Book price comparison. Includes 12,390,323 books and 12 stores.

Author

Mark a Russo Cissp-Issap Itilv3

Books and works in one place: 4 books, published 2018-2019, with The Agile/Security Development Life Cycle (A/SDLC) among the most popular. Compare prices and check availability at Finnish bookstores.

4 books

Publication range of the books: 2018-2019.

Scrm 2.0

Mark a Russo Cissp-Issap Itilv3

Independently Published
2019
paperback

A GUIDE FOR 2020 SUPPLY CHAIN RISK MANAGEMENT (SCRM) APPLICATION IN THE REAL WORLD.

In this 2021 re-release of the SCRM 2.0, there has been added clarification of control implementation. NIST SP 800-161 controls are critical to a successful Supply Chain Risk Management process, vital to ensuring that hardware, software, and services are equally vetted to ensure that supply chain elements are free from defect, counterfeit, or fraud. This update is designed to provide greater clarity needed to ensure an active defensive posture by public and private sector organizations.

Welcome to the next iteration of SCRM. Based on a detailed explanation of current threats and application of NIST SP 800-161. From the internationally acclaimed cybersecurity thought-leader, Mr. Russo provides two distinct NIST 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations," approaches to resolve the modern day challenge of SCRM. The solutions, while similar, provide a 21st Century resolution to better approach in a systematic way to prevent compromises to the US and global IT supply chain.

The use of varied supply chain attacks by cyber attackers to access, for example, software development infrastructures have been major vectors of concerns for governments as well as the private sector. These attacks typically include targeting publicly connected software "build, test, update servers," and other portions of a software development environment. Nation-state agents can then inject malware into software updates and subsequent releases have far-ranging impacts to the IT supply chain; the challenge continues to grow.

SCRM 1.0 is a concept for establishing an effective and repeatable process that can be applied against standard supply chain components such as hardware, firmware, software, etc. The author introduces SCRM 2.0, much like SCRM 1.0 (Product-based approach), the need is to turn to a much more precarious aspect of SCRM. We must consider the service piece of SCRM that includes the people, companies, and organizations along the supply chain that may also be compromised within the global marketing of IT equipment and capabilities. This is the next most significant issue facing the field of cybersecurity protection in the 21st Century. This updated version updates content for the reader and adds more clarity on the topic of SCRM in 2020.

The Agile/Security Development Life Cycle (A/SDLC)

Mark a Russo Cissp-Issap Itilv3

Independently Published
2019
paperback

In this SECOND EDITION of THE AGILE SECURITY DEVELOPMENT LIFE CYCLE (A/SDLC) we expand and include new information to improve the concept of "Agile Cyber." We further discuss the need for a Security Traceability Requirements Matrix (SecRTM) and the need to know where all data elements are located throughout your IT environment to include Cloud storage and repository locations. The author continues his focus upon ongoing shortfalls and failures of "Secure System Development."

**The author is pleased to announce that this book will be referenced in a pending 2020 release by the OSD CIO in its "Application Security Guide for DOD Acquisitions" ** GO ARMY **

The author seeks to use his over 25 years in the public and private sector program management and cybersecurity to create a solution. This book provides the first-ever integrated operational-security process to enhance the reader's understanding of why systems are so poorly secured. Why we as a nation have missed the mark in cybersecurity? Why nation-states and hackers are successful daily? This book also describes the two major mainstream "agile" NIST frameworks that can be employed, and how to use them effectively under a Risk Management approach. We may be losing "battles," but maybe it's time we truly commit to winning the cyber-war.

National Cybersecurity Framework

Mark a Russo Cissp-Issap Itilv3

Independently Published
2018
paperback

CAN THERE TRULY BE AGILE CYBERSECURITY IN AGILE DEVELOPMENT?...YES

Just look to what the National Institute of Standards and Technology (NIST) has done with its creation of the "National Cybersecurity Framework (NCF)." It is designed for both the private sector and is especially important for those working within a designated area of a US Critical Infrastructure sector. This book is designed to provide the how-to to address the 108 controls effectively and efficiently. It brings you through the process to assure compliance and enhanced cybersecurity in an Agile approach. This book is about what "secure" should look like and how you and your IT staff can be confident in implementing security for sensitive data and Intellectual Property in an ever-changing cyber-threat environment.

CSLAs for Cybersecurity Professionals

Mark a Russo Cissp-Issap Itilv3

Independently Published
2018
paperback

FOR CYBERSECURITY PROFESSIONALS WRESTLING WITH THE CLOUD SERVICE LEVEL AGREEMENT (CSLA)

This book is not another Cloud Security Theory book, it is a practical and how-to volume for both the Cloud Service Customer (CSC) and Cloud Service Provider (CSP) negotiate the CSLA based on defined terms and metrics. This is more than a high-level description of "risks and challenges" involved in entering into a true CSLA. It is a "down in the weeds" approach with nearly 100 specific Service Level Objectives (SLO)-the next level down--with suggested metrics that get you started on Day 1.

This book is written for the cybersecurity professional who needs to review, help develop, and assess whether a CSLA is complete or not for the purpose of accreditation and access to an active network. We have assembled the latest information in what you need to know and understand as you help companies and agencies challenged by using a third-party service provider, and especially one using cloud technologies. This book also includes extensive examples and suggestions to do your job better, faster, and smarter. Welcome to the "wave" we call "the cloud."