Re: towards a taxonomy of Information Assurance (IA)

[jbarbo1 () umbc edu]

While I have little to no experience with this type of problem I offer two
observations. First, the whole concept of providing a taxonomy for IA
seems near impossible with the everchanging technology. Looking at your
diagrams, there are technologies already missing. As new things happen,
the taxonomy is going to have to be continuously updated. Second, have you
thought about looking at this on the other side of the fence, I just read
a paper that uses ontologies instead of taxonomies. Might want to look at
it, can be found at http://citeseer.nj.nec.com/584845.html.

Best of luck to you though.


> Fellow Information Security Professionals,
>
> Bottom line: I'd like your help in shaping a usable taxonomy of
> Information Assurance.*
>
> This taxonomy is part of my graduate studies, and will not be used for
> any commercial purposes.  It will remain an "open source" open project.
>
> I am presently working on creating a taxonomy of information assurance,
> based on the three aspects of:
> (1) Information characteristics
> (2) Information states
> (3) Security countermeasures
>
> These three aspects of Information Assurance (IA) were highlighted by
> John McCumber [1] as well as a team of West Point researchers [2] as a
> component of works that define an integrated approach to security.  I
> have also considered the works of Matt Bishop [3] in how to create a
> useful taxonomy.
>
> Within the next 6 months, I would like to create a taxonomy that
> graphically depicts the relationships of these three aspects.  I will
> use an "open source" model whereby all of my findings & results will be
> posted for public review and revision.
>
> My intent is that this taxonomy could be used by the academic community,
> industry, and government in improving the precision of communication
> used in discussing information assurance/security topics.
>
> I have searched the Internet widely for a taxonomy of Information
> Assurance, but I have not found anything that is sufficiently detailed
> for application with real world problems.
>
> I've posted my initial results to the following URL:
>
> http://www.sharp-ideas.net/ia/information_assurance.htm
>
> for comments and peer review.
>
> Cheers,
>
> Abe Usher
> abe.usher () sharp-ideas net
>
>
> * Information assurance is defined as "information operations that
> protect and defend information and information systems by ensuring their
> availability, integrity, authentication, confidentiality, and
> non-repudiation.  This includes providing for restoration of information
> systems by incorporating protection, detection, and reaction capabilities.
>
> [1] McCumber, John.  "Information Systems Security: A Comprehensive
> Model".  Proceedings 14th National Computer Security Conference.
> National Institute of Standards and Technology.  Baltimore, MD.  October
> 1991.
>
> [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A
> Model for Information Assurance: An Integrated Approach".  Proceedings
> of the 2001 IEEE Workshop on Information Assurance and Security.  U.S.
> Military Academy.  West Point, NY.  June 2001.
>
> [3] Bishop, Matt.  "A Critical Analysis of Vulnerability Taxonomies".
> Department of Computer Science, University of California. Davis, CA.
> September 1996.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html