"Orwellian" refers to George Orwell, the author of 1984 (as well as several other important books). Orson Welles was an amazing actor, writer, and producer (radio's "War of the Worlds" and the movie "Citizen Kane") of a huge body (pun intended) of work. I can't believe that you have conjoined these two completely separate persons.
0 Votes
I had that same thought. The paragraph started out talking about George Orwell and even gets Orwellian correctly credited but then takes a left turn to Orson Welles. Huh??????
0 Votes
Contributr
Thank you for bringing it to my attention.
0 Votes
Contributr
I apologize for the mistake. And, I appreciate you pointing it out. I do happen to know who they both are, not sure why I slipped.
all the time. Especially since Orson Welles did "War of the Worlds" by H.G. Wells; oy-VAY!! I get 'em mixed up! silly
1 Vote
Contributr
Maybe that is how I flipped them. Hmmm..
The subject disciplines have been practiced by security professionals for the past decade plus. The problem is that technology advances so quickly that one is constantly in need of training and refreshers in order to stay on the leading edge. Resting on one's laurels quickly gets one into obsolescence and out of the mainstream. It's a difficult pursuit and requires a dedicated professional and dedicated expenditure of resources.

The ARMS process attempts to quantify security and risk by assigning numerical values to threats and exposures as well as efficiency of countermeasures, methods, and means. This tool alone can save governments and business considerable funds when applied to enterprise security. Again, it's an engineering process requiring constant updates and refinements as well as considerable intelligence about the applicable threats to a given process, facility, procedure or what have you to protect.

Let's hope recognition enables a cadre of trained System Security Engineers to work this needed discipline...
1 Vote
Contributr
I agree with you that the pieces are there. What Cory and Bruce are advocating is the professional needs "street-cred" and to be recognized as a purveyor of "how it is" rather than someone you listen to then dismiss as an alarmist.
Nice to hear something positive about the need for Security Engineering professionals. I'm on a Security Engineering team and it takes a bit of effort to get activities accomplished because there are so few of us. Most security professionals are focused on the Security Operations side of things and there is a distinct difference between the two areas. Unfortunately, Security Operations gets more focus because they are "on the front lines" defending the perimeters of the organizations they are assigned to protect. Too bad that management doesn't realize that if you build security in (where Security Engineering comes into play), you just might be able to alleviate some of the stress in Security Operations.

There are published resources out there for Security Engineering. These include the following:
1. SSE-CMM: Systems Security Engineering - Capability Maturity Model. Located at http://www.sse-cmm.org/index.html . The website hasn't been updated in a while, which leads to the next resource.
2. ISO/IEC 21827:2008, Information technology - Security techniques - Systems Security Engineering - Capability Maturity Model (SSE-CMM). This standard officially standardized the SSE-CMM. Information available at http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=44716
3. International Council on Systems Engineering (INCOSE), Systems Security Engineering Working Group. Information on this working group is available at http://www.incose.org/practice/techactivities/wg/details.aspx?id=securitywg
4. Software Engineering Institute, Carnegie Mellon, CERT, Cyber Security Engineering. http://www.cert.org/sse/
5. NIST SP 800-27 Rev A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. Available at http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf
6. SABSA (Sherwood Applied Business Security Architecture). Enterprise Security Architecture seems to be a missing topic when discussing anything related to information security or cybersecurity. See http://www.sabsa.org/the-sabsa-method.aspx
0 Votes
Contributr
I never thought about the difference between engineering and operations. That is yet another distinction that makes a real difference.
"And yet those people who are experts in policy and politics not technical disciplines still manage to pass rules that make sense"
LOL yea right, when? lol They pass stuff that makes them feel good or to get elected not what makes sense. Health care law, can anyone make sense of it? lol Nancy even admitted she could not lol