As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI technical reports, white papers, and webinars in resilience, effective cyber workforce development, secure coding, data science, insider threat, and scheduling. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach
By John Haller and Charles M. Wallen

Outsourcing to third parties and the resulting dependency risks have become a leading consideration for financial services firms, drawing extensive management attention and regulatory scrutiny. This is particularly true for third party risks that arise from the use of information and communication technology (ICT), which may include data breaches, fraud, access to sensitive internal information, reputation impacts, or disclosure of intellectual property. These concerns are exacerbated by a pervasive and dynamic cybersecurity threat landscape. Attackers know that third party suppliers can be a weak link and target them accordingly.

Recent, high profile incidents involving the financial industry highlight the unexpected or unintended consequences that can arise when organizations outsource support and processing activities. This is particularly true for customer-facing services supported by outsourced information technology. Regulators have emphasized careful oversight of third party suppliers and have strongly urged senior management to more directly engage in this area of risk management.
Download the whitepaper.

Striving for Effective Cyber Workforce Development
By Marie Baker

The United States is in a critical situation in terms of cyber preparedness. Cyber attacks and their sophistication are growing exponentially while the cyber workforce is striving to strengthen and sustain the talent needed to protect, detect, defend, and respond to these attacks. Effective cyber workforce development - increasing the number of qualified professionals in the field and having the right tools to advance their prowess in information security operations - is challenging.
Download the whitepaper.

Common Exploits and How to Prevent Them
By David Svoboda

This talk was given at the Secure Coding Symposium in Arlington, Virginia, in September 2016. At this event, software development and assurance professionals discussed current challenges in the areas of secure coding practice adoption and software assurance.
Download the presentation

Data Science: What It Is and How It Can Help Your Company
By Brian Lindauer and Eliezer Kanal

Over the past few years, there has been a veritable explosion of hiring in the field of data science. Just 10 years ago, the phrase data scientist was almost unheard of; now data scientist positions are advertised across numerous industries, with a particular focus on high tech. What is this position and why is it relevant? In this webinar, we discussed this position from a number of angles--what the term "data science" means, what skills a data scientist brings to the table, what competitive edge data science can bring to your team, and the differences between data science and business analysis. We also discussed a number of case studies that describe how data science can be integrated into existing businesses as well as how to best make use of data scientists' skills.
View the webinar.

How to Build an Effective Insider Threat Program to Comply With the New NISPOM Mandate
By Randall F. Trzeciak

On May 18, 2016, the U.S. Department of Defense (DoD) published Change 2 to DoD 5220.22-M, "National Industrial Security Program Operating Manual (NISPOM)." NISPOM Change 2 requires contractors to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. In this webinar, Randy Trzeciak, technical manager of the CERT Insider Threat Center, describes the summary of new requirements mandated by NISPOM Change 2 and the impact they will have on DoD contracting organizations.
View the webinar.

Segment-Fixed Priority Scheduling for Self-Suspending Real-Time Tasks
By Junsung Kim, Björn Andersson (Carnegie Mellon University), Dionisio de Niz, Ragunathan (Raj) Rajkumar, Jian-Jia Chen, Wen-Hung Huang, Geoffrey Nelissen

Recent trends in system-on-a-chip show that an increasing number of special-purpose processors are being added to improve the efficiency of common operations. Unfortunately, the use of these processors may introduce suspension delays incurred by communication, synchronization, and external I/O operations. When these processors are used in real-time systems, conventional schedulability analyses incorporate these delays in the worst-case execution/response time, thereby significantly reducing the schedulable utilization.

This report describes schedulability analyses and proposes segment-fixed priority scheduling for self-suspending tasks. We model the tasks as segments of execution separated by suspensions. We start from providing response-time analyses for self-suspending tasks under rate monotonic scheduling (RMS). While RMS is not optimal, it can be used effectively in some special cases that we have identified. We then derive a utilization bound for the cases as a function of the ratio of the suspension duration to the period of the tasks. For general cases, we develop a segment-fixed priority scheduling scheme. Our scheme assigns individual segments different priorities and phase offsets that are used for phase enforcement to control the unexpected self-suspending nature.
Download the report.

Additional Resources

For the latest publications on SEI research, please visit https://resources.sei.cmu.edu/library/.