soa-rm-ra message



Subject: RE: [soa-rm-ra] Good Security Reference Material


Thanks Jeff, Danny, Tom & Dave,

My webhosting service, which handles my domain-based email, was down 
with a cascading set of crashes that ate its way through their RAID 2 
backup and forced them to do a more laborious tape-backup 
restoration. The restrictions of Sarbanes-Oxley require that my 
audit trails be reliable, and since I eat my own cooking, I have had 
to wait it out and start catching up on my work now that the system 
is back up. This also requires a boatload of verification for my 
purposes, so I am just beginning to get my head above water. 
Unfortunately this had nothing to do with missing this week's 
meeting. I was just overbooked. It has just made the process of 
catching up a bit more tedious.

Blah blah blah, disclaimer done. While I appreciate these resource 
materials and I will avail myself of them, as I was going through the 
process of the initial draft, and going through the materials I have, 
I realized that once we step beyond abstract generalities in our 
descriptions of the threat model and start getting specific, we are 
going down a road that is almost certainly going to be filled with 
competing counter-measures, so while I don't think we would be in 
danger of becoming too-concrete if we mention the available 
standards, as examples only, once we get started, we are going to be 
faced with Canadian, European, and Asian jurisdictions wondering if this 
work is really US-only, no matter how dominant our economy and its 
governmental regulations are for us personally.

This is going to be the devil sitting on our shoulders throughout 
this exercise, and just so you don't think I'm trying to be the 
international gadfly stinging us every time we turn around, let me 
say that as current chair of the Cyberwar Work Group of the 
Cooperative Open-Source Medical Banking Architecture and Technology 
(COMBAT) Project of the Medical Banking Project heading off to DC at 
the end of this month for another conference, I can guaran-darn-tee 
you I ain't. Sorry for the mini-rant, but you'd actually have to be 
worried about the NOAA HazCollect implementation of the OASIS Common 
Alerting Protocol (CAP), as Tom and Dave and I are, to know how 
current circumstances exemplify how difficult it can be once the door 
is opened to specific, concrete implementation-specific instances of 
security-related standards, or even advisory material.

So, as we thread our way through this minefield, I have to say that 
we better stay abstract unless we want to get saddled with compliance 
considerations. We need to set the stage for good policy, not 
threat-specific measures per jurisdiction, or we will create a 
monster.

Now, I hope I get a chance to read up on this more, and discover that 
I have been howling at the moon. ;-)

Cheers,
Rex

At 7:58 AM -0400 6/16/06, Tom Merkle wrote:
>Great input! Thanks!
>I have been using the FIPS-199 Standards for the Security Categorization
>of Federal Information and Federal Information Systems and FIPS-200
>Minimum Security Requirements for Federal Information and Federal
>Information Systems as basic guidelines. The FIPS-200 mirrors Jeff's
>presentation (nice job on it, Jeff) in many aspects.
>I'll pick up a copy of the book that Danny suggested.
>
>
>Regards,
>
>Tom Merkle
>
>
>-----Original Message-----
>From: Danny Thornton [mailto:danny_thornton2@yahoo.com]
>Sent: Thursday, June 15, 2006 2:56 PM
>To: soa-rm-ra@lists.oasis-open.org
>Subject: Re: [soa-rm-ra] Good Security Reference Material
>
>The book "Core Security Patterns" is directly in line with Jeff's slide
>presentation and goes into great detail about how to incorporate and
>apply security - life cycle, process, standards, technologies, patterns,
>products. For right now, it is about as up to date as you will find in a
>published book. 
>
>Danny
>
>--- Jeffrey A Estefan <Jeffrey.A.Estefan@jpl.nasa.gov>
>wrote:
>
>>  Dave, Rex, and Tom,
>>
>>  Following up on Danny's recommendation, I also encourage you to review
>
>>  this briefing material I posted sometime back on a candidate SOA
>>  security model:
>>
>>
>http://www.oasis-open.org/apps/org/workgroup/soa-rm-ra/download.php/17573/06-04-00008.000.pdf
>>
>>  You should see some alignment with the policy model Danny has put
>>  together.
>>  According to our RA guiding requirements, policy and security threats
>>  are feeds to the security model.  I believe the current RA outline
>>  only includes the threat model but it should be broader in scope.
>>
>>  Regards...
>>
>>   - Jeff
>>
>>
>>
>
>


-- 
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-849-2309

