EISSAF

Bibliography from Dissertation

2011-10-25T21:47:00.003-04:00

1. Smithsonian Institute. Vote: The Machinery of Democracy. [Online] 0 0, 2004. [Cited: September 16, 2006.] http://americanhistory.si.edu/vote/votingmachine.html.

2. Jones, Douglas W. Douglas W. Jones Illustrated Voting Machines History. [Online] 2003. [Cited: January 15, 2005.] http://www.cs.uiowa.edu/~jones/voting/pictures/#punchcard.

3. Election Data Services, Inc. 2004 Election Day Survey Report. Washington DC : Election Assistance Commission, 2005. EAC Requested Consultaion Services Report.

4. Kohno, Tadayoshi, Stubblefield, Adam and Rubin, Aviel D. Analysis of an Electronic Voting System. s.l. : IEEE Computer Society Press, 2004. IEEE Symposium on Security and Privacy.

5. U.S. Department of Defense Federal Voting Assistance Program. eVoting Initiatives. [Online] December 2005. [Cited: September 22, 2006.] http://www.fvap.gov/services/evoting.html.

6. GAO. Federal Efforts to Improve Security and Reliability of Electronic Voting Systems are Under Way, but Key Activities Need to Be Completed. s.l. : Government Accountability Office, September, 2005. p. 102, Report to Congressional Requester. GAO-05-956.

7. Gritzalis, Dimitris. Secure Electronic Voting. s.l. : Springer, 2003. 978-1-4020-7301-4.

8. Damgard, Ivan, Jurik, Mads and Nielsen, Jesper Buus. A Generalizion of Pallier's Public-Key System with Applications to Electronic Voting. Lecture Notes in Computer Science. s.l. : Springer Verlag, 2003, Vol. 1992, pp. 119 - 136.

9. Baudron, O., et al. Practical Multi-Candidate Election System. New Port : ACM Press, 2001. ACM Sympossium on Principles of Distributed Computing. pp. 274-283.

10. Boneh, Dan and Golle, Philippe. Almost Entirely Correct Mixing with Applications to Voting. Washington DC : ACM Press, 2002. CSC '02.

11. Cramer, Ronald, Gennaro, Rosario and Schoenmakers, Berry. [ed.] Walter Fumy. A Scenario and Optimally Efficient Multi-Authority Election Scheme. Berlin Heidelberg : Springer-Verlag, 1997. EUROCRYPT '97. pp. 103-118.

12. The Open Group. The Open Group Architectural Framework. The Open Group. [Online] 8.1, December 19, 2003. [Cited: January 15, 2004.] URL : http://www.opengroup.org/pubs. http://www.opengroup.org/pub.

13. Zachman, John A. A framework for Information System Architecture. 3, s.l. : IBM, 1987, IBM Systems Journal, Vol. 26, pp. 276 - 296.

14. Sowa, J. F and Zachman, A. J. Extending and Formalizing the framework for Information System Architecture. 3, 1992, IBM System Journal, Vol. 31, pp. 590 - 616.

15. Heaney, Jody. Security for Enterprise Engineering : Weathering Storms. 2, Washington DC : MITRE Corporation, 2003, Vol. 7.

16. The Open Group. The Open Group Architectural Framework. s.l. : The Open Group, 2003.

17. The US Department of Defense. DoD Architectural Framework version 1.0 Volume 1: Definition and Guidelines. 1 s.l. : US Department of Defense, February 9, 2004. Vol. 1.

18. US Department of Defense. Department of Defense Trusted Computer System Evaluation Criteria. s.l. : Department of Defense, 1985. Department of Defense Standard. DoD 5200.28-STD.

19. US-NIST, et al. Common Criteria. 2005.

20. Gollmann, Dieter, Massacci, Fabio and Yautsiukhin, Artsiom. Quality of Protection: Security Measurements and Metrics. s.l. : Springer, 2006. 0-387-29016-8.

21. Casola, Valentino, et al. A SLA evaluation methodology in Service Oriented Architectures. [ed.] Dieter Gollmann, Fabio Massacci and Artsiom Yautsiukhim. Quality of Protection, Security Measurements and Metrics. s.l. : Springer, 2006, pp. 119 - 130.

22. Lundin, Reine, et al. Using Guesswork as a Measure for Confidentilality for Selectively Encrypted Messages. [ed.] Dieter Gollmann, Fabio Massacci and Artsiom Yautsiukhin. Quality of Protection, Security Measurements and Metrics. s.l. : Springer, 2006, pp. 173 - 184.

23. Atzeni, Andrea and Torino, Antonio. Why to adopt a security metric? A brief Survey. [book auth.] Dieter Gollmann, Fabio Massacci and Artsiom Yautsiukhim. Quality of Protection, Security Measurements and Metrics. s.l. : Springer, 2006, pp. 1 -12.

24. Fair Isaac Corporation. A discussion of Data Analysis, Prediction and Decision Techniques. s.l. : Fair Isaac Corporation, 2004.

25. Albanese, Claudio and Campolieti, Guiseppe. Advanced Derivatives Pricing and Risk Management, Theory , Tools , and Hands-On Programming Applications. Burlington : Elsevier Academic Press, 2006.

26. Fine, Terrence L. Probability and Probabilistic Reasoning for Electrical Engineering. New Jersey : Prentice Hall, 2006. 780-130-205919.

27. Clemen, Robert T and Reilly, Terence. Correlations and Copulas for Decision and Risk Analysis. 2, s.l. : Institute of Operational Research and Management Sciences, February 1999, Management Science, Vol. 45, pp. 208 - 224.

28. Zachman, John A. A framework for Information System Architecture. 3, s.l. : IBM, 1987, IBM Systems Journal, Vol. 26, pp. 276-292.

29. Vicente, Aceituno, Canal. Information Security Management Maturity Model. s.l. : Institute of Security and Open Methodologies, 2005.

30. Institute, IT Governance. ISACA. http://www.itgi.org. [Online] 4.0, January 9, 2006. [Cited: January 12, 2006.] http://www.isaca.org.

31. Hansche, Susan, Berti, John and Hare, Chris. Official (ISC)2 Guide to the CISSP Exam. s.l. : Auerbach Publications, 2004. 0-8493-1707-X.

32. Zhao, Houlin. Security in Telecommunications and Information Technology. International Telecommunications Union. Geneva : International Telecommunications Union, December 2003. p. 89, An ITU-T X Series Manual.

33. The European Parliament and The Council of European Union. Official Journal of the European Communities. Europa. [Online] July 31, 2002. [Cited: February 13, 2007.] http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf.

34. US Department of Justics. USDOJ : FOAI : Overview of the Privacy Act of 1974. USDOJ. [Online] [Cited: February 13, 2007.] http://www.usdoj.gov/oip/04_7_1.html.

35. Zou, Cliff Changchun, et al. Monitoring and Early Warning for Internet Worms. Washington DC : ACM, 2003.

36. Hall, David L. and McMullen, Sonya A. H. Mathematical Techniques in Multisensor Data Fusion. Second. Norwood : Artech House, 2004. 1-58053-335-3.

37. Asante-Duah, Kofi, D. Hazardous Waste Risk Management. Florida : Lewis Publishers, 1993. 0-87371-570-5.

38. Wikipedia. Measure. Wikipedia. [Online] http://en.wikipedia.org/wiki/Measure_theory.

39. Dudley, R M. Real Analysis and Probability. New York : Cambridge University Press, 2002.

40. Feller, William. An Introduction to Probability Theory and Its Applications. Princton : John Wiley & Sons, 1970. Vol. II. 780-471-257097.

41. Parker, Tom, et al. Stealing The Network : How to own a continent. [ed.] Kevin Mitnick. Rockland : Syngress, 2004. 1-931836-05-1.

