; and is mapped to the security controls from the NIST SP 800-53, Rev. 4 catalog of security controls. Previously, the FedRAMP authorization process was only designed for low and moderate impact systems. The number of controls for each of the FedRAMP defined impact system levels is presented below:
The release culminates several months of work by the FedRAMP PMO, numerous agencies, cloud service providers and key stakeholders, who established the draft baseline, collected industry and federal comments, and completed pilot programs.
FedRAMP High Baseline
The establishment of the FedRAMP High Security baseline is critical for federal agencies to migrate more high-impact level data to the cloud. The High baseline is the strongest FedRAMP level to date, covering sensitive, unclassified data. According to FedRAMP Director Matt Goodrich, most of the information to be covered under the High baseline will be law enforcement data and patient health records. This should cover the needs of several civilian agencies, the Department of Defense (DoD), and the Department of Veterans Affairs (VA).
FedRAMP High Baseline Authorized Cloud Service Providers
The three Infrastructure-as-a-Service (IaaS) providers who participated in the FedRAMP High baseline pilot program and achieved Authorization are:
Microsoft’s Azure GovCloud
Amazon Web Services GovCloud
CSRA / Autonomic Resources’ ARC-P
Federal agencies are able to review these vendors’ security packages through OMB MAX and begin using these services immediately.
Coalfire was one of the earliest Third Party Assessment Organizations (3PAO) in FedRAMP, providing FedRAMP assessment or advisory services to cloud service providers in pursuit of their FedRAMP P-ATO or Agency ATO. If you’d like to talk to one of our staff about the new FedRAMP High baseline or have questions about the FedRAMP process, please contact us.
Abel Sussman, Director, TAAS–Public Sector and Cyber Risk Advisory, Coalfire
This past week, Palo Alto Networks hosted our very first Intern Tech Week to give our interns the chance to connect with teams from different branches of the company. It was an opportunity to not only learn more about Palo Alto Networks products but also see how they are made.
We kicked off the week last Monday with a deep dive from the creative minds behind AutoFocus. Scott Simkin, Senior Threat Intelligence Manager; Bilal Malik, Senior Product Manager; and Farshad Rostamabadi, Software Engineering Manager, discussed how they worked as a team to create a game-changing product that provides actionable threat intelligence to businesses and governments.
Tuesday began with a field trip to Flex to discover how our products are made. Vonnie French, Vice President, Supply Chain Operations, and her team provided an overview of the manufacturing organization and took the interns on a tour of the factory to see the entire cycle, from where the products are built to how they’re packaged and shipped to our customers.
The interns then met up with their hiring managers at Baylands Park to enjoy some good eats and fun outdoor games.
On Thursday, we got to find out what goes on in the mind of a hacker! Bryan Lee from Unit 42 stopped by to discuss what motivates hackers and what the future looks like for the cybersecurity industry. Ashwin Dewan, an intern from Product Management, learned a few new things from Bryan. “The presentation from the Unit 42 researcher helped me understand the company mission and vision,” he said. “Palo Alto Networks exists because hackers do, and understanding what a hacker is, and does, is as important as understanding any particular part of the platform.”
We ended the week with a great talk by our InfoSec Team. Rinki Sethi, Senior Director, Information Security, led a presentation with Lucas Moody, CISO, and other Information Security experts. This engaging panel discussed how they work to protect our brand and people using our best-in-class products. They also led the interns through an exercise of thinking through risk assessments, giving them a glimpse of what our customers do on a daily basis.
One of the main goals of our Summer Intern Program is to provide our interns with experiences that offer them a meaningful connection with our business. By hosting this Tech Week, we wanted our interns to learn more about the company and our products and get a glimpse into what our culture is truly like.
We think we achieved this because, as the week wrapped up, Channel Operations Intern, Jennifer Lu, said, “Seeing all the different people that made time for us interns, from Nir [Zuk] to Unit 42 to the InfoSec team, I really felt like I was part of Palo Alto Networks. I could clearly see the incredibly supportive, humble, and collaborative culture from every person I met at Tech Week! We are thankful for all of the great speakers we had this week and we already can’t wait for next year!”
When speaking to people who never considered a career in cyber or information security, we often find an audience put off by the perception that it is only for the technically minded. This couldn’t be further from the truth! Lucy Chaplin, a young consultant from the United Kingdom (U.K.) who became an Associate of (ISC)2 last year, demonstrates the possibilities.
Lucy considers herself lucky to have missed out on graduate programme schemes for management consulting. Coming out of Bristol University in 2012 with an honours degree in Economics and Politics, these programmes seemed to be the obvious choice at the time; and she made a concerted effort to contact The Big Four global consulting firms and small consultancies alike. Her research led to KPMG’s risk consultancy practice, which was a little bit more technical than the career she had imagined, but not daunting.
“I have never looked back. I asked for the opportunity to speak to as many people as I could around different practice areas and it became obvious that this was a high-growth industry that promised a lot of opportunity,” Chaplin says.
