Wednesday, June 17, 2026

Redundant

I saw a t-shirt with the slogan "van life culture."

Isn't that redundant?  Doesn't the phrase "van life" imply life*style*?  And doesn't lifestyle imply culture?  So isn't the T-shirt phrase actually "van culture culture?"

SF - 3.09.0 - NIST

NIST is not a framework, but simply a reference to the Computer Security Resource Center (http://csrc.nist.gov) of the National Institute of Standards and Technology of the United States government.

It is a truly valuable resource for anyone involved in information security.  I tell classes that I facilitate in the United States that they should check it out since it is their tax dollars at work.  I tell everyone else that it is available to them, free of charge, and it is not even their tax dollars at work.

One of the factors that makes this both an extraordinarily valuable resource, and a difficult one to describe, is that it is constantly updated.  A number of older documents and resources are still available on the site, but most of them get updated or replaced fairly regularly.  I used to recommend a document numbered 800-37.  It was one of the early checklists with, yes, roughly 135 items on it.  Subsequently it was replaced by 800-37 version 2, which was a more principle-oriented framework, but, unfortunately, to my way of thinking, was less useful.  Valuable, yes, but not as useful as the original had been.

However, most of the material on this site is very valuable, and it covers an extraordinary range of topics.  One of the areas that it covers is the examination of tools used in the field of forensics.  I was privileged to hear a presentation by the person who did the research, one time, and the depth and comprehensiveness of his research was truly astounding.  If you know what you are doing, and are in court up against someone who is depending upon evidence gained from a disk image, with this knowledge you can rip their case to shreds.

And all of this is available, at no charge to the user.


Security frameworks (SF) series:
Next: TBA

1443

I just noticed that the previous post is the 1,443rd that I have made on the blog.

I probably unconsciously noted the similarity to 144, a gross, a dozen squared.

But I kind of automatically factored it, finding that it was the product of a hundred and eleven times thirteen (and 37x3x13).

(Probably nobody else except me finds this interesting.)

SF - 3.06.0 - Graphical Management Frameworks

There are three business- and management-oriented frameworks which I would like to discuss together.  First, because they are primarily business-oriented frameworks rather than security-oriented frameworks, and secondly because all three of them have a graphical component, which makes them easier to discuss when they are visible, or displayed in graphical format.

The first that I would like to mention is the Calder-Moir framework.  This is a kind of two-dimensional breakdown framework, which also appears to have been influenced by the color wheel.  Topics are broken down radially, and each outer ring further subdivides the topics of the ring inside it.  The inner circle is the conceptual breakdown, most suitable for Board-level discussions; a middle ring breaks that down further into management topics; and the outermost ring goes into operational detail, and actually points to a number of other frameworks.


Next is the Balanced Scorecard.  The Balanced Scorecard is also a kind of breakdown framework, in that it breaks your business down into four conceptual areas or categories (Kaplan and Norton's four perspectives: financial, customer, internal business process, and learning and growth).  For each of these there is a scorecard, giving something of a further breakdown of topic areas within those larger topics.  The point of the Balanced Scorecard, and it is a very interesting one, is that once you have assessed your business in these four categories, you concentrate your efforts on the area where the scorecard gives you the lowest score.  This makes a lot of sense.  Once you have found out where you are weakest, shore up that particular area, rather than concentrating your efforts on areas where you already have a more reasonable score.


Finally, there is the Zachman Framework.  This is last on the list, but by no means least.  The Zachman Framework is very broadly used and highly regarded in both business and security.  Although there is nothing specifically about security in the Zachman Framework itself, beyond business management generally, it has been adapted as the Sherwood Applied Business Security Architecture, or SABSA, framework.


The Zachman Framework is a breakdown framework.  It forms a two-dimensional grid, where one axis looks at the enterprise from different perspectives or levels of abstraction (from the planner's overall scope and context, through the business and system models, down to detailed representations), and the other axis asks the W5 plus H questions: what, who, why, when, where, and how.  The thing is, when you think about it and consider it against the phases of system development or project management, with a little rearrangement you get a very good match.  This makes a lot of sense in terms of a breakdown structure, and it is unsurprising that SABSA has been a successful security architecture based upon it.  Based upon SABSA, and following the advice of a colleague, I have myself used the framework to structure planning tools for both business continuity and incident response, specifically.

