EMI replaced its Incident Command System (ICS) curricula with courses that meet the requirements specified in the National Incident Management System (NIMS). EMI developed the new courses collaboratively with the National Wildfire Coordinating Group (NWCG), the United States Fire Administration and the United States Department of Agriculture.
Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management, translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management-level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management-level training out there is from FEMA.
Yes, that FEMA.
For no cost you can take some of their Incident Command System (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking.
DEFCON, the 9000+ attendee hacker conference in Vegas, has become a sort of hydra conference. It has become more like a global fair than what most people think of as a conference; even the badge is highly unique.
I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse, it’s hard to find all of the “stuff” they release.
Before anyone has a chance to post “it’s all on the DEFCON CD dummy,” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.
TO AUDIT OFFICIALS, AGENCY CIOS, AND OTHERS INTERESTED IN FEDERAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING
This letter transmits the exposure draft of the Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) for your review and comment. The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits.
The exposure draft revisions reflect changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the “Yellow Book”). The Federal Information System Controls Audit Manual (FISCAM) provides a methodology for performing information system (IS) control audits in accordance with GAGAS. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. This manual is intended for both auditors, to assist them in understanding the work done by IS controls specialists, and IS controls specialists, to plan and perform the IS controls audit.
In addition, the FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, the FISCAM control activities are consistent with and have been mapped to the NIST Special Publication 800-53.
Instructions for Commenting on the Exposure Draft
The exposure draft of FISCAM is available only in electronic form at http://www.gao.gov/cgi-bin/getrpt?rptno=GAO-08-1029G on GAO’s Web page. We request comments from federal audit officials, CIOs, financial managers, the public accounting profession, and other interested parties. Please associate your comments with specific references to section, paragraph, and page number. Also, please provide the rationale for your comments and proposed changes, along with suggested revised language. Please send your comments electronically to FISCAM@gao.gov no later than September 5, 2008.
We anticipate that the final version of FISCAM will be issued in the fall of 2008 for use in conducting fiscal year 2009 federal financial statement audits.