Celebrating her 25th birthday this year, Lucy is well aware that her choice has fast-tracked her career. She has worked on a variety of business, technical and strategic programmes examining technical risk, business resilience, infrastructure, cybersecurity and now Data Insight Services, where she helps clients take advantage of the volumes of data they have running through their systems to maximise the impact of their data and reporting. Her assignments have even included a stint on the McLaren Alliance, where she got a close-up view of the cars and met star Formula One driver Jenson Button.
Given the level of information and IT security required in the work she was doing, Lucy sought to solidify her knowledge in this area. Luckily, she was supported by her employer to pursue the Certified Information Systems Security Professional (CISSP®). She is now an Associate of (ISC)2 while she gains the five years’ experience required for full professional recognition.
“This was a great credential to work for because it really helped me get a broader view of the field, and the directions I could take in my career,” she says, adding, “As a young female who hadn’t studied the area, it also demonstrates that I understand the technical aspects of what I am working on. I continue to be very business-oriented, with a strong understanding of how technology works; but I have never had to be a technology expert. I work with others when such deep expertise is needed.”
What advice would Lucy give to graduates today?
“When you graduate, there is so much pressure on you from employers, family and peers to have a clear idea of what you want. But I got into a field that was changing too much to be able to build a five-year plan. In this organisation, my five-year plan changes with both the firm’s and my priorities. Take the time to talk to as many people as you can. Ask recruitment agents to refer you to people who can talk to you about their work. Attend events and ignore the pressure — let them tell you what is possible.”
When you listen to Indra Nooyi, PepsiCo CEO, you hear calm, measured confidence. When you listen to Sheryl Sandberg, Facebook COO, you hear upbeat, energized confidence. And when you listen to Mary Barra, GM CEO, you hear the concise messaging and confidence of a been-there-done-that leader.
Each of these women telegraphs leadership through her voice. When you listen, you don’t think, “I am listening to a woman leader.” You just know you are listening to a leader, a person with a passion for what she wants to convey and the utmost belief in her mission.
Our voices are one of the most powerful tools we can develop and leverage to convey leadership. By the same token, a weak voice lacking a passionate, well-defined, meaningful message will hinder our ability to grow and advance as leaders.
Sheryl Sandberg exhorts us to lean in. The most obvious way to do that is through what we say and how we say it.
One’s voice and the way one talks about their work is a powerful signal that we read instantly. We know leadership when we hear it.
Leaders Stand Out
As a recruiter and career coach for IT audit and IT governance, risk and compliance (GRC) professionals, I listen to a myriad of professional voices as people describe their jobs and careers. The leaders stand out from the moment they speak. They talk about their work with energy and intensity. Their thoughts are organized and they are clear about their contributions to their clients and teams. They communicate what they do by illustrating their work with specific examples.
An important point: Leaders build credibility by demonstrating what they do and have done, not by talking in generalities.
Indra Nooyi, in an interview about her keys to success, says that excellent communication skills were her focus early on. She worked hard to present a genuine voice and clear messages of her vision.
One can read books about improving communication, but doing the scary work of practicing your leadership voice, making mistakes along the way, is the best way to hone your message and vocal presence. Networking at conferences is an outstanding training ground for trying out messages and getting immediate feedback.
While networking at your next meeting, conference or coffee break, offer something about the exciting work you and your team are doing to drive the enterprise and make it a great place. Your understanding of the bigger picture, and passion about the mission, are critical leadership elements of this communication. Craft your story into a concise one- to one-and-a-half-minute presentation of the cool stuff you are doing. Leading means communicating a vision for the greater good. This simple act helps you do that.
Illustrate Your Leadership Competencies
I use the STAR (Situation – Task – Action – Result) technique to help candidates create examples for interviews. Behavioral interview questions, designed to help interviewers assess competencies and traits, not the least of which is leadership skills, demand examples that illustrate thought process, character, decision making, judgment, persuasion and conflict resolution. Using STAR as a framework to organize work examples and accomplishments will help you create interesting stories that differentiate you from the competition. Your goal is to be memorable—in a good way. This method will help you achieve that.
People get to know us through the stories we tell. Leaders illustrate their work through powerful stories.
Important tip: When you acknowledge your team or describe how you fit into it, put the focus on your contributions. This is critical. I prep people for interviews every day. The most common interview mistake I hear—made by men, but even more so by women—is subsuming individual accomplishment under the mantle of “we” and being uncomfortable stepping up and saying this is what I am doing, this is what I bring to the table.
Leadership presence is something you can cultivate every day. Your work presents you with multiple opportunities to lean in and speak. Small changes in how you present yourself, your vision, your knowledge and your contributions will earn you greater recognition as a leader.
Editor’s note: The ISACA Now Blog section is celebrating Women in Technology Month throughout June by featuring female bloggers. If you are a female blogger and would like to contribute a blog, please contact us at news@isaca.org.
