Re: towards a taxonomy of Information Assurance (IA)

From: Meritt James (meritt_james_at_bah.com)
Date: 08/27/03

    Date: Wed, 27 Aug 2003 11:52:26 -0400
    To: Abe Usher <abe.usher@sharp-ideas.net>

    You may wish to look into the structure/form/organization of MITRE's CVE
    library. The Common Vulnerabilities and Exposures home page is at
    http://www.cve.mitre.org/

    Jim

    Abe Usher wrote:
    >
    > Fellow Information Security Professionals,
    >
    > Bottom line: I'd like your help in shaping a usable taxonomy of
    > Information Assurance.*
    >
    > This taxonomy is part of my graduate studies, and will not be used for
    > any commercial purposes. It will remain an "open source" open project.
    >
    > I am presently working on creating a taxonomy of information assurance,
    > based on the three aspects of:
    > (1) Information characteristics
    > (2) Information states
    > (3) Security countermeasures
    >
    > These three aspects of Information Assurance (IA) were highlighted by
    > John McCumber [1] as well as a team of West Point researchers [2] as a
    > component of works that define an integrated approach to security. I
    > have also considered the works of Matt Bishop [3] in how to create a
    > useful taxonomy.
    >
    > Within the next 6 months, I would like to create a taxonomy that
    > graphically depicts the relationships of these three aspects. I will
    > use an "open source" model whereby all of my findings & results will be
    > posted for public review and revision.
    >
    > My intent is that this taxonomy could be used by the academic community,
    > industry, and government in improving the precision of communication
    > used in discussing information assurance/security topics.
    >
    > I have searched the Internet widely for a taxonomy of Information
    > Assurance, but I have not found anything that is sufficiently detailed
    > for application with real world problems.
    >
    > I've posted my initial results to the following URL:
    >
    > http://www.sharp-ideas.net/ia/information_assurance.htm
    >
    > for comments and peer review.
    >
    > Cheers,
    >
    > Abe Usher
    > abe.usher@sharp-ideas.net
    >
    > * Information assurance is defined as "information operations that
    > protect and defend information and information systems by ensuring their
    > availability, integrity, authentication, confidentiality, and
    > non-repudiation. This includes providing for restoration of information
    > systems by incorporating protection, detection, and reaction capabilities."
    >
    > [1] McCumber, John. "Information Systems Security: A Comprehensive
    > Model". Proceedings 14th National Computer Security Conference.
    > National Institute of Standards and Technology. Baltimore, MD. October
    > 1991.
    >
    > [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A
    > Model for Information Assurance: An Integrated Approach". Proceedings
    > of the 2001 IEEE Workshop on Information Assurance and Security. U.S.
    > Military Academy. West Point, NY. June 2001.
    >
    > [3] Bishop, Matt. "A Critical Analysis of Vulnerability Taxonomies".
    > Department of Computer Science, University of California. Davis, CA.
    > September 1996.
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
    > ----------------------------------------------------------------------------

    -- 
    James W. Meritt CISSP, CISA
    Booz | Allen | Hamilton
    phone: (410) 684-6566