42. Swanson, Marianne, et al. Security Metrics Guide for Information Technology Systems. Computer Security, NIST ITL. Gaithersburg : National Institute of Science and Technology, 2003. NIST Special Publication. SP 800-55.

43. GAO. Information Security : Department of Homeland Sceurity faces Challenges in fulfilling Statutory Requirements. United States Government Accountability Office. Washington DC : US Government Accountability Office, 2005. Statement of The Director, Gregory C. Wilshusen. GAO-05-567T.

44. aughn, Rayford B, Henning, Ronda and Siraj, Ambareen. Information Assurance Measures and Metrics - State of Practice and Proposed Taxonomy. V s.l. : IEEE, 2002. Proceedings of the 36th Hawai International Conferences on System Sciences. 0-7695-1874-5/03.

45. JP Morgan. RiskMetrics - Technical Document. Fourth [ed.] Jacques Longerstae and Martin Spencer. New York : Morgan Guarantee Trust Company of New York, 1996.

46. Artzner, Philippe, et al. Coherent Measure of Risk. 3, s.l. : Blackwell Publishing, July 1999, Mathematical Finance, Vol. 9, pp. 203 - 228.

47. Gordy, Michael B. A Comparative Anatomy of Credit Risk Models. 1998.

48. Luciano, Elisa. Credit Risk Assesment Via Copulas : Association Invariance and Risk Neutrality. 2005.

49. Burtschell, Xavier, Gregory, Jon and Laurent, Jean Paul. Beyond Gaussian Copula : Stochastic and Local Correlation. s.l. : American Economic Association, 2005, Journal of Economic Literature.

50. Zivot, Eric and Wang, Jiahui. Modeling Financial Time Series With S-Plus. s.l. : Springer Science+Business Media, Inc., 2006. 0-387-27965-2.

51. Schonbucher, Philipp J and Schubert, Dirk. Copula-Dependent Default Risk in Intensity Models. 2001.

52. Coronado, Maria. Comparing Different Methods for Estimating Vale at Risk(VaR) for Actual Non-Linear Portfolios: Emperical Evidence. European Journal of Finance. 2000.

53. Coronado, Maria. Extreme Value Theory(EVT) for Risk Managers: Pitfalls and Opportunities in the Use of EVT in Measuring VaR. Department of Finance, ICADE. Universidad P. Comillas de Madrid. 2002. pp. 1 - 32, Conference Presentation : 5th SGF Conference. Source : http://www.fmpm.ch/docs/5th.htm.

54. Embrechts, Paul, Lindskog, Filip and McNeil, Alexander. Modeling Dependence with Copulas and Applications to Risk Management. 2001.

55. Nelsen, Roger B. Properties and Applications of copulas: A brief survey.

56. Shannon, Claude E. A Mathematical Theory of Communication. The Bell System Technical Journal. 1948, Vol. 27, pp. 379 - 423, 623 - 656. A Reprint Version.

57. Cover, Thomas M and Thomas, Joy A. Elements of Information Theory. s.l. : John Wiley & Sons, 1991. Elements of Information Theory.

58. Joe, Harry. Majorization, Randomness and Dependence for Multivariate Distributions. The Annals of Probability. 1987, Vol. 15, 3.

59. Joe, Harry. Majorization, Entropy and Paired Comparisons. The Annals of Statistics. June 1988, Vol. 16, 2.

60. de la Pena Victor H., Ibragimov Rustam, Sharakhmetov Shaturgun. Characterization of joint distributions, copulas, information, dependence and decoupling, with applications to time series. s.l. : Institute of Mathematical Statistics, 2006. IMS Lecture Notes -Monograph Series - 2nd Lehmann Symposium - Optimality. Vol. 49. 183-209.

61. Joe, Harry. Relative Entropy Measures of Multivariate Dependence. Journal of American Statistical Association. March 1989, Vol. 84, 405, pp. 157 - 164.

62. Natrella, M. Extreme Value Distribution. [book auth.] National Institute of Science and Technology. Engineering Statistics Handbook. s.l. : NIST, 2006, pp. 2930 - 2933.

63. The Mathworks, Inc. Statistics Toolbox Manual. s.l. : The Mathworks Inc., 2006.

64. Weisstein, Eric W. Extreme Value Distribution. MathWorld. [Online] March 24, 2006. [Cited: June 22, 2006.] http://mathworld.wolfram.com/ExtremeValueDistribution.html.

65. Wikipedia. Generalized Extreme Value Distribution. Wikipedia. [Online] [Cited: 10 02, 2006.] http://en.wikipedia.org/wiki/Generalized_extreme_value_distribution.

66. Armstrong, Margaret and Galli, Alain. Sequential Nongaussian Simulation Using FGM Copula. September 18, 2002.

67. Cuvelier, Etienne and Noirhomme-Fraiture, Monique. Clayton copula and mixture decomposition. Brest : ASMDA, 2005. Applied Stochastic Models and Data Analysis (ASMDA). pp. 699 -708.

68. US Department of State. Rights of the People : Individual Freedom and The Bill of Rights. US department of State International Information Programs. [Online] http://usinfo.state.gov/products/pubs/rightsof/vote.htm.

69. EAC TGDC. Voluntary Voting System Guidelines. Gaithesburge : Election Assistance Commission, EAC, 2005. p. 206, Technical Guidelines.

70. Maryland Board of Elections. Voting Systems : Maryland Board of Elections. Maryland Board of elections. [Online] Maryland Board of Elections, March 16, 2006. [Cited: January 26, 2007.] http://sbe2.elections.state.md.us/citizens/voting_systems/index.html.

71. Feldman, Ariel J, Halderman, Alex J and Felten, Edward W. Security Analysis of the Diebold AccuVote-TS Voting Machine. Computer Science, Princetone University. New Jersey : s.n., 2006.

72. Fischer, Eric A. Elections Reforms and Electronic Voting Systems (DREs) : Analysis of Security Issues. Congressional Research and Services, United States Congress. Washington DC : Congressional Research and Services, 2003. CRS Report for Congress. November 2003.

73. Jones, Douglas W. Misassessment of Security in Computer-Based Election Systems. 2, s.l. : RSA Laboratories, 2004, Vol. 7.

74. Genest, Christian and MacKay, Jock. The Joy of Copulas : Bivariate Distributions with Uniform Copulas. The American Statistician. 1986, Vol. 40, 4, pp. 280 - 283.

75. Zheng, Ming and Klein, John P. Estimates of Marginal Survival for Dependent Competing Risks Based on an Assumed Copula. Biometrika. March 1995, Vol. 82, 1, pp. 127 - 138.

76. Whitt, Ward. Bivariate Distributions with Given Marginals. The Annals of Statistics. 1976, Vol. 4, 6, pp. 1280 - 1289.

77. Thomas, Kenneth R. Executive Branch Power to Postpone Elections. Legislative Attorney, American Law Division, United States Congress. Washington DC : Congressional Report Service, 2004. p. 9. By Legislative Athorney, American Law Division. RL32471.

78. Tawn, Jonathan A. Modelling Multivariate Extreme Value Distribution. Biometrika. 1990, Vol. 77, 2, pp. 245 - 253.

79. Spall, James C. Introduction to Stochastic Search and Optimization. s.l. : Wiley & Sons, 2003. 0471330523.

80. Simon, Gary. Multivariate Generalization of Kendall's Tau with Application to Data Reduction. 358, s.l. : American Statistical Association, 1977, Journal of American Statistical Association, Vol. 72, pp. 367 - 376.

81. Segall, Adrian. Stochastic Preocesses in Estimation Theory. IEEE Transactions on Information Theory. May 1976, Vols. IT-22, 3, pp. 275 - 286.