Andrew Tarvin is a best-selling author and professional stand-up and improv comedian. He teaches people and organizations how to use humor to be more effective and productive. Tarvin has worked with more than 100 organizations including Procter & Gamble, GE and Western & Southern Life Insurance, speaking, training, and coaching on topics ranging from humor in the workplace to communicating confidently to strategic disengagement.
ISACA Now: There are so many potential landmines when it comes to using humor at work, but overthinking humor can result in stilted un-funniness. What’s the solution?
Tarvin: This is a great question and a common concern for using humor in the workplace. While there are potential landmines, that doesn’t mean humor shouldn’t be used at all. Sending an email could theoretically get you fired (such as if you hit “reply all” on a distribution list causing a massive “Don’t hit reply all” flurry of emails), but we still use email. Just as email is a tool, humor is a tool.
The key to avoiding landmines while still being funny is intent. If you are using humor to get back at someone or really even “just to be funny,” it is more likely to come across negatively. However, if you have a specific reason for using humor (to connect with someone, get people to read an email, etc.), and come from a positive, inclusive perspective, your humor will be better received, creating laughter without offense.
Another way to think about it is that using humor doesn’t give you an excuse to be a jerk or talk about taboo subjects in the workplace. An offensive joke may “just be a joke,” but it’s still offensive.
ISACA Now: Governance, risk and control are not known for their ability to inspire humor. How can someone inject appropriate humor in otherwise serious tasks and jobs?
Tarvin: Who says IT governance can’t inspire humor? There’s so much to laugh about in the auditing and control of computer systems…
OK, so it can be a little dry, but the drier the material, the easier it is to instill humor because it’s so unexpected. Just because a job or work is serious doesn’t mean that it can’t be done in a fun, engaging and inspiring way. When I was a project manager at Procter & Gamble, small changes to how I worked had a huge impact. Simple things like using images in my presentations or giving my project team nicknames went a long way in making the work more enjoyable. My colleagues from one team still call me Drewsito.
Don’t think about using humor as changing what you do, just how you do it. No matter your role, you still have to communicate messages, build relationships and be productive—all things that humor can help you do.
ISACA Now: Can humor be instilled in an entire organization? How?
Tarvin: Humor can be instilled in an entire organization, and the answer to how is simple… but not necessarily easy. It’s like how cooking is simple (follow the instructions) but not necessarily easy (my chicken always comes out burnt).
Humor in an organization comes down to individuals making a choice to find ways to enjoy their work more. The best way to encourage people to make that choice is to support them when they attempt to use humor. If someone adds humor to a presentation or email, let them know that you appreciate it (yes, even if the humor didn’t necessarily make you laugh).
Having a leadership team that embraces and uses humor is a huge help as well. The number 1 reason people don’t use humor at work more often is that they don’t think their boss or coworkers would approve. If you can dispel that myth, people will start to try new things; encourage that behavior, and it will start to spread.
It’s like a zombie apocalypse. It all starts with a patient zero and spreads from there. (For a more corporate metaphor, see Margaret Mead: “Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it’s the only thing that ever has.”)
ISACA Now: We’ve all had a supervisor who used humor—or what they thought was humor—in a passive-aggressive or even an active-aggressive manner that was off-putting and more about power than leadership. Can we use humor to safely defuse those situations? How?
Tarvin: You certainly can use humor to defuse a situation, but how you do it comes down to the specific circumstances. Perhaps one of the biggest challenges with humor is that it is very situational; what works in one setting for one person could backfire in a different setting with a different (or even the same) person.
For example, I think puns are like the coolest technologies we support—everyone should want to use them every day. Instead, they tend to be more like audits—people groan whenever they hear about them (sorry, just a joke to all of my auditors out there).
Safely using humor to defuse the situation goes back to having positive intent about the humor you use and really understanding your purpose.
ISACA Now: Oftentimes when teams want to solve a significant problem or do some major brainstorming the words, “Okay, let’s get serious and focus,” are used. How can humor regain a seat at the table?
Tarvin: It’s important to recognize that serious work doesn’t mean it can only be done in a serious way. In fact, the more serious something is, the more power humor tends to have, particularly when it comes to problem solving. Humor and creativity are both about finding unique connections and providing a new perspective.
In one study, students who watched a 20-minute comedy video before being asked to solve a problem were nearly 4 times more likely to solve the problem than students who didn’t watch the film. (If you want to know what problem they had to solve, check out the Candle Problem.) Humor gets the brain looking for new connections. Take this simple joke: “I can’t believe I got fired from the calendar factory. All I did was take a day off.” In order to understand it, your brain started making connections between “calendar factory” and “take a day off.” That same process is how we solve problems.
If you’re serious about solving a problem, you’ll use the best means to solve that problem, and humor is one of them.
Andrew Tarvin, Author, 2016 Governance, Risk and Control Conference Presenter