Tuesday, June 16, 2026

SF - 3.03.0 - ITIL

ITIL is the Information Technology Infrastructure Library.  It is, in fact, an actual library, or at least a collection of books.  At one point it had twenty-nine volumes, divided into five sections.  One of the books in the library was on security.  It was, generally speaking, a set of principles, setting out a number of management guidelines.  Because of the importance of management to security, there was an obvious connection to ITIL.  Unfortunately, at some point, the security volume of the library was discarded.

Initially, the Information Technology Infrastructure Library was an interesting example of how a poorly defined field requires a bothersome and arduous certification process.  You could get certification in ITIL, but in order to do so you had to jump through a lot of hoops, and write a number of essays on various topics, which I suppose would prove that you had read various volumes of the library.  However, particularly since ITIL eventually helped influence BS 15000 and ISO/IEC 20000, ITIL has become more defined, and these days the certification process is much easier.

Trolley problem options

You are the conductor of a trolley.  (For the purposes of this exercise, the conductor is the person who throws the switch selecting which track to take.  No, I don't know how to drive a trolley, and I don't know how a conductor would throw the switch.)

Ahead of you on the track is a switch.  If you do not throw the switch, you will drive over ten people.  These ten people are poor.

If you throw the switch, you will drive on an alternate track, and drive over one person.  This one person is wealthy: much wealthier than the ten people on the original track put together.

Capitalism states that the wealth of the one wealthy person, whether created or inherited/safeguarded, is greater than the wealth of the ten people, and therefore you should drive over the ten people.

(No, I don't know why none of the people will get out of the way.  Maybe they are all female, and have been tied up by Snidely Whiplash.  No, I don't know where the ranch is.)

Socialism states that the needs of the many outweigh the needs of the few, and therefore you should drive over the rich person.

(No, I don't know why the trolley has been designed with no brakes.)

(No, I don't know what the economics or business model would be for a trolley which has no brakes, and therefore has no ability to stop and allow passengers to board or disembark.)

At this point, a student, representing agnosticism, asks how you know that the people on the original track are poor, and that the one person on the alternate track is rich.

For the purposes of the exercise we will posit that you have just been handed a telegram giving you all of this information, and confirming that beside the group of ten people is a priest holding a sign, which you can easily read from where you are, that says "Y" for yes or "N" for no, and that on the alternate track there is a rabbi standing beside the rich person with a similar set of signs.  This verifies that the information you have been given in the telegram is correct.

(For the purposes of the exercise there is absolutely no significance to the fact that the person who is verifying the identity of the rich person is Jewish, and that the person verifying the identity of a bunch of poor people is Catholic.)

At this point a student in information security points out that this form of authentication of identity is sadly lacking in verification structures and should not be trusted.

Subsequently, a fatalist says that you can avoid the whole problem of choice by simply jumping from the trolley where you are, thus relieving yourself of the responsibility and moral choice, and leaving the fate of all of the people in the hands of either God or random chance.

An American Christian nationalist now asks whether either the rabbi or the priest is black.


(At this point, the instructor has to go and lie down in a cool, dark room for a while ...)

SF - 2.18.0 - Information Security Forum

Information Security Forum (ISF)
Standard of Good Practice for Information Security

The Information Security Forum (ISF) originally set out to create a standard of good practice for information security.  At least they didn't use the term best practice.

The Information Security Forum divided security into five "aspects": security management, critical business applications, computer installations, networks, and systems development.  This follows and models three or four of the "domains" of information security originally created by the International Information Systems Security Certification Consortium, (ISC)².

However, the Information Security Forum broke these five "aspects" out into thirty "areas," and (you guessed it) 135 sections.  The Forum can still be found, but these days has devolved into a rather standard sales organization for training and educational materials.