Appendix D OTHER RESOURCES

INTRODUCTION

When researching and analyzing references for IT security, it is also best to continue using a structured methodology. The categorization of security elements found in the risk assessment methodology provides us with a way to group and assess the key aspects of any security program. If, in fact, an information security program is founded on the essential risk management exemplar, it already possesses a process to define the primary categories—threat, vulnerabilities, assets, and safeguards. Additionally, the McCumber Cube methodology has also structured the elements of the safeguards into technology, procedures, and human factors. With this starting point, you can more easily search and discover the many data elements required for an effective security environment.

As with any reference section such as this, many of these starting points will evolve and change. However, as with the McCumber Cube methodology, the categories and structure of the references will remain relatively constant. By searching within these categories, you can gather the basic information required to meet the needs of your security evaluation and risk assessment processes. I have only listed a few of the major resources in each of these areas. Broader research is strongly advised.

The information in this section is not intended to be a complete listing of all available products and services; it is only representational of the types of resources and data repositories available to security practitioners. This list is not meant to endorse any specific vendor nor provide any type of ranking. Any omissions, errors, or oversights are unintentional.


THREAT INFORMATION

Threat information is perhaps the most dynamic element of your security program. Historically, it factored little in the static programs used by those implementing risk avoidance or penetration-and-patch methodologies. For the future, however, an effective security program will require access to continually updated incident and trend data. This type of data requires significant resources to gather, analyze, and maintain. Fortunately, several services have been developed to meet this need. Most provide this service for a fee.

The largest repository of relevant threat data is currently maintained by Symantec Corporation (http://www.symantec.com/) and is provided to subscribers in the form of DeepSight Threat Management and DeepSight Alert Services.

Other threat services include:

VULNERABILITY AND SAFEGUARD INFORMATION

The chapter on vulnerability information cited MITRE’s CVE library. This is the best place to begin assessing technical vulnerabilities. Safeguard information is often comingled with vulnerability resources, so I have chosen to list several key resources here under the heading of vulnerability and safeguards. However, it is critical to consider all elements of safeguards—technical, procedural, and human factors. These may require some more detailed research to uncover. Other repositories of related information are also mentioned here:

There are innumerable vendors, integrators, and technology firms that provide information security products and services to implement your chosen safeguards. Many of these entities offer a wide range of both products and services. Any compilation cited here will undoubtedly change dramatically over time, so they are not included here.

There are also numerous information resources for specific technical vulnerability and safeguard information. These are most often organized and disseminated based on the computing platform or operating system in question.


ASSET INFORMATION

Processes, methods, and techniques for the evaluation and management of information assets constitute the area most lacking in technical guidance and resources. More applied research is required in this soft science area. As the burgeoning requirements for the enforcement of confidentiality, integrity, and availability of information resources continue to be elevated, it is hoped that this discipline will receive the attention it deserves from academicians and practitioners alike. The chapter on information as an asset outlines some of the major issues. The chapter on risk management metrics provides a starting point for your efforts at defining the empirical objective.

Most of the primary research needed to evaluate an organization’s information resources is to be found within the organization or operational environment itself. Many of the evaluation criteria for information are relative. In other words, the metrics you develop to determine the value of the information are tied to the missions and functions that information supports. All information is gathered, analyzed, and maintained to support some type of decision-making process. If not, there would be no need to possess it. So determining how much value to attach to specific elements of information is usually relative to the business function the information supports. This vital data is already contained within the business processes of the operational environment and requires extraction and analysis by the security practitioner. Without such data, the security and risk management environment will be a game of guesswork and approximation.
