EA security


ISO 27001: A new standard for IT security

Information security flaws can create havoc within your business operations. The ISO 27001 standard for information security management systems can help to locate existing security problems and prevent future threats before they prove harmful to your organization. ISO 27001 is the new international standard created by the International Standards Organization for Information Security Management Systems. An ISMS is a planned way of managing an organization's information so that it remains secure, using the right combination of people, processes, and IT systems. The best practices for an ISMS include a wide range of planning to ensure business continuity, minimize business damage, and maximize ROI and business opportunities. The standard sets out how the planning process should go and specifies the components that must be identified: people, processes, and practices are essential. Officially known as ISO/IEC 27001:2005, this standard, published last October, will replace the British BS7799-2 and the ISO 17799 standard; the latter may, however, be renumbered ISO 27002, but ISO has not made a final statement regarding ISO 17799 renumbering yet.


On the relationship between Web Services Security and traditional protocols

[May 2, 2005] XML and Web Services security specifications define elements to incorporate security tokens within a SOAP message. We propose a method for mapping such messages to an abstract syntax in the style of Dolev-Yao, and in particular Casper notation. We show that this translation preserves flaws and attacks. Therefore we provide a way for all the methods, and specifically Casper and FDR, that have been developed in the last decade by the theoretical community for the analysis of cryptographic protocols to be used for analysing WS-Security protocols. Finally, we demonstrate how this technique can be used to prove properties and discover attacks upon a proposed Microsoft WS-SecureConversation protocol.

Federal Enterprise Architecture Security and Privacy Profile (FEA SPP)

The Federal Chief Information Officers Council published initial versions of the Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) in July 2004 and July 2005. The current version of the methodology (Version 2.0) was modified based on validation exercises and an assessment of related documents. Validation testing was conducted at two Federal agencies to verify the methodology's utility. Validation consisted of abbreviated applications of the FEA SPP methodology. An assessment of relatively new standards and documents such as Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems; and Data Reference Model (DRM) Version 2.0 has added to the utility of this document. FEA SPP Version 2.0 supersedes previous FEA SPP releases.