82. Schweizer, B. and Wolff, E. F. On Nonparametric Measures of Dependence for Random Variables. The Annals of Statistics. July 1981, Vol. 9, 4, pp. 879 - 885.

83. Schechter, Stuart E. Towards Econometric Models of the Security Risk from Remote Attacks. s.l. : IEEE Computer Society, 2005, IEEE Security & Privacy, pp. 40 -45. 1540-7993/05.

84. Scarsini, Marco and Venetoulias, Achilles. Bivariate Distributions with Nonmonotone Dependence Structure. 421, s.l. : Ameican Statistical Association, March 1993, Journal of the American Statistical Association, Vol. 88, pp. 338 - 344.

85. SAIC. Risk Assessment Report. Diebold AccuVote-TS Voting System and Processes. Annapolis : Science Applications International Corporation, September2, 2003. Department of Budget and Management Risk Assement Report. SAIC-6099-2003-261.

86. Sacetta, Alessio. Copula Based Monte Carlo Integration in Financial Problems. s.l. : CWPE, 2005.

87. Romano, Claudio. Applying Copula Function to Risk Management. s.l. : Banca Roma, 2002. PhD Thesis.

88. Nelsen, Roger B. Copulas, Characterization, Correlation, and Counterexamples. Mathematics Magazine. 1995, Vol. 68, 3, pp. 193 -198.

89. Mukhopadhyay, Arunabha, et al. e-Risk Management with Insurance: A framework using copula aided Bayesian Belief Network. Hawaii : IEEE Computer Society, 2006. Proceedings of the 39th Hawaii International Conference on System Sciences. 0-7695-2507-5/06.

90. Molife, Rhashed. Using Copulas as a Measure of Dependence Between Competing Cases of Mortality. Faculty of Actuarial Science and Statistics, Sir John Cass Business School, City University of London. 2003. Master Thesis .

91. Melchiori, Mario R. Which Archimedean Copula is the right one? s.l. : Yield Curve E journal, 2003.

92. Melchiori, Mario R. Tools for Sampling Multivariate Archimedean Copulas. s.l. : Yield Curve E-Journal, 2006.

93. Melanie Moses, Dave Didich, Richard Dean. Systems Security for Wireless Systems and Network. s.l. : National Security Agency, 1996. CTIA/IMSEF/97.07.03.

94. Meester, Steven G. and MacKay, Jock. A Parametric Model for Cluster Correlated Categorical Data. Biometrics. 1994, Vol. 50, 4, pp. 954 - 963.

95. McNeil, Alexander J., Frey, Rudiger and Embrechts, Paul. Quantitative Risk Management : Concepts , Techniques and Tools. s.l. : Princton University Press, 2005.

96. McNeil, Alexander J. and Wendin, Jonathan. Bayesian Inference for Generalized Linear Mixed Models for Portfolio Risk. Jounal of Emperical Finance. October 5, 2005. Submitted Article : No Information about actual publication.

97. Marshall, Albert W. and Olkin, Ingram. Families of Multivariate Distributions. Journal of the American Statistical Association. September 1988, Vol. 83, 403, pp. 834 - 841.

98. Leite da Silva, A. M., et al. Dynamic Security Risk Assessment. s.l. : IEEE, 1999, p. 7. 0-7803-5569-5/99.

99. Koyluogu, Ugur H. and Hickman, Andrew. A Generalized Framework for Credit Risk Portfolio Models. 1998.

100. Klaassen, Chris A.J. and Wellner, Jon A. Efficient Estimation in the Bivariate Normal Copula Model: Normal Margins are Least favorable. Bernoulli. March 1997, Vol. 3, 1, pp. 55 - 77.

101. Ken Lin, Gary Deamer. caBIG Security Technology Evaluation. [ed.] Ken Lin and Gary Deamer. s.l., USA : Booz Allen Hamilton, January 23, 2006. p. 114.

102. Joro, Tarja, Na, Paul and Niu, Anne R. A Simmulation-Based First-To-Default(FTD) Credit Default Swap(CDS) Pricing Approach Under Jump-Diffusion. 2004. Proceedings of the 2004 Winter Simulation Conference.

103. Joe, Harry. Multivariate Extreme-Value Distributions with Applications to Environmental Data. The Canadian Journal of Statistics/La Revue Canadienne de Statistique. 1994, Vol. 22, 1, pp. 47 - 67.

104. Jaynes, Edward Thompson. Probability Theory - The Logic of Science. 1995.

105. Helder Parra Palaro, Luiz Koodi Hotta. Using Conditional Copula to Estimate Value at Risk. 2006, Journal of Data Science, pp. 93-115.

106. Genest, Christian and Rivest, Louis-Paul. Statistical Inference Procedures for Bivariate Archimedean Copulas. Journal of the American Statistical Association. September 1993, Vol. 88, 423, pp. 1034 - 1043.

107. GAO, United States General Accounting Office. Information Security Management : Learning from Leading Organizations. Accounting and Information Division, United States General Accounting Office. Washington DC : GAO, May 1998. p. 68, Executive Guide. GAO/AIMD-98-68.

108. Frederick Chong, Dwayne Taylor. Federated Identity: Scenarios, Architecture, and Implementation. http://msdn.microsoft.com/architecture. [Online] 1, June 1, 2006. [Cited: June 28, 2006.] http://msdn.microsoft.com/architecture/default.aspx?pull=/library/en-us/dnbda/html/federated.asp.

109. Dorofee, Audrey. Managing Information Security Risks Accross the Enterprise. Software Engineering Institute, Carnagie Mellon University. Pittsburgh : Carnagie Mellon University, 2002. p. 60.

110. Daas, Sarat C, Zhu, Yongfang and Jain, Anil K. Validating a Biometric Authentication System: Sample Size Requirements. IEEE Transactions on Pattern Analysis and Machine Intelligence. 2006, Vol. 28, 12.

111. Cwik, J., et al. Conceptual and Statistical problems of sister dependence. 3, s.l. : Biometrika Trust, Dec 1982, Biometrika, Vol. 69, pp. 513 - 520.

112. Coles, Stuart. A sufficiency Property Arising from the Characterization of Extremes of Markov Chains. Bernoulli. 200, Vol. 6, 1, pp. 183 - 190.

113. Carty, Lea V. Moody's Rating Migration and Credit Quality Correltion, 1920-1996. s.l. : Moody's Investors Services, July 1997. p. 25, Global Credit Research : Special Comment.

114. Brunel, Nicolas, Pieczynski, Wojeciech and Derrode, Stephane. Copulas in Vectorial Hidden Markov Chains for Multicomponent Image Segmentation. 2005, pp. II-718 - II-720.

115. Brown, Peter E., et al. The Mathematics of Statistical Machine Translation: Parameter Estimation. 2, s.l. : Association for Computational Linguistics, 1993, Vol. 19.

116. Bretthorst, Larry G. Bayesian Spectrum Analysis and Parameter Estimation. s.l. : Springer-Verlag, 1988. A web pdf version made available by the author after original ran out of print.

117. Ballerini, Rocco. Archimedean Copulas, Exchangeability, and Max-Stability. Journal of Applied Probability. June 1994, Vol. 31, 2, pp. 383-390.

118. Aas, Kjersti. Modelling the dependence structure of financial assets: A Survey of four Copulas. s.l. : Norwegian Computing Center, 2005.

119. Marshall, Albert W. and Olkin, Ingram. A New Method for Adding a Parameter to a Family of Distributions with Application to the Exponential Weibull Families. Biometrika. September 1997, Vol. 84, 3, pp. 641 - 652.

