How to Be a Successful ISSM - PowerPoint PPT Presentation

Slides: 14
Provided by: TimChan
Transcript and Presenter's Notes


1
How to Be a Successful ISSM
  • Tim Chancellor

2
TEN SECRETS OF INCREDIBLY EFFECTIVE ISSMs
  • Skills
  • Computer Geek
  • Diplomat
  • Counselor
  • Investigator
  • Coach

3
Train, Train, Train
  • Information Systems Security Manager (ISSM)
  • Information Systems Security Manager
  • Chapter 8 computer based training
  • Quarterly ISSO Briefings
  • Monthly ISSO Tips
  • Information Systems Security Officer
  • ISSO computer based training
  • Information Systems User Briefing

4
Know your Program Managers
  • Face to Face Meeting
  • Accreditation Process
  • Few managers understand either the accreditation
    process or the requirements to process classified
    data.
  • Opportunity for them to begin to know you and
    seek advice.

5
Require Computing Requirements in Writing
  • Nails down specific purpose & configuration
    during pre-accreditation
  • Have them complete the CONOP
  • Have program appoint ISSO/Alternate
  • Status of equipment on order
  • Be aware of physical security requirements.

6
Early Coordination with CSA
  • Invite customer to provide advice & assistance
  • Comfort level with direction being taken
  • If cannot visit, will be glad you asked
  • Won't be caught off guard if special requirements

7
Challenge, Challenge, Challenge
  • Scrutinize the requirements, make decisions &
    recommendations
  • Watch for special caveats, NATO, etc.
  • If it will be adequate, limit systems that will
    process the special caveat
  • Consider how it will affect any future networks

8
Review & Review Again
  • SPP is tedious work
  • Having team review is helpful
  • Don't forward until you're sure it meets program
    requirements
  • Some ISSMs require approval in writing

9
Trust But Verify
  • You are on the hook with DSS
  • Perform 100% audit with outgoing/incoming ISSOs

10
Tactical Systems Require Coordination
  • Development of deliverable/tactical systems to
    ensure you meet customer requirements
  • Establish good working relationship with the
    customer
  • Attend customer/program meetings

11
Start-up Briefings
  • Once IATO or ATO conduct initial briefing with
    all key personnel
  • Be sure to include a physical security specialist
  • Face-to-face meeting ensures confusion is cleared
    up.

12
Post-Accreditation Inspection
  • Schedule 30-60 days after start-up
  • Clear up misunderstandings and ensure no auditing
    or record-keeping failures
  • Better to catch before government review

13
Final Suggestions
  • Network with other ISSMs
  • Share successes and failures
  • Best wishes!!!!