Open Standards and Information Risk

Author: Miki Calero, Chief Security Officer, City of Columbus, Ohio

I have said it before and I will say it again: “we are all connected by this Internet thing: your zombie army may be my next DDoS attack.” To manage the risk this threat presents, I will contribute, collaborate, and discuss on as many open-standard wikis, blogs, boards, and communities as I possibly can. Fortunately, this appears to be a growing mindset.

In the words of Tim Berners-Lee, inventor of the World Wide Web and Director of the W3C, “the decision to make the Web an open system was necessary for it to be universal.” This is our paradigm: the same universal, open system that is a source of threats to our information assets also enables us to develop the Knowledge, Skills, Tools, and Techniques (KSTTs) to manage their risk. Only through collaboration, contribution, and discussion can we develop these KSTTs into open, universal standards.

Information risk is one area of growing openness and standardization. As the Security Officers Management and Analysis Project (SOMAP) points out, information security is not a competitive issue, and only freely available and cooperatively developed risk management utilities and tools can lead to better security management and to further development of the whole risk management field.

At the enterprise level, Risk Management Insight's Factor Analysis of Information Risk (FAIR) provides a proven model, tools, and processes for improving risk decision-making. FAIR's core contribution is a taxonomy that decomposes risk into the frequency of loss events and the magnitude of each loss, so that estimates are made factor by factor rather than as a single gut-feel rating. The Open Group, a vendor- and technology-neutral consortium, has begun developing a risk analysis standard based on this Creative Commons (CC) licensed work. SOMAP also supports enterprise-level risk management with open source information security risk management tools and utilities such as the Security Officers Best Friend (SOBF) tool and the Open Risk Model Repository (ORIMOR).
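As an added illustration of how the FAIR model just mentioned turns "risk" into something that can be compared across control options, here is a small example written for this page; it is not FAIR's, The Open Group's or SOMAP's own code. FAIR derives risk from Loss Event Frequency and Loss Magnitude, and derives Loss Event Frequency from Threat Event Frequency and Vulnerability. The web application scenario, the two candidate controls, and every number in the block are constructed assumptions, not measurements.

```python
# Added example: a minimal, deterministic walk through the top-level FAIR
# factors. Not FAIR's, The Open Group's or SOMAP's own code; the scenario
# numbers below are constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario (asset + threat + effect), using point estimates.

    Real FAIR analyses use calibrated ranges (min / most likely / max) and
    simulation; single values keep the arithmetic visible here.
    """
    name: str
    threat_event_frequency: float  # TEF: threat events per year
    vulnerability: float           # probability a threat event becomes a loss event, 0..1
    loss_magnitude: float          # expected loss per loss event, in currency units


def loss_event_frequency(s: Scenario) -> float:
    """LEF = TEF x Vulnerability: how often a loss actually occurs per year."""
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError("vulnerability is a probability and must lie in [0, 1]")
    return s.threat_event_frequency * s.vulnerability


def annualized_loss(s: Scenario) -> float:
    """Risk, expressed as expected annual loss = LEF x Loss Magnitude."""
    return loss_event_frequency(s) * s.loss_magnitude


@dataclass(frozen=True)
class Control:
    """A candidate control, described by the scenario it produces and its cost."""
    name: str
    mitigated: Scenario
    annual_cost: float


def net_benefit(baseline: Scenario, control: Control) -> float:
    """Risk reduction bought by the control, minus what the control costs per year."""
    reduction = annualized_loss(baseline) - annualized_loss(control.mitigated)
    return reduction - control.annual_cost


def rank_controls(baseline: Scenario, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by net benefit, best first; a negative value loses money."""
    scored = [(c.name, net_benefit(baseline, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a public web application exposed to opportunistic
# attackers. The values are illustrative assumptions, not measurements.
BASELINE = Scenario(
    name="web app compromise by opportunistic attacker",
    threat_event_frequency=12.0,   # roughly one serious attempt a month
    vulnerability=0.25,            # one in four attempts succeeds
    loss_magnitude=40_000.0,       # cleanup, downtime and notification per incident
)

CONTROLS = [
    # Hardening the application lowers Vulnerability, not TEF.
    Control(
        name="secure coding review and WAF",
        mitigated=replace(BASELINE, vulnerability=0.125),
        annual_cost=30_000.0,
    ),
    # Reducing exposure lowers TEF but leaves the success rate unchanged.
    Control(
        name="geo-blocking of unneeded source networks",
        mitigated=replace(BASELINE, threat_event_frequency=10.0),
        annual_cost=50_000.0,
    ),
]


if __name__ == "__main__":
    print(f"baseline LEF: {loss_event_frequency(BASELINE):.2f} loss events/year")
    print(f"baseline expected annual loss: {annualized_loss(BASELINE):,.0f}")
    for name, value in rank_controls(BASELINE, CONTROLS):
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"{name}: net benefit {value:,.0f} ({verdict})")
```

With these constructed inputs the baseline scenario produces three loss events a year and an expected annual loss of 120,000; the hardening control pays for itself (net benefit 30,000) while the exposure-reduction control does not (net benefit -30,000). The point is the decomposition: each factor is estimated and argued separately, which is what makes the analysis shareable and reviewable in an open community.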

Two sources of open standards at the web application security level deserve mention. The Open Web Application Security Project (OWASP) is an open community focused on improving the security of application software; it offers KSTTs that have been widely adopted and incorporated into industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) and Visa's Payment Application Best Practices (PABP). Similarly, the Web Application Security Consortium (WASC) produces open source, widely agreed-upon best-practice security standards for the Web.

OpenStandards.net lists open visibility, open participation, and common benefit among its stated objectives; integrating these open information risk standards into such a Portal of Standards would promote further contribution, collaboration, and discussion. After all, we are all connected by the you-know-what, we face the same threats, and we manage the risk they present…