Information Security News mailing list archives
Re: towards a taxonomy of Information Assurance
From: InfoSec News <isn () c4i org>
Date: Thu, 28 Aug 2003 02:25:11 -0500 (CDT)
Forwarded from: Freddie Beaver <frebea44 () earthlink net>

ok, Mark, please be kind to academia :-)

Academic research needs to take the obvious, scrutinize it to pieces, and attempt to statistically validate it or hopefully find a questionable flaw that will give fodder for a dissertation or tenure-required publishing. In this process someone may actually "improve the wheel". I side with you on the fact that practitioners don't need to spend time creating their own taxonomies when CC, Cobit, etc. are available, but the academics are required to. I should know, I've been on all three sides of the fence: academia, corporate, and defense!

FYI for all: I'm looking into doing a statistical (scientific) validation of Cobit. If anyone knows of any pre-existing studies or survey instruments related to it, I would appreciate the feedback.

Beav

Freddie E. Beaver
6167 Lakefront Dr. N.
Horn Lake, MS 38637
Home: (662) 781-2161
Cell: (901) 438-4805
Email: frebea44 () earthlink net

----- Original Message -----
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Tuesday, August 26, 2003 7:51 AM
Subject: Re: [ISN] towards a taxonomy of Information Assurance
Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

Here we go again, some pointy heads have an idea!! Wow! Sorry guys, systems assurance reviews have already been pioneered, so why are we spending time creating a taxonomy like we just discovered something?

Systems assurance is based on two elements, which are as follows:

(1) (POLICY): Compliance with security standards as directed by corporate information security policy. This also takes into consideration legislation and industry best practices.

(2) (STANDARDS): Trusted Computer System Evaluation Criteria (TCSEC)/Orange Book, Information Technology Security Evaluation Criteria (ITSEC), and/or the combination of both known as the Common Criteria.

You can also check out Control Objectives for Information and Related Technology (COBiT) at www.isaca.org. I can tell you that most organizations prefer to do their own evaluations, so COBiT is perfect because it provides a framework for Self-Review Assessments.

http://www.isaca.org/template.cfm?Section=COBIT6
http://www.isaca.org/Template.cfm?Section=Assurance&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=19&ContentID=8746

Next!!

Best regards,
Mark E. S. Bernard, CISM

----- Original Message -----
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Monday, August 25, 2003 4:38 AM
Subject: [ISN] towards a taxonomy of Information Assurance

Forwarded from: Abe Usher <abe.usher () sharp-ideas net>

Information Security Professionals at ISN,

Bottom line: I'd like your help in shaping a usable taxonomy of Information Assurance.*

I am presently working on creating a taxonomy of information assurance, based on the three aspects of:

(1) Information characteristics
(2) Information states
(3) Security countermeasures

These three aspects of Information Assurance (IA) were highlighted by John McCumber [1] as well as a team of West Point researchers [2] as a component of works that define an integrated approach to security.

Within the next 6 months, I would like to create a taxonomy that graphically depicts the relationships of these three aspects. My intent is that this taxonomy could be used by the academic community, industry, and government in improving the precision of communication used in discussing information assurance/security topics.

I have searched the Internet widely for a taxonomy of Information Assurance, but I have not found anything that is sufficiently detailed for application with real world problems. I've posted my initial results to the following URL:

http://www.sharp-ideas.net/ia/information_assurance.htm

for comments and peer review.

Cheers,
Abe Usher
abe.usher () sharp-ideas net

* Information assurance is defined as "information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."

[1] McCumber, John. "Information Systems Security: A Comprehensive Model". Proceedings 14th National Computer Security Conference. National Institute of Standards and Technology. Baltimore, MD. October 1991.

[2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A Model for Information Assurance: An Integrated Approach". Proceedings of the 2001 IEEE Workshop on Information Assurance and Security. U.S. Military Academy. West Point, NY. June 2001.