Great video, hopefully when I get a job, I could place your video side by side because they are very detailed. This is really hands on the job training.
Would a format for POAM ID 220001 be used (22 being the year and 0001 being it ID), So any new vulnerability needed can be added based on the year. And would 9999 POAM ID be sufficient units to be in the POA&M per year?
@@KamilSec Understood! Thank you, Been following your content for a few weeks and I must say it brilliant the way you explain. Brings more interest to learn.
Thanks for taking the time to explain this often tedious process. I do have a question. What if the plug-ins are updated for the next scan, will the old plug-ins still show up when you do a search if it hasnt been remediated yet?
Hi. At my workplace one big change we have to doing the poam is the mitigation column in which we have to explain what we have currently in our environment thats in place currently while we work on a remediation of the vulnerability. The mitigation has to be specific to the vulnerability
Cool, I guess this is as a results the nature of your system. It could be that your system is public/internet facing or not behind any firewall or bastion host.
ZBeauty, unfortunately I cannot do a video in CSAM, there is no community version of the tool, and hence I cannot use the one for the government for UA-cam tutorial.
Yes, that varies from workplace to workplace. However having the last milestone completion date same as the POA&M schedule completion date can be a bit risking an overdue POA&M. This is because, if evidence of completion of the last milestone need to be reviewed and approved before the POA&M gets submitted for closure, that can be a stretch for the same date.
I am a new ISSO and will like to understand the contain of the Authorization Package and how these contains are made. In the POA&M, under Planned Milestone column, Where does the ISSO get all remediations to point them out under the planned milestone column?? Thank You 🙏🏽
Contents of the Authorization Package are SSP, SAR and POA&M and ATO Memo. Watch this video for more ua-cam.com/video/adxnNStDskA/v-deo.html The Remediation milestones for the technical controls are mostly from the system admins.
Prate, for the planned milestones, you really have to coordinate with the people who are actually going to do the remediations (Admins) to get the timeframe they think they can complete the remediation.
Thank You Sir, this is so helpful. Quick question 🙋♀️, what if you read the description of the Vulnerability and can’t determine the exact control? Is the another way to determine the exact control???
Thank you so much you are awesome! I have a question! I have an interview scheduled for next week! What type of technical questions do you think will come up? I already had the first interview and it was the RMF process and they have scheduled a second one for technical! Am so nervous!
Thats a tough call, however based on the JD you can deduce where their minds are. Nonetheless, you can make sure you know your OSI Model and TCP/IP Model, Security protocols and common ports, vulnerability management and so on...Good luck!
I thought it is highly recommended we remediate critical vulnerability 15days, High Vulnerability 30days, Moderate Vulnerability 60 days, Low Vulnerability 90days. If the above is true and the information system overall water mark is Moderate. 1) What scheduled completion date will be assigned to a critical Vulnerability even if the POC said it will take 3months to remediate? 2) Are we going to base our time frame on POC suggested time frame? 3) Do we put into consideration overall water mark of the information system during our POAM creation and remediation process? 4) What is the best approach in creating our scheduled completion date? I really appreciate your time and clarification. Thank you.
Good questions Christian, So first of all if the system teams have the resources to remediate within (15 days or 30 days), they would have done that and we will not worry creating the POA&M. But there are instances even if the agency is asking the team to fix a critical vulnerability with days, the system team simply cannot do that, for instance if the issue is related to a vendor releasing a patch that are not yet available. In that case a POA&M is created to track the remediation efforts until the vendor release the patch. Hope that makes sense.
Hi - are you able to provide a link to the videos you advise we review prior to this? I'll also send an email request for the template to practice against - are you able to add that in the more section also?
ua-cam.com/video/lNH_4o5XSlE/v-deo.html So, the excel files are bit large and uploading them on AWS S3 bucket and sharing the link here for easy download will incur some significant monthly bill, hence the need for people to request via e-mail.
Yes generally you can refer to RA-5 (Vulnerability Scan) or SI-2 (Flaw Remediation) however, if the control involves say configuration or Cryptographic findings you can refer to CM-6 or SC-13 controls respectively.