120. Alsina, Claudi, Frank, Maurice J and Schweizer, Berthold. Associative Functions, Triangular Norms and Copulas. Singapore : World Scientific Publishing Co, 2006. 981-256-67-6.

121. Dall'Aglio, G, Kotz, S and Salinetti, G. Advances in Probability Distributions with Given Marginals. [ed.] Hazewinkel M. Dordrecht : Kluwer Academic Publishers, 1991. Vol. 67. 0-7923-1156-6.

122. Nelson, Roger B. An Introduction to Copulas. s.l. : Springer Science+Business Media, Inc, 2006. 0-387-28659-4.

123. Delfs, Hans and Knebl, Helmut. Introduction to Cryptography, Principles and Applications. Heidelberg : Spinger-Verlag, 2002. 3-540-42278-1.

124. Schneier, Bruce. Applied Cryptography. s.l. : John Wiley & Sons, Inc., 1996. 0-471-11709-9.

125. Australian Capital Territory Electoral Commission. ACT Electoral Commission - Electronic Voting. [Online] ACT Electoral Commission, 2004. [Cited: December 20, 2004.] http://www.elections.act.gov.au/pubs.html.

126. Rice, R. E., Schweizer, B. and Sklar, A. When is f(z) = az^2 + bz + c ? The American Mathematical Monthly. April 1980, Vol. 87, 4, pp. 252 - 263.

127. Quesada-Molina, Jose Juan, Rodriquez-Lallena, Jose Antonio and Ubeda-Flores, Manuel. What are copulas. s.l. : Garcia de Galdeano, 2003, Monografias del Semin, Vol. 27, pp. 499-506.

128. Alsina, C and Quesada, J J. Of the Associativity of C(x,y) and x-C(x, 1-y). s.l. : IEEE, 1988, IEEE Transaction of Fuzzy Logic. 0195-623X/88.

129. Brunel, N and Pieczynski, W. Unsupervised Signal Restoration Using Copulas and Pairwise Markov Chains. St. Louis : IEEE, 2003. Proceedings of the 2003 IEEE Workshop on Statistical Signal Processing. pp. 102 - 105. 0-7803-7997-7/03.

130. Cherubini, Umberto, Luciano, Elisa and Vecchiato, Walter. Copula Methods in Finance. s.l. : John Wiley & Sons, 2004. p. 310. 978-0-470-86344-2.

131. Duda, Richard O, Hart, Peter E and Stork, David G. Pattern Classification. s.l. : John Wiley & Sons, 2001.

132. Frees, Edward W. and Valdez, Emiliano A. Understanding Relationships Using Copulas. 1, s.l. : Society of Actuaries, 1999, North America Actuarial Journal, Vol. 2, pp. 1-25.

133. Maybeck, Peter S. Stochastic Models, Estimation and Control. s.l. : Academic Press, 1979. Vol. 1.

134. McNeil, Alexander J and Demarta, Stefano. The t Copula and Related Concepts. 1, s.l. Blackwell Publishing, 2004, International Statistical Review Vol. 73.

People | Policies | Technologies

2011-07-03T18:30:00.003-04:00

Help keep your account safe with the Gmail security checklist - Official Gmail Blog

2010-10-19T05:54:00.000-04:00

Help keep your account safe with the Gmail security checklist - Official Gmail Blog

Approaches to security metrics

2010-07-20T07:57:00.000-04:00

There are three approaches to security metrics; qualitative, quantitative, and hybrid.

A qualitative approach is one where security is measured on a sliding scale of : SECURE -> INSECURE. Various levels or shades of security (or insecurity) can be determined as a measure of some stated policy. A grid/matrix of values can then be designed in such a manner that an aggregation can be obtained for the overall security/insecurity of an enterprise.

Quantitative approach is one where security is measured based on numerical value, grounded on a mathematical formulation; typically based on apriori knowledge of some known/measured occurrence or inferred expectation of security/insecurity and or based on inherent characteristics of the entity (or object) in question. For an enterprise, a grid/matrix of values can be developed for its entities and such developed matrix provide the basis for aggregation to determine the actual(true) security/insecurity of the overall system in a consistent manner acceptable to a collective of experts.

Hybrid approach is a middle ground where a combination of qualitative and quantitative values are used.

All approaches derive their motivation from the likelihood of occurrence of a threat to the system and the value of the cost or consequence of occurrence. Since security is a state of being determined largely by the nature of vulnerability, scope of exposure and expectations of exploit, security and risk can be construed as being directed correlated. Risk can indeed be used as a basis for security measurement. We know that generally,

Risk = Exposure to threats

Risk = Probability of a bad event occurring X The Impact of the event (often described in terms of value)

Note that the probability of occurrence is apriori chance of a system vulnerability being exploited.

Value (asset value) could be tangible or intangible, depending on the nature of the enterprise (or system under consideration). However, for a fully qualitative security metric, it is desirable to develop a valuation mechanism for converting intangible asset value into acceptable tangible cost that can then be used in the evaluation of the associated risks.

For qualitative metric, it is acceptable to use comparative asset values such as high, low, or medium. However, it is essential that in order to compute effective risk to the overall system, asset valuation for intangible assets be done in conjunction with a respected independent observer (evaluator/auditor) to minimize the impact of bias.

happenings.

2008-06-17T10:57:00.000-04:00

Between April and June, I appeared on a radion show to talk about Identity theft and in early June I gave a presentation at the Gartner Security Summit in DC. And then I got a bit more visible on facebook after my Indianapolis IEEE-USA meeting...

Well more importantly, Obama won the Democratic nomination for President in June.

I haven't written anything on this blog on enterprise architecture, business process improbement, security or any of my passion. I have been working on Six Sigma certification, for all its worth and plan to apply for the CGEIT certification. Quite pricey, but I forseee some value in the cartification.

EISSAF

2008-02-16T22:33:00.002-05:00

Enterprise Information Systems Security Architectural Framework (EISSAF) is a holistic security design methodology. It is the collection of resources and design tools for formalizing, visualizing, and modeling an information system security design.

This work includes the definition of information security that captures the objectives and parameters that affect security of information systems in an enterprise. At the heart of the EISSAF is the aggregation of the various architectural components, stakeholders and entity abstractions, entity and data relations and flows. The result is a set of diagrams, definitions and relationships. These are
developed as building blocks for the holistic design of information system security architecture. The objective is to enable enterprises develop, analyze, and measure security designs efficiently and cost-effectively.

Security affects, and is affected by, every component; objects and subjects, of an enterprise. Subjects act on objects. An enterprise consists of people, policies and technologies and there are security requirements (or attributes) for each of these. Also, an enterprise can be modeled hierarchically to account for decision and operational structures. This complex relationship can be visualized in a three dimensional Cartesian plane. The planes of the three dimensional representation are the architectural layers, the architectural perspectives, and the architectural security attributes. This three dimensional view demonstrate the nuance that is often missed in many discussion about security. The fundamental interplay of procedures, system level decisions, technology deployment and end user interaction, in the security of an enterprise. EISSAF capture these interactions.

The EISSAF design framework is organized into basic security attributes, architectural perspectives and enterprise hierarchy, or layers. At each layer, the various perspectives interact and depend on the various attributes. The three dimensional representation in Figure 2.1 present the basic idea.

Figure 2.1 EISSAF Construct in Cartesian Coordinates

The fundamental construct of EISSAF is the organization of an enterprise into four basic layers of organizational abstraction; strategic, business, systems, and operational. Every organization or enterprise consists of three basic components; people, policies, and technologies. These components are represented or can be mapped into the four organizational layers. These components are called perspectives. Security can be defined from these perspectives. A third construct of the EISSAF is what constitutes security. Research points to four essential attributes of a system by which its security is can be described. These four attributes are also the essential requirements information systems security controls are meant to protect. They are privacy, integrity, confidentiality, and availability. The EISSAF construct is presented in Figure 2.2
EISSAF provides a framework for a complete abstraction of the Enterprise Information System. The choice of abstraction is aimed at minimizing redundancy in definitions and constructs thereby improving the measurability. To facilitate clarity and assure consistency, definition of some of the basic constructs of the EISSAF are presented in the upcoming sections.

