Taxonomy of Operational Cyber Security Risk
This week Bruce Schneier mentioned a document published in December 2010 by CERT, at Carnegie Mellon University's Software Engineering Institute. I hadn't been aware of this previously.
The Taxonomy of Operational Cyber Security Risks is part of CERT's work on resilience management. It identifies and organises sources of operational risk to information and technology assets that have consequences affecting the confidentiality, availability or integrity of information or information systems.
The taxonomy is based around four classes: actions of people, systems and technology failures, failed internal processes, and external events.
The taxonomy complements the earlier Department of Homeland Security (DHS) Risk Lexicon and also discusses harmonisation with the Federal Information Security Management Act of 2002 (FISMA 2002), the security guidance contained within the National Institute of Standards and Technology (NIST) Special Publications series, and the threat profile concept contained within the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
The mapping of NIST SP 800-53 Rev 3 controls to the taxonomy subclasses and elements in Appendix 3 is especially useful.
For those in the field of operational defence of applications, there is currently a discussion on the OWASP Defenders community's mailing list about creating a Top 10 for operational web application security risks. Ryan Barnett's initial message is here, and the discussion continues here, here, and here. Contribute your thoughts.
Posted on: 16 August 2011 at 10:23 hrs