RE: [ISN] towards a taxonomy of Information Assurance

From: InfoSec News (isnat_private)
Date: Thu Aug 28 2003 - 00:24:28 PDT


    Forwarded from: "Skroch, Michael" <mjskrocat_private>
    
    This thread is of interest to me because it is fundamental to
    effective engineering and assessment of systems security/assurance.  
    We should avoid problems in considering this issue because of not only
    the varied definitions we have of terms like Information Assurance
    (IA), Systems Assurance, etc., but also the types of systems that
    might be addressed and the level of detail that might be considered.  
    Infosec or Information Operations is a large domain to consider...
    
    It seems that Abe Usher is considering more fundamental components
    that contribute to IA and how they might compose and be addressed.  
    These are not well addressed in TCSEC and CC.  Mr. Bernard seems to be
    starting at a higher systems level of how policy is essential and how
    standards can assist in meeting policy objectives.  It seems both
    approaches are valid (actually necessary) and that there are multiple
    voids in-between and much refinement that is needed throughout the
    domain to move information security/assurance from an art to a
    science, to an engineering discipline.  A while back, I ran a
    short-lived program called Information Assurance Science and
    Engineering Tools (IASET) that started to address that need.  Google
    "IASET information assurance" for more info.
    
    As far as Abe's quest, I think there are a lot of existing resources
    to be considered and understood so any work performed can build on (or
    knowingly discard) what has already been discovered.  The quest will
    not be a simple one.
    
    We've been working toward "Sustainable Security" that includes steps
    of a control framework (we like CobiT), security policy, security
    planning, and implementation or engineering guidance.  We'll have a
    paper out on this soon, but already have a number of reports and
    papers out on some components of this approach.
    
    mike
    
    --
    Michael J. Skroch (skraw)
    Manager, Information Operations Red Team & Assessments
    Sandia National Laboratories
    mjskrocat_private
    http://www.sandia.gov/iorta/
    http://www.sandia.gov/idart/
    
    
    -----Original Message-----
    From: InfoSec News [mailto:isnat_private]
    Sent: Tuesday, August 26, 2003 6:52 AM
    To: isnat_private
    Subject: Re: [ISN] towards a taxonomy of Information Assurance
    
    
    Forwarded from: Mark Bernard <mbernardat_private>
    
    Dear Associates,
    
    Here we go again, some pointy heads have an idea!! Wow!
    
    Sorry guys, systems assurance reviews have already been pioneered so
    why are we spending time creating a taxonomy like we just discovered
    something?
    
    Systems assurance is based on two elements, they are as follows:
    
    (1) (POLICY): Compliance with security standards as directed by
    corporate information security policy. This also takes into
    consideration legislation and industry best practices.
    
    (2) (STANDARDS): Trusted Computer System Evaluation Criteria (TCSEC)/
    Orange Book, Information Technology Security Evaluation Criteria
    (ITSEC), and/or the combination of both known as the Common Criteria.
    You can also check out Control Objectives for Information and Related
    Technology (COBiT) at www.isaca.org
    
    
    I can tell you that most organizations prefer to do their own
    evaluations, so COBiT is perfect because it provides a framework for
    Self-Review Assessments.
    
    http://www.isaca.org/template.cfm?Section=COBIT6
    
    http://www.isaca.org/Template.cfm?Section=Assurance&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=19&ContentID=8746
    
    
    Next!!
    
    Best regards,
    Mark E. S. Bernard, CISM
    
    
    ----- Original Message ----- 
    From: "InfoSec News" <isnat_private>
    To: <isnat_private>
    Sent: Monday, August 25, 2003 4:38 AM
    Subject: [ISN] towards a taxonomy of Information Assurance
    
    
    > Forwarded from: Abe Usher <abe.usher@sharp-ideas.net>
    >
    > Information Security Professionals at ISN,
    >
    > Bottom line: I'd like your help in shaping a usable taxonomy of
    > Information Assurance.*
    >
    > I am presently working on creating a taxonomy of information assurance,
    > based on the three aspects of:
    > (1) Information characteristics
    > (2) Information states
    > (3) Security countermeasures
    >
    > These three aspects of Information Assurance (IA) were highlighted by
    > John McCumber [1] as well as a team of West Point researchers [2] as a
    > component of works that define an integrated approach to security.
    >
    > Within the next 6 months, I would like to create a taxonomy that
    > graphically depicts the relationships of these three aspects.
    >
    > My intent is that this taxonomy could be used by the academic community,
    > industry, and government in improving the precision of communication
    > used in discussing information assurance/security topics.
    >
    > I have searched the Internet widely for a taxonomy of Information
    > Assurance, but I have not found anything that is sufficiently detailed
    > for application with real world problems.
    >
    > I've posted my initial results to the following URL:
    >
    > http://www.sharp-ideas.net/ia/information_assurance.htm
    >
    > for comments and peer review.
    >
    > Cheers,
    >
    > Abe Usher
    > abe.usher@sharp-ideas.net
    >
    >
    > * Information assurance is defined as "information operations that
    > protect and defend information and information systems by ensuring their
    > availability, integrity, authentication, confidentiality, and
    > non-repudiation.  This includes providing for restoration of information
    > systems by incorporating protection, detection, and reaction capabilities."
    >
    > [1] McCumber, John.  "Information Systems Security: A Comprehensive
    > Model".  Proceedings 14th National Computer Security Conference.
    > National Institute of Standards and Technology.  Baltimore, MD.
    > October 1991.
    >
    > [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A
    > Model for Information Assurance: An Integrated Approach".  Proceedings
    > of the 2001 IEEE Workshop on Information Assurance and Security.
    > U.S. Military Academy.  West Point, NY.  June 2001.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    