Chaii!. excellent video bro, God bless you and increase your knowledge. if you don't mind how can i contact you, i need you to be my mentor in this field. thank you
Kamil you and your household will forever be blessed for what you do even with your busy schedule.
Thank you so much bro. I appreciate all the prayers and kind words!!!
I am watching this video for the second time, and I have gained so much knowledge again. I thank you so much, maybe God continue to bless you, sir.
You are so welcome, Ameen!
can't see the previous video about the Nessus vulnerability scan result analysis
See the link below for the Nessus Vulnerability Scan Analysis Video:
ua-cam.com/video/lNH_4o5XSlE/v-deo.htmlsi=okbFctPiKRgOX1_t
Kamil, God bless you!!!
Ameen
Great video , Thank you
Glad you enjoyed it
Thank you brother... this was excellent
Very welcome
Great hands on tutoria, keep it up. Please will it be possible to get the excel template of the POA&M?
You can get access to the spreadsheet from my Patreon page
Another excellent video on POA&M. Can't get anything more precise and well articulated. Thank you for the work you do.
I have a question. Where can I pick the control code like you did?
My pleasure bro!
All the controls codes will be in appendix D of SP 800 53
Excellent post
Thanks for watching, I hope you will help share the videos to promote the channel!
Thank you for this excellent video, so detailed and well explained. More grease to your elbow.
You are so welcome!
Excellent presentation.
Thank you kindly!
Great video, hopefully when I get a job, I could place your video side by side because they are very detailed. This is really hands on the job training.
God bless you for this great job
Thanks Man!
which roles would do these kind of tasks? such as creating POAMs, SSPs, etc?
IT Security Analyst, ISSO, POA&M Manager, Alternate ISSO....
Good video 👍🏿
Thank you Kamil
You’re very welcome Lawrence!
I have been learning from your videos. You have great content!
I appreciate that, thanks!
Thanks Kamil… great post as usual 👍
Glad you enjoyed it!
Great video boss !!
Thanks!
Looking for Splunk configuration video hope u do one one day
Thank you fir the video. It was helpful. Thank you
You are welcome!
Great video, thanks!
Great one.
THANKS VERY MUCH. PLEASE DO YOU HAVE A VIDEO ON POA&M WITH SECURITY CONTROL SINCE THIS WAS WITH THE NESSUS SCAN VULNERABILITY
Sorry, I do not.
Would a format for POAM ID 220001 be used (22 being the year and 0001 being it ID), So any new vulnerability needed can be added based on the year. And would 9999 POAM ID be sufficient units to be in the POA&M per year?
yes, that works. However way the organization decides on is fine.
@@KamilSec Understood! Thank you, Been following your content for a few weeks and I must say it brilliant the way you explain. Brings more interest to learn.
Who does the scan analysis?
IT Security Analyst or the ISSO
Thanks for taking the time to explain this often tedious process. I do have a question. What if the plug-ins are updated for the next scan, will the old plug-ins still show up when you do a search if it hasnt been remediated yet?
The plugins will be the same for a vulnerability, never changes except the vulnerability is fix and it wont show up in the next scan.
@KamilSec Thank you Sir!
Hi. At my workplace one big change we have to doing the poam is the mitigation column in which we have to explain what we have currently in our environment thats in place currently while we work on a remediation of the vulnerability. The mitigation has to be specific to the vulnerability
Cool, I guess this is as a results the nature of your system. It could be that your system is public/internet facing or not behind any firewall or bastion host.
Hey Kamil, do you do one on one training?
Zakari!! you too much
Great video! Can you do a video about CSAM?
ZBeauty, unfortunately I cannot do a video in CSAM, there is no community version of the tool, and hence I cannot use the one for the government for UA-cam tutorial.
Good morning sir
Good morning Bradon
Also our security manager instructed us that our last milestone date match the scheduled completion date. Does that vary by workplace?
