Forwarded from: Mark Bernard <mbernardat_private>

Dear Associates,

Here we go again, some pointy heads have an idea!! Wow!

Sorry guys, systems assurance reviews have already been pioneered, so why are we spending time creating a taxonomy like we just discovered something?

Systems assurance is based on two elements, they are as follows:

(1) (POLICY): Compliance with security standards as directed by corporate information security policy. This also takes into consideration legislation and industry best practices.

(2) (STANDARDS): Trusted Computer System Evaluation Criteria (TCSEC) / Orange Book, Information Technology Security Evaluation Criteria (ITSEC), and/or the combination of both known as the Common Criteria.

You can also check out Control Objectives for Information and Related Technology (COBiT) at www.isaca.org. I can tell you that most organizations prefer to do their own evaluations, so COBiT is perfect because it provides a framework for Self-Review Assessments.

http://www.isaca.org/template.cfm?Section=COBIT6
http://www.isaca.org/Template.cfm?Section=Assurance&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=19&ContentID=8746

Next!!

Best regards,
Mark E. S. Bernard, CISM

----- Original Message -----
From: "InfoSec News" <isnat_private>
To: <isnat_private>
Sent: Monday, August 25, 2003 4:38 AM
Subject: [ISN] towards a taxonomy of Information Assurance

> Forwarded from: Abe Usher <abe.usher@sharp-ideas.net>
>
> Information Security Professionals at ISN,
>
> Bottom line: I'd like your help in shaping a usable taxonomy of
> Information Assurance.*
>
> I am presently working on creating a taxonomy of information assurance,
> based on the three aspects of:
> (1) Information characteristics
> (2) Information states
> (3) Security countermeasures
>
> These three aspects of Information Assurance (IA) were highlighted by
> John McCumber [1] as well as a team of West Point researchers [2] as a
> component of works that define an integrated approach to security.
>
> Within the next 6 months, I would like to create a taxonomy that
> graphically depicts the relationships of these three aspects.
>
> My intent is that this taxonomy could be used by the academic community,
> industry, and government in improving the precision of communication
> used in discussing information assurance/security topics.
>
> I have searched the Internet widely for a taxonomy of Information
> Assurance, but I have not found anything that is sufficiently detailed
> for application with real world problems.
>
> I've posted my initial results to the following URL:
>
> http://www.sharp-ideas.net/ia/information_assurance.htm
>
> for comments and peer review.
>
> Cheers,
>
> Abe Usher
> abe.usher@sharp-ideas.net
>
>
> * Information assurance is defined as "information operations that
> protect and defend information and information systems by ensuring their
> availability, integrity, authentication, confidentiality, and
> non-repudiation. This includes providing for restoration of information
> systems by incorporating protection, detection, and reaction capabilities."
>
> [1] McCumber, John. "Information Systems Security: A Comprehensive
> Model". Proceedings 14th National Computer Security Conference.
> National Institute of Standards and Technology. Baltimore, MD.
> October 1991.
>
> [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A
> Model for Information Assurance: An Integrated Approach". Proceedings
> of the 2001 IEEE Workshop on Information Assurance and Security.
> U.S. Military Academy. West Point, NY. June 2001.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 09:57:41 PDT