Figure 2.2 EISSAF construct showing layers, attributes and perspectives

Security Layers (Dimensions)

An architectural layer represents the fundamental hierarchy of architectural organization and depicts layers of details, abstraction and responsibility. EISSAF defines four layers; Strategic Layer, Business Layer, Systems Layer and Operational Layer.

Strategic Security Layer

This is a construct similar to Zachman's [28] layers. The EISSAF strategic layer abstracts the stakeholder's view of the enterprise's vision and objective. The architectural vision is defined, and the goals documented. Enterprise expectations and measures are specified. The output of this layer is the driver for business decisions and thus, the Business Layer. Business leaders and stakeholders always refer to an overarching big-picture or general direction and goals. The strategic layer typically describes two perspectives, people and policies. The technology perspectives are often then left to lower layers in the enterprise architectural development hierarchy.

Principals involved in the Strategic layers often include the enterprise architect, business owner(s) and enterprise stakeholders , regulatory bodies and standard development bodies.

In developing a security architecture (using EISSA), enterprise architects will require answers to layer-specific questions. The answers they obtain then serve as Architectural Development Guides (ADG). ADG help clarify concerns, performance requirements, and security attributes. Different questions will be asked as part of the ADG at different layers, each expected to produce increasing level of detail and abstraction. These answers also serve as basis for performance measure and security metrics computations. This process is the Architectural Development Process, ADP.

The level of details and enterprise abstraction developed as a result of the strategic layer ADP is critical to a successful architectural design. The details may also be used in determining the Maturity level of the enterprise [ [29], [30] ].

The Strategic layer is about enterprise leadership and governance; it is for vision declaration and metric identification. Example Strategic level goals could include:

Democracy – Assure Optimum Voter's Confidence in the Election System and its result
Financial – Maximize customer's privacy and become the most customer friendly Bank in the United States as well as the most functionally efficient.
Most Secure Online Service – Obtain highest industry rating in online-banking security.

The forgoing examples show a big-picture expectation and serve as the basis for performance measures. When the security metric is identified, the enterprise security architecture can then be designed to attain a given metric level or value averaged over a given period or consistent over a specified interval. An example will be "An election with security metric of 0.95, representing 95% errors free in all security attributes combined".

Business Security Layer
The Business or motivation layer addresses the goals in manners that lay out the how to achieve them. The Business layer is driven by the Strategic layer and is often the first design phase in the EISSA ADP. The enterprise's core security compliance requirements are addressed. Potential liabilities and risks associated with various decisions are also determined here. The Business layer often requires all three architectural perspectives; people, policies and technologies. It is common that technology is described with fewer details than at lower levels in the ADP hierarchy. Business Layer concerns itself with operational basis and process motivation. The directions for achieving these are specified and serve as the systems driver (Figure 2.3).

Sample Business Layer operations or objectives:

An Election System business objectives might include :
- Maximize Voter Participation and Confidence by ensuring all eligible voters are able to vote in compliance with the Voting Rights Act of 1959 as amended and re-authorized in 2006.
- Reduce ballot fraud by to less than 1% in subsequent elections.
- Assure 100% accuracy in vote counts by implementing appropriate technologies and procedures.
A financial Enterprise business objectives might include:
- Attain 10 million client level by reducing the customer-turnover to less than 10% from the current level of 50% and increasing new customer targeted advertisement to reach additional 20 million potential customers.
- Enhance Operational Efficiency and eliminate wastes by improving unit productivity and eliminating stove-pipes and bottle necks.

The Business Layer is a fundamental level of performance measure and a feedback point to the strategic as well as lower abstraction layers including the systems and the operational dimension. Objectives are determined by people, governed by policies and achieved by the combination of people, policies, and technologies. Examples of people involved in the Business layers are:

An Organization's C-Level Executives and Business-Leaders
The Federal Election Commission , driven by the legal mandates of the congress
The office of State's Secretary of state, for an election system.
Council Board of Election is also a business level operative for an election.

Business layer policy abstractions may include:

Industry standards such as ISO/IEC 17799 (ISO 2700-2005), aimed at providing operation guidance for achieving specific compliance requirements or mandate.
State Election guidelines, regulations, and procedures
Business layer technologies may include:
An Enterprise Architectural technology or an Enterprise Resource Planning (ERP) tool will be an example Business Layer technology, enabling essential reporting and performance measures.
The Business layer could mandate the use of a technology solution such as internet voting, or touch screen voting. It may not necessarily determine what vendor or what specific protocol to use.
Systems Layer

This can also be called the technology or solutions layer or dimension. This layer addresses enterprise components integration and interrelations with ramifications for effectiveness, performance and security. This is where detailed technology specifications are provided as are details connection and operational protocols. The system layer derives directly from the Business Architecture and is designed with the Enterprise goals in mind.

The System layer includes definition of systems and module; abstraction articulation of inter-system and intra-system communication protocols for data flow and data transfer. The system layer includes a significant level of implementation details. Consider the business layer as analogous to the main-contractor, then the system layer will be analogous to the sub-contractor. Security profile becomes more apparent, thus this level is suitable to rigorous metric computation. Providing a feedback loop between the system and the business layer improves efficiency.

Security requirements and features are defined clearly at the systems layer. This provides for clear translation for measuring the performance of operational enterprise with respect to the business requirements of the enterprise.

At the Systems layer, people, policies and or technology are represented. Some examples of people at this layer of the EISSAF hierarchy include:

Vendors, Evaluating Entities
Developers, Implementation Engineers
Election Management Personnel

At this layer, policies would typically be in the form of standards, best practices, guidelines, and regulations. Some examples include:

Standards , Recommendations, Best Practices
- CoBiT , ISO/IEC 17799-2005 (2700-2005)
- SSE-CMM
Corporate procedures and guidelines.

System layer technology perspective provides sufficient insight into the operational architectural view. It includes technology specifications, and serve as the operational driver. Some of the systems level technologies include:

Enterprise Network (LAN, WAN, Wireless, Data, Voice, Converged)
Identity Management (Access Control)
Cryptography (Key Management)
Service Audit (Logging, Monitoring)
Recovery/ Availability (Clustering and Back-Up )/Disaster Management
Platforms (Vendors / Systems )
TLS / PKI / AES
TCP / IP , OSI , ISO
Network Architecture / Design / Implementation
Control & Identity Infrastructures
Desktop and Server Management Structures/ Technologies

Figure 2.5 EISSAF Architectural Layers

Operational Security Dimension

Systems layer perspectives drive the operational layer design as shown in Figure 2.5 above. The operational layer is the user-facing layer. This is the last layer of the ADP and the construct include all three Enterprise Architectural perspectives; people, policies and technologies. The Operational dimension is crucial in the EISSAF ADP, in the EISSA modeling and metric simulations. All the vision, mission, and objectives determined at the strategic layer and actualized here. Operational layer architecture often relates to specific events or activities. Emphasis is on technology and people view. The security solutions at the operational layer are directly traceable to the strategic objectives, thus measures computed here are traceable to measures determined at the strategic layer.

A well architected EISSA will include paths for reviewing the operational outputs from the Operational layer into the Systems, Business as well as the Strategic layers. This is important for agility, serving also as the basis for enhancing efficiency, performance and security.

