From: Walczak, Paul (PWalczak_at_Schafercorp-ballston.com)
Date: Tue Jan 14 2003 - 10:05:43 CST

    Coincident with the Common Criteria thread in this list, the next session of
    the U.S. Gov't sponsored IATF may be of interest, particularly to those
    accessible to the DC area. The link to the registration site is
    http://www.iatf.net; topic description below:

    The topic for the 24 January 2003 IATF forum is Protection Profiles Process
    and the NIAP. Government acquisition requirements for Information Assurance
    (IA) products have been in effect since 1 July 2002. NSTISSP No. 11 requires
    the acquisition of IA and IA-enabled IT products that have been evaluated
    and validated in accordance with the policy.

    This forum will launch a yearlong focus on the development, evaluation, and
    use of Protection Profiles (PPs), especially in assisting in systems
    certification and accreditation. Have we developed the right PPs, do we need
    more, or are there other approaches that should be explored? Come to this
    daylong discussion prepared to express your views since we have built in
    ample time for discussion with speakers and members.

    The morning session will be devoted to plans already underway for developing
    and using PPs in the DoD, Civil, Intelligence and commercial communities.
    NSA's Information Assurance Director will address Market Convergence. In the
    afternoon, we will conduct two interactive panel sessions to promote
    discussion on alternative approaches and improvements of PP use from the
    perspectives of Common Criteria Testing Laboratories (CCTLs), vendors, and
    developers.

    The forum will be held at the Kossiakoff Center, Johns Hopkins Applied
    Physics Laboratory, 11100 Johns Hopkins Rd, Laurel, MD. Directions, as well
    as a detailed agenda, can be found on the IATFF Web Site
    (http://www.iatf.net).

    REGISTRATION WILL CLOSE THE MORNING OF 24 January 2003. Members who register
    after 8:30 A.M. on Wednesday, 22 January 2003, may not have their badges
    prepared in advance.
     
    Regards - Paul

    -----Original Message-----
    From: ids-request@mailman.vet.com.au [mailto:ids-request@mailman.vet.com.au]

    Sent: Monday, January 13, 2003 8:00 PM
    To: ids@mailman.vet.com.au
    Subject: ids digest, Vol 1 #15 - 1 msg

    Send ids mailing list submissions to
            ids@mailman.vet.com.au

    To subscribe or unsubscribe via the World Wide Web, visit
            http://www.vet.com.au/mailman/listinfo/ids
    or, via email, send a message with subject or body 'help' to
            ids-request@mailman.vet.com.au

    You can reach the person managing the list at
            ids-admin@mailman.vet.com.au

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of ids digest..."

    Today's Topics:

       1. RE: IDS Common Criteria (Randy Taylor)

    --__--__--

    Message: 1
    Date: Mon, 13 Jan 2003 10:27:11 -0500
    To: focus-ids@securityfocus.com, ids@mailman.vet.com.au
    From: Randy Taylor <gnucharm.net>
    Subject: RE: [IDS] IDS Common Criteria

    At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
    >Common Criteria is for those who believe that "security is a process".
    >
    >Security is not a process. There is no silver bullet that will protect
    >you. The Common Criteria process is not a silver bullet.

    Security is very much a process. It has a scope that encompasses
    many concepts that are not addressed from the understandably
    narrowed focus found in vendor space. Here's just a few of the
    many issues I'm dealing with these days:

    - User education, awareness, and training
    - Security policy - network and physical
    - Application data flows
    - Firewall rules
    - HIDS deployment
    - NIDS deployment
    - Anti-virus deployment and management
    - Incident response
    - Router and switch hardening policies
    - Life-cycle management of all the above and then some

    Without a process view of a system like this, none of it
    works together the way it was intended in the initial design.

    Bruce Schneier speaks to the "security is a process"
    position better than I, but I did want to take a moment to
    point out some areas that many folks overlook when they
    talk about security. The broad-scope view makes it all look
    easy. It's the details that get you killed, figuratively speaking.

    I agree there is no single "security silver bullet". If there
    was one it certainly would not be Common Criteria. It wouldn't
    be just "IDS", "Firewall", or "Anti-Virus", either. Without a
    process-oriented approach to security, the "gun" is in the hands
    of the enemy rather than in ours.

    Best regards,

    Randy
    -----
    "If you are going to sin, sin against God, not the bureaucracy.
      God will forgive you but the bureaucracy won't."
      --- Hyman Rickover ---

    --__--__--

    _______________________________________________
    ids mailing list
    ids@mailman.vet.com.au
    http://www.vet.com.au/mailman/listinfo/ids

    End of ids Digest