Yes, that varies from workplace to workplace. However having the last milestone completion date same as the POA&M schedule completion date can be a bit risking an overdue POA&M. This is because, if evidence of completion of the last milestone need to be reviewed and approved before the POA&M gets submitted for closure, that can be a stretch for the same date.
I am a new ISSO and will like to understand the contain of the Authorization Package and how these contains are made. In the POA&M, under Planned Milestone column, Where does the ISSO get all remediations to point them out under the planned milestone column?? Thank You 🙏🏽
Contents of the Authorization Package are SSP, SAR and POA&M and ATO Memo. Watch this video for more ua-cam.com/video/adxnNStDskA/v-deo.html
The Remediation milestones for the technical controls are mostly from the system admins.
I’m a new ISSO, so for the planned milestones how would I know what to put or is there some type of reference I can go off of?
Prate, for the planned milestones, you really have to coordinate with the people who are actually going to do the remediations (Admins) to get the timeframe they think they can complete the remediation.
@@KamilSec thank you 🙏🏾
Thank You Sir, this is so helpful. Quick question 🙋♀️, what if you read the description of the Vulnerability and can’t determine the exact control? Is the another way to determine the exact control???
Unfortunately, that comes with experience working with these controls.
Thank you so much you are awesome! I have a question! I have an interview scheduled for next week! What type of technical questions do you think will come up? I already had the first interview and it was the RMF process and they have scheduled a second one for technical! Am so nervous!
Thats a tough call, however based on the JD you can deduce where their minds are. Nonetheless, you can make sure you know your OSI Model and TCP/IP Model, Security protocols and common ports, vulnerability management and so on...Good luck!
@@KamilSec Thank you so much !
WHAT do you do when you are not sure about the name of the control to be remediated?
Good question, you can also refer to some old POA&Ms with the same or similar findings to get an idea.
I thought it is highly recommended we remediate
critical vulnerability 15days,
High Vulnerability 30days,
Moderate Vulnerability 60 days,
Low Vulnerability 90days.
If the above is true and the information system overall water mark is Moderate.
1) What scheduled completion date will be assigned to a critical Vulnerability even if the POC said it will take 3months to remediate?
2) Are we going to base our time frame on POC suggested time frame?
3) Do we put into consideration overall water mark of the information system during our POAM creation and remediation process?
4) What is the best approach in creating our scheduled completion date?
I really appreciate your time and clarification.
Thank you.
Good questions Christian, So first of all if the system teams have the resources to remediate within (15 days or 30 days), they would have done that and we will not worry creating the POA&M. But there are instances even if the agency is asking the team to fix a critical vulnerability with days, the system team simply cannot do that, for instance if the issue is related to a vendor releasing a patch that are not yet available. In that case a POA&M is created to track the remediation efforts until the vendor release the patch. Hope that makes sense.
Hi - are you able to provide a link to the videos you advise we review prior to this? I'll also send an email request for the template to practice against - are you able to add that in the more section also?
ua-cam.com/video/lNH_4o5XSlE/v-deo.html
So, the excel files are bit large and uploading them on AWS S3 bucket and sharing the link here for easy download will incur some significant monthly bill, hence the need for people to request via e-mail.
@@KamilSec can i get a copy of the excel for practice. Thank you
Is there a way to automate this from data in ServiceNOW?
Partially, but human input would still be needed.
Hello, how can I reach out please?
kaamilzak@gmail.com
I was expecting the control to be RA-5 SI-2
Yes generally you can refer to RA-5 (Vulnerability Scan) or SI-2 (Flaw Remediation) however, if the control involves say configuration or Cryptographic findings you can refer to CM-6 or SC-13 controls respectively.
Like Like Like
Chaii!. excellent video bro, God bless you and increase your knowledge. if you don't mind how can i contact you, i need you to be my mentor in this field. thank you
kaamilzak@gmail.com
@@KamilSec Thank you for your response bro.
Hello Bro, I have contacted several times but no response, Pls try and make some time for me, lol, thank you.
Thank you Kamil
You're welcome Fati, Trust you are doing well?