Forwarded from: Freddie Beaver <frebea44at_private> ok, Mark, please be kind to academia :-) Academic research needs to take the obvious, scrutinize it to pieces, and attempt to statistically validate it or hopefully find a questionable flaw that will give fodder for a dissertation or tenure-required publishing. In this process someone may actually "improve the wheel". I side with you on the fact that practitioners don't need to spend time creating their own taxonomies when CC, Cobit, etc are available, but the academics are required to. I should know, I've been on all three sides of the fence: academia, corporate, and defense! FYI for all: I'm looking into doing a statistical (scientific) validation of Cobit. If anyone knows of any pre-existing studies or survey instruments related to it, I would appreciate the feedback. Beav Freddie E. Beaver 6167 Lakefront Dr. N. Horn Lake, MS 38637 Home: (662) 781-2161 Cell: (901) 438-4805 Email: frebea44at_private ----- Original Message ----- From: "InfoSec News" <isnat_private> To: <isnat_private> Sent: Tuesday, August 26, 2003 7:51 AM Subject: Re: [ISN] towards a taxonomy of Information Assurance > Forwarded from: Mark Bernard <mbernardat_private> > > Dear Associates, > > Here we go again, some pointy heads have an idea!! Wow! > > Sorry guys, systems assurance reviews have already been pioneered so > why are we spending time creating a taxonomy like we just discovered > something? > > Systems assurance is based on two elements, they are as follows; > > (1). (POLICY); Compliance with security standards as directed by > corporate information security policy. This also takes into > consideration legislation and industry best practices. > > (2). (STANDARDS): Trusted Computer System Evaluation Criteria (TCSEC)/ > Orange Book, Information Technology Security Evaluation Criteria > (ITSEC), and/or the combination of both known as the Common Criteria. > You can also checkout Control Objectives for Information and Related > Technology (COBiT) at www.isaca.org > > > I can tell you that most organizations prefer to do there own > evaluations, so COBiT is perfect because it provides a framework for > Self-Review Assessments. > > http://www.isaca.org/template.cfm?Section=COBIT6 > > http://www.isaca.org/Template.cfm?Section=Assurance&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=19&ContentID=8746 > > > Next!! > > Best regards, > Mark. E. S. Bernard, CISM, > > > ----- Original Message ----- > From: "InfoSec News" <isnat_private> > To: <isnat_private> > Sent: Monday, August 25, 2003 4:38 AM > Subject: [ISN] towards a taxonomy of Information Assurance > > > > Forwarded from: Abe Usher <abe.usher@sharp-ideas.net> > > > > Information Security Professionals at ISN, > > > > Bottom line: I'd like your help in shaping a usable taxonomy of > > Information Assurance.* > > > > I am presently working on creating a taxonomy of information assurance, > > based on the three aspects of: > > (1) Information characteristics > > (2) Information states > > (3) Security countermeasures > > > > These three aspects of Information Assurance (IA) were highlighted by > > John McCumber [1] as well as a team of West Point researchers [2] as a > > component of works that define an integrated approach to security. > > > > Within the next 6 months, I would like to create a taxonomy that > > graphically depicts the relationships of these three aspects. > > > > My intent is that this taxonomy could be used by the academic community, > > industry, and government in improving the precision of communication > > used in discussing information assurance/security topics. > > > > I have searched the Internet widely for a taxonomy of Information > > Assurance, but I have not found anything that is sufficiently detailed > > for application with real world problems. > > > > I've posted my initial results to the following URL: > > > > http://www.sharp-ideas.net/ia/information_assurance.htm > > > > for comments and peer review. > > > > Cheers, > > > > Abe Usher > > abe.usher@sharp-ideas.net > > > > > > * Information assurance is defined as "information operations that > > protect and defend information and information systems by ensuring > > their availability, integrity, authentication, confidentiality, > > and non-repudiation. This includes providing for restoration of > > information systems by incorporating protection, detection, and > > reaction capabilities. > > > > [1] McCumber, John. "Information Systems Security: A Comprehensive > > Model". Proceedings 14th National Computer Security Conference. > > National Institute of Standards and Technology. Baltimore, MD. > > October 1991. > > > > [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A > > Model for Information Assurance: An Integrated Approach". Proceedings > > of the 2001 IEEE Workshop on Information Assurance and Security. > > U.S. Military Academy. West Point, NY. June 2001. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 28 2003 - 06:07:45 PDT