RE: towards a taxonomy of Information Assurance

[InfoSec News <isn () c4i org>]

Forwarded from: "Skroch, Michael" <mjskroc () sandia gov>

This thread is of interest to me because it is fundamental to
effective engineering and assessment of systems security/assurance.  
We should avoid problems in considering this issue because of not only
the varied definitions we have of terms like Information Assurance
(IA), Systems Assurance, etc., but also the types of systems that
might be addressed and the level of detail that might be considered.  
Infosec or Information Operations is a large domain to consider...

It seems that Abe Usher is considering more fundamental components
that contribute to IA and how they might compose and be addressed.  
These are not well addressed in TCSEC and CC.  Mr. Barnard seems to be
starting at a higher systems level of how policy is essential and how
standards can assist in meeting policy objectives.  It seems both
approaches are valid (actually necessary) and that there are multiple
voids in-between and much refinement that is needed throughout the
domain to move information security/assurance from an art to a
science, to an engineering discipline.  A while back, I ran a
short-lived program called Information Assurance Science and
Engineering Tools (IASET) that started to address that need.  Google
"IASET information assurance" for more info.

As far as Abe's quest, I think there are a lot of existing resources
to be considered and understood so any work performed can build on (or
knowingly discard) what has already been discovered.  The quest will
not be a simple one.

We've been working toward "Sustainable Security" that includes steps
of a control framework (we like CobiT), security policy, security
planning, and implementation or engineering guidance.  We'll have a
paper out on this soon, but already have a number of reports and
papers out on some components of this approach.

mike

--
Michael J. Skroch (skraw)
Manager, Information Operations Red Team & Assessments
Sandia National Laboratories
mjskroc () sandia gov
http://www.sandia.gov/iorta/
http://www.sandia.gov/idart/


-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Tuesday, August 26, 2003 6:52 AM
To: isn () attrition org
Subject: Re: [ISN] towards a taxonomy of Information Assurance


Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

Here we go again, some pointy heads have an idea!! Wow!

Sorry guys, systems assurance reviews have already been pioneered so
why are we spending time creating a taxonomy like we just discovered
something?

Systems assurance is based on two elements, they are as follows;

(1). (POLICY); Compliance with security standards as directed by
corporate information security policy. This also takes into
consideration legislation and industry best practices.

(2). (STANDARDS): Trusted Computer System Evaluation Criteria (TCSEC)/
Orange Book, Information Technology Security Evaluation Criteria
(ITSEC), and/or the combination of both known as the Common Criteria.
You can also checkout Control Objectives for Information and Related
Technology (COBiT) at www.isaca.org


I can tell you that most organizations prefer to do there own
evaluations, so COBiT is perfect because it provides a framework for
Self-Review Assessments.

http://www.isaca.org/template.cfm?Section=COBIT6

http://www.isaca.org/Template.cfm?Section=Assurance&Template=/TaggedPage/Tag
gedPageDisplay.cfm&TPLID=19&ContentID=8746


Next!!

Best regards,
Mark. E. S. Bernard, CISM,


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Monday, August 25, 2003 4:38 AM
Subject: [ISN] towards a taxonomy of Information Assurance


> Forwarded from: Abe Usher <abe.usher () sharp-ideas net>
>
> Information Security Professionals at ISN,
>
> Bottom line: I'd like your help in shaping a usable taxonomy of
> Information Assurance.*
>
> I am presently working on creating a taxonomy of information assurance,
> based on the three aspects of:
> (1) Information characteristics
> (2) Information states
> (3) Security countermeasures
>
> These three aspects of Information Assurance (IA) were highlighted by
> John McCumber [1] as well as a team of West Point researchers [2] as a
> component of works that define an integrated approach to security.
>
> Within the next 6 months, I would like to create a taxonomy that
> graphically depicts the relationships of these three aspects.
>
> My intent is that this taxonomy could be used by the academic community,
> industry, and government in improving the precision of communication
> used in discussing information assurance/security topics.
>
> I have searched the Internet widely for a taxonomy of Information
> Assurance, but I have not found anything that is sufficiently detailed
> for application with real world problems.
>
> I've posted my initial results to the following URL:
>
> http://www.sharp-ideas.net/ia/information_assurance.htm
>
> for comments and peer review.
>
> Cheers,
>
> Abe Usher
> abe.usher () sharp-ideas net
>
>
> * Information assurance is defined as "information operations that
> protect and defend information and information systems by ensuring their
> availability, integrity, authentication, confidentiality, and
> non-repudiation.  This includes providing for restoration of information
> systems by incorporating protection, detection, and reaction capabilities.
>
> [1] McCumber, John.  "Information Systems Security: A Comprehensive
> Model".  Proceedings 14th National Computer Security Conference.
> National Institute of Standards and Technology.  Baltimore, MD.
> October 1991.
>
> [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A
> Model for Information Assurance: An Integrated Approach".  Proceedings
> of the 2001 IEEE Workshop on Information Assurance and Security.
> U.S. Military Academy.  West Point, NY.  June 2001.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.