Many enterprises today lack an efficient feedback process. One of the goals of this work is to provide a holistic mechanism for feedback and process improvement. Methodologies such as Six Sigma and Baldrige provide framework for process improvement. EISSAF can be used in support of these other frameworks.

Often Operational layer policies are in the form of procedures, guidelines and instructions. Since they are governed by laws, regulations, and standards their impact and effectiveness can be mapped to the regulations at the strategic layer.

Operational layer people will include personnel directly interfacing with the resulting enterprise. For an election system, these will include; election judges, poll workers, vendor representatives, voters, and potential adversaries.

At the operational layer, technology is definite. Details ranging from network connection types, links and equipments to operating systems and more. For information systems, the most data is available at this layer. Examples of technology views at this layer include

Operating Systems type such as Windows 2003 release 2
Application Server such as Apache 2.2 running on a FreeBSD 6.1 minimal build with OpenSSH 0.9d installed. Other details may also be provided.
Diebold AccuVote TS Direct Recording Election System
Diebold Global Elections Management System
Sequoia Voting System Optech Insight machine
Cisco 4510R switch with 384 optical ports

Each of the technology item identified in the enterprise must map into the system layer technology view architecture. The system layer architecture must map into the business layer. The business layer must also map into the strategic layer. Thus every perspective element in the lower layers must be traceable to a strategic requirement or element.

The EISSAF architectural development process requires feedback between adjacent layers and between all layers. This many-to-many feedback loop improves the visibility and agility of the enterprise. The EISSAF supports feedback through the metric framework. The feedback process is captured in Figure 2.6.

Figure 2.6 EISSAF ADP Hierarchy & Process Feedback

Book Review : Cisco NAC Appliance by Jamey Heary - 2007

2007-08-26T13:14:00.000-04:00

Authors :Jamey Heary, CCIE (Chad Sullivan, CCIE; Jerry Lin, CCIE; Alok Agrawal)
Publisher : Cisco Press
ISBN -13:978-1-58705-306-1
Title : Cisco NAC Appliance : Enforcing Host Security with Clean Access

The Cisco Self Securing Network platform is currently structured around several cornerstone technologies of which the Cisco Clean Access technology is a leading component. The Cisco Clean Access technology is one of several industry wide Network Admission Control (NAC) technologies which rely on a combination of client-server components. The Cisco Clean Access suite includes a client component which could be host-installed applet or a browser based applet that can read basic configuration data from a host machine and communicate compliance to enterprise defined rules/policies which are pre-defined on a clean access server appliance and other coorperating systems. The book, Cisco NAC Appliance is a good guide for administrators deploying this complex set of solutions brought from Perfigo Inc. after Perfigo’s acquisition by Cisco 2006.

The book’s organization and tone is aimed at security architects, security managers and security administrators. While a security architect will better understand the various deployment options and thus the place of the Cisco NAC framework in an enterprise, security managers will get a comprehensive enough view of the Cisco NAC framework to make the judgment call on actual deployment of the infrastructure and of course make decisions on cost/facility and better grapple with the potential cost benefit requests from enterprise’s executive and the security administrator will have a quick guide handbook to help wade through the myriads of documentations from Cisco on its evolving SAFE architecture in general and the NAC framework in particular.

The organization of this book is excellent for the intended audience; six parts covering the basics of host security landscape, design of Cisco NAC appliance, developing a host security policy, the Cisco NAC configuration, some deployment best practices, and of course NAC appliance maintenance and troubleshooting. The six parts are laid out in fifteen accessible chapters spanning more than 500 pages with generous amount of configuration examples and screenshots.

With Cisco now having more than 45% market share in the endpoint access control market, books like these can only increase in importance as a guide to organizations grappling with the decision on what and where to deploy these technologies.

And for this volume, the taste of the pudding remains in the eating. So if you don’t have a copy yet, go grab one (so long as you are interested in some endpoint security solutions now or at some point in the future). As for rating, I’ll give it my best rating so far, four star out of five.

Book Review : Cisco CSA by Chad Sullivan - 2005

2007-08-26T13:13:00.000-04:00

As an endpoint protection solution, Cisco Security agent was a timely product, when it was released 2003, for being one of the industry’s first behavior based host protection solution and thus offering some hope of protection against the widely feared zero-day attack scenario. While the product is considered a great tool, its proper deployment in an enterprise is non-trivial. Hence the value of a book like Cisco Security Agent : Prevent security breaches by protecting endpoint systems with Cisco Security Agent(CSA) , the Cisco host Intrusion Prevention System.

While the books organization is not quit elegant (it leaves the planning and implementation process to the last part while address advanced concepts earlier on), its comprehensive content on the subject makes it a useful book all the same. The seven part book makes the case for Cisco Security Agent (or any endpoint security solution for that matter) in the first part, addresses the CSA architecture in the second and describes the agent installation as well as issues with the local agent in the third. Monitoring and reporting was handled in fourth part while the fifth part addresses CSA analysis in deployment. The author developed policies, implementation and CSA maintenance in part six while the last part (appendixes) addresses integration with other Cisco technologies.

Chad’s narrative while pedestrian provides ample guidance and example to appeal to an enterprise security administrator in a concise manner thereby compressing what could potentially have been a 1000 page manual into a less than 450 pages. Also the overall style of the presentation bellies Chad’s breadth of experience as a network security subject matter expert.

Given the state of enterprise information systems security today, a typical enterprise will need a combination of tools to achieve a secure pasture and this book by Chad Sullivan as well as the Cisco NAC appliance book he helped co-write are very useful guides for organizations planning to develop or deploy a robust and holistic end-point control solutions. While the book is dated (2005), I’ll still recommend it as a buy (even though I expect an update in the near future).

Enterprise Architecture

2007-08-12T16:47:00.000-04:00

Enterprise Architecture is the formal organization (design or layout) of the components, structures and processes required or relevant to the attainment of the goals and visions invested or envisioned in an enterprise.

Often used in the context of information system's applications in an enterprise, Enterprise Architecture is really concerned with all aspects of an enterprise with information technology as a sub-context.

All organizations are built on some architectural framework or another, even when the choice is not fully conscious, just like every building or city could be said to have been built on some structural architectural framework, even when the choice has not been conscious, like in many developing nations. However, just like modern society now appreciate the value of a conscious structural architectural developmental process; culminating in the study of architecture in many major colleges and trade institutions, so would society benefit from the conscious application of such faculty to enterprise architecture.

At a Digital Government Summit in 2006, a gentleman from CA used the term Empire Architecture to describe the architectural paradigm required for many modern enterprises, which can be considered really as a combination of complex enterprises; and he is right. Modern Corporations, Government and even educational institutions are indeed an amalgam of complex sub-entities often a singular ultimate bottom line, but disparate intermediate business goals and requirements. Modern Enterprise Architecture thus can be viewed beyond the singular enterprise but also from the perspectives of empire architecture.

However, semantics aside, enterprise architectural practice as it is developing today can support all nature of architectural definitions from single architectures to virtual enterprise architectures and empire architecture. Just like in structural architecture the procedures are essentially the same irrespective of the size or complexity. As a matter of fact, applying the same rigors irrespective of the size is beneficial to an Enterprise Architect who can then leverage lessons learned in one scenario to become better at another.

One problem that faces the the industry though remains the lack of a consistent outlook and the tendency of practitioners to be swayed by the most market-friendly buzzword in place of standardized terminologies which are necessary for a concepts this complex and with such great ramifications for business success. Many continue to use the term solely with software development, when in reality all know it is far beyond software development; just like all know that structural architecture is beyond the walls for a house or more than the trusses for a bridge.

We have developed an architectural framework for information security and will be making public more documentation regarding this framework. We are now working on a project to help harmonized the disparate knowledge and develop a standardized set of frameworks that will incorporate various existing platform for the maximum value to enterprises regardless of size.

For additional information, please send us an email at architect at eissaf dot com.

Book Review

2007-07-24T22:46:00.001-04:00

Title : Security Monitoring with Cisco Security MARS : Threat mitigation system deployment
ISBN-13: 978-1-58705-270-5 . Publisher: Cisco Press
Authors: Gary Hallen, Greg Kellogg

Reviewer: Dr. Wole Akpose, CISSP, D.Eng

Ok, you recently purchased Cisco MARS appliance, now what? Or better yet, you are in the market for a Security Incident Management (SIM) solution or a Security Threat Mitigation (STM) Solution, and are already considering a Cisco solution; you may even be a Cisco network shop. How do you decide, without the pressure of the overbearing sales people over your neck? Well the best answer is to do your research. Read everything you can find online about SIM and STM technologies and research the various vendor solutions out there. You may even take note of Gartner’s reports on the technology or simply hire Gartner. However, one tool you will appreciate in your arsenal is the book by Gary Hellene and Greg Kellogg, Security Monitoring with Cisco Security MARS.

As you may well know, the product now called MARS did not originate in any of Cisco’s R&D lab, but was a product from Perigee Network bought by Cisco in the fall of 2005. The product itself has undergone various upgrades, as has its documentation. But when you need quick answers, or compressed answers about SIM, STM or specifically MARS, the pages of this compact, under 300 pages, book will be your best bet in most cases, as I quickly found out.

The book came in at an opportune times, when I was just fidgeting with our newly installed MARS appliance, and answers that were taking quite long to find, wadding though jungles of pages that constitute the Cisco user manuals and the internet, were soon available after a few minutes of riffling though the book.

Reading the entire book took much less time than to read through the latest Harry Porter release, but it also brought into perspectives many components and nuances of the MARS appliance.

Organized into parts (like most Cisco press books), the book's content is outlined into an introductory section, an operations and forensic section, and what it calls an advanced topic section. The first three chapters that make up the introduction section provide essential background and rationale for deploying an STM or SIM solution in any network. This is one part any prospective SIM solution shopper should be acquainted with. It kind of helps you make the case for the expenditure. Not that you wont find it useful if you already made the purchase, you will be better served if you are fully briefed on the content in this section, as it lays out what you are getting into in some detail. Of course the emphasis is on MARS, a Cisco product, there is enough material here for everyone.

If you are a techie, you already own a MARS box (so you have to live with what you got), and you are not so worried about the business case for security, then, section 2 (Operations and Forensic) is a good place to start. The section begins with basics of securing the appliance itself; runs through rules, reports and queries; details incident investigation and forensics and ends with pertinent instructions on log data archiving and recovery in case something goes wrong with the appliance. Given that the section covers so much materials and is made up of four chapters, its one page volume is a great refresher to the security engineer who just wants to get adequate information to quickly get up and running. You will not become an expert by reading these four chapters, but your understanding of the appliance and appreciation for what can be done will grow after you read it. Also, you should be able to carry out at least 50% of the tasks you will need to carry out with the appliance.

The last section is probably the most fun, but you will do well reading it last. While the book outlines the last section to include just 4 chapters, the three appendices can easily be considered a direct appendage of the materials in this section. The section provides basic instructions on how to integrate MARS with other Cisco security products including the Cisco Security Manager (CSM) in chapter 8, the Cisco Network Admission Control (NAC) solutions in chapter 10, and Cisco MARS enterprise deployment framework in chapter 12. Chapters 9 and 11 present additional operational information on troubleshooting and log management. The appendices includes various system level and command line tools for managing and getting more out of the MARS appliance.

In all, the book is a great buy.

Enterprise !

2007-07-10T18:41:00.000-04:00

What is an enterprise? Here is a billion dollar question, and there seems to be many prospective takers. The MBA types will often describe the word in terms of company size as is evident in many business journals and advertisements; the reserve the word for the largest corporations. In the information technology industry, there is no such consensus. Almost any organization type has been reffered to as enterprise, as are (in growing number) several organizational units. John Zachman, in defining the original Zachman Framework crystalized the concept to an IT audience from the perspective of a major corporation (IBM's typcial client in 1987).

From a purist perspective (which is mine, mostly); various dictionary definitions are in order. At least that has been the crux of much of my definitions so far, and it formed the starting point of my thinking during my dissertation research:

The American Heritage Dictionary has the following to say :

" An undertaking, especially one of some scope, complication, and risk." It goes on to suggest "A business organization".

The Unabridged dictionary has this to say : " A project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy : A plan for such a project; participation or engagement in such projects..."

--- Both cited from Dictionary.com

Other definitions include that of TOGAF which says "An enterprise is any collection of organizations that have a set of common goals or a single bottom line".

The IEEE standard 1471-2000 defined an enterprise as "The fundamental organization of systems, embodied in its components, their relationships teach other and their environment, the principles governing its design and evolution"

In these definitions, we begin to see the picture that Zachman wanted to paint when he developed the concept of Enterprise Architecture in 1987. It was the work of Zachman that spurred all future efforts in the intervening decades since, and the Zachman framework it was that served as the soul of the original TOGAF (inspite of its more elaborate history). However, none of these standard definitions provide a clearer definition that was presented in my dissertation work.

And now here is my definition (see D.Eng dissertation by Adewole Akpose, 2007):

"An Enterprise is an organization of people, policies and technologies towards the attainment of some well defined goals, and or objectives"

Information

2007-07-09T18:58:00.000-04:00

Pardon the long interregnum: In the last 6 months or so since the last installment of the articlets, I have completed my dissertation, defended it successfully, gotten promotion at work(does not feel like it), started a private blog, caused trouble with a blog on educause, presented at the MD Digital Government summit, attended a very boring and ill named Architectural summit at Palm Springs, sat on the IEEE TC obituary and got bored!

Ok, so now I'm back to completing the six articlets I promised.

Information is the ultimate expected result of any set of activities on data. The complexity of these activities may vary widely. From a mathematical point of view, if y=f(x). y is information, and x is data, then f() is a given process or set of processes (or activities) that when applied to data (x) results in information. using the mathematical analogy, we can observe that f(x) could be a simple linear function , the simplest of which is y =x. That is there are cases when data equals information. In practice though, that is not always the case.

There has been many attempts in the past to define information, and the following will be stated to highlight the point:

The Unabridge English Dictionary (dictionary.reference.com) version 1.1 has the following definition " Knowledge communicated or received concerning a particular fact or circumstance; news..."

Another suggestion from the same source " important or useful facts obtained as output from a computer by means of processing input data with a program. "

Synonym of the word include intelligence, knowledge, wisdom...

The WordNet includes the following definition " a collection of facts from which conclusions may be drawn"

The Kernerman English Multilingua Dictionary (Beta Version) has a rather succinct definition " Facts told or knowledge gained or given".

All organizations place premium on information, not data (except in cases where there is confusion about what these mean). People do the same. Information is the important component of the whole knowledge industry. Everything else is a side show.

Information is the result or output of data processing! The primary purpose of modern computer and communication systems is the generation(derivation) and manipulation of information. Information systems are thus the aggregation of resources for achieving the purpose of information generation and manipulation.

Book Review

2007-06-25T19:13:00.000-04:00

Book Review
Authors :Benoit Claise, CCIE
Ralf Wolter
Publisher : Cisco Press
ISBN -13 : 978-1-58705-198-2
Title : Network Management : Accounting and Performance Strategies.
Reviewer : Dr. Wole Akpose, CISSP.

Network management is as much an art as it is a science, and like every knowledge based profession it requires informed access to the most cogent set of information. This is more apt, given the growing plethora of network protocols and technologies even by a single vendor. Wadding through the huge hog of information about appropriate technology solutions require either a long period of experience and direct continuous engagement with various (and increasing number of) technology groups and trade association, an extensive reading habit and lots of practice, or access the most relevant up-to-date source about the primary sets of modern tools. The latter is what the book "Network Management : Accounting and Performance Strategies" by Benoit Claise and Ralf Wolter (from Cisco Press) provides.

The book is a concise treatise on basic set of modern network management tools, protocols and services, mostly with strong IETF standard background, but from a Cisco-centric view.

Today's network managers have to worry about performance, billing, security, and requirement/use trends. Fortunately, tools exist today to help network managers address these concerns, but identifying the appropriate tools from a wide array of options and potentials is always a major challenge. This book organizes that information in a relatively easy to access manner.

Organized into three logical sections, which I characterize as; motivation, technologies, and application scenarios, the book is as thorough, as its arrangement is logical.

If you are wondering why you should buy the book, the first chapter (Understanding the need for Accounting and Performance Management) provides a quick overview of why. It presents fundamentals of network accounting and performance management, clarifying the differences between both while highlighting the overlaps in the technologies and frameworks for both. Operational areas including security, SLA management, QoS billing, capacity planning, availability and voice management are all addressed in enough details to warrant further reading, but also enough to provide a complete picture of the common worries of today's network manager.

Chapter 2, also in the first part, is devoted to data collection methodologies for various operational requirements. such as SLA measurements (using IP SLA in Cisco IOS), determination of meter location (network elements or network-edge-device) and so on. The chapter also provides a detailed expose on network data-collection infrastructure including a brief introduction to basic data collection tools including snmp, netflow and ftp. By the end of the chapter, the reader would be apprised of basic data filtering method as well as security considerations for data integrity and confidentiality (privacy) and how to protect against denial of service.

And while you're wondering if you had enough, chapter 3 rounds off the first part of the book with a review of current network accounting and performance standards and definitions from ITU-T standards and frameworks through IETF and ISO standards as well as popular proprietary frameworks. Some of the standards and definitions addressed include the ITU-T Telecommunications Management Network(TMN) Fault Configuration, Accounting, Performance, and Security (FCAPS) model; the TeleManagement Forum(TMF) eTOM (enhanced Telecom Operations Map); and pertinent IETF RFCs including 2924, 2975 et-cetera. At the end of the chapter, you will be prepared to make informed choices about various data collection, network accounting and performance protocols and technologies. Your next network management purchase will be less of a chore, and you will know what questions to ask of your network administrator as you try to identify what tool sets you may already have or have access to simply by upgrading your network operating system such as Cisco IOS.

For the most part, the first three chapters can be read as a stand alone work by network managers. And from my experience, I'll advice all network managers (particularly those who are not CCIE certified, and do not have more than 15 years experience with networks) to grab a copy. The chapters will give you the desired leap you need to better understand the various options in tools, technologies and solutions. For this reason, the book is a must buy.

The next nine chapters are more intense and geared towards administrators and analysts. Of course, many network managers also wear that hat at some point. The section covers disparate network management frameworks, protocols and tools implemented in various cisco devices and includes a generous amount of cisco IOS commands to get you started. Each chapter is devoted to one set of tools including SNMP and MIBs, RMON, IP Accounting, NetFlow, BGP Policy Accounting, AAA Accounting, NBAR, and IPSLA. If you ask me, this is probably one of the most thorough single collection of these materials in the most pedestrian fashion. That is the material while adequately technical is quite easy to follow and will get you started quickly, empowering you with tools and tricks to help you achieve some of your network management objectives be it for performance management , billing or security management. Of course the book does not replace the various tools out there meant to address these needs, but it simplifies your evaluation process and decisioning. Chapter twelve (the ninth in this part) brings everything in the section together for the reader with a set of comparative tables of all the tools, technologies and frameworks described in the prior chapters of the book.

Part three of the book, which consist of five chapter, is indeed an icing. Each chapter addresses an operational scenario: monitoring scenario, capacity planning scenario, voice scenario, security scenario and billing scenario. In each chapter the authors identify the set of tools most apt for each operational scenario and provide enough motivation for the network administrator / manager such that you can easily start with tools you may already own.

Of course the book is from Cisco press and written by Cisco engineers, so the tools described, their operations, the various devices and the commands are all Cisco based. However, the material covered is generic enough to be useful to all manners of network managers, engineers and administrators. So I am recommending this book as a must have with a rating of at least 4 start out of five. Needless to say, I have it on my shelve.

complete

2007-02-27T23:28:00.000-05:00

The Architectural Framework is complete.

The Security metric is done!

And tomorrow, I defend my dissertation.

So what would I do after that? well give you guys some more gist of the work, I suppose.

Keep coming back for more details.

System

2007-01-22T13:13:00.000-05:00

First we consider the following dictionary definitions of a system

A system is an assemblage or combination of things, parts or components to form a complex or a unitary whole
A group of interacting, interrelated, or independent elements forming a complex whole
A functionally related group of elements....

For our purpose, a system is an collection of components operating together to achieve a unitary objective. Thus a system could be a basic collection of transistors and related devices in a vlsi chip, a complex multipurpose processor, a complete desktop or server computer system, a clustered database system or any other.

This definition should not be confused with that of an Enterprise which we shall define is short order.

A system is an essential outcome of the development of an architecture, it is both a building block as well as an end result.

Security

2007-01-15T22:34:00.000-05:00

Security is a state of being free from danger or risks. It denotes the absence of risk which implies or denotes the absence of threats and or vulnerability. Security is not a meanigful concept without danger or threat, thus a system can not be considered secure or insecure if danger is not defined for the system.

This is an important concept, the fact that security is inherently tied to danger or threat! A system for which threat is defined but for which such threat is not a practical possibility is said to be practically absolutely secure. The converse is true.

Since threat is an indication of danger, a probability of danger, security can be defined as a measure of threat or expossure to danger.

Threat is not meaninful in the absence of an exploitable vulnerability, which is a weakness or potential expossure to danger.

We define security as that which imbues confidence in an enterprise from the perspective of the people involved in the enterprise; owners, stakeholders, investors, regulators, clients, partners, voters, candidates, etcetera.

Architecture (Architectural)

2007-01-15T16:11:00.000-05:00

An Architecture is the fundamental model of a system.

While many Dictionary definitions exists, the American Heritage Dictionary Byzantine definition is probably the most apt for our work, "A style and method of design and construction".

An architecture is a fundamental layout of a system, its components and their relationships-connections to themselves and each other. An architecture enhances the process of system design.

Much of modern architectural motivation derive from civil engineering and structures architectures. Other engineering fields have benefited from the structures imposed by structural-architecture, more so in the field of computer engineering.

In recent years, computer software and services professionals have begun ti rely on architectural-discipline as foundation work in their craft, and deriving exponential benefits of scale.

Designing a complex system without a clear architecture of the system is akin to walking around in Manhattan, blind on Monday at noon and without a guide dog.

While an architecture results in a model, an Architectural Framework results in an Architecture.

In computer engineering and software engineering , several architectural frameworks have been defined, we will consider some of them at the end of this series

Framework

2007-01-15T14:33:00.000-05:00

The Kernerman multilingual dictionary defined a framework as "the basic supporting structure of anything".

Various other dictionaries provide various slants of the definition, but perhaps, one of the more compelling definition, suitable for our work here is provided by the American Heritage dictionary "A set of assumptions, concepts, values, and practices that constitutes a way of viewing reality"

-- Quotes from :Reference.com

Every engineering feat starts with some framework, formalized or otherwise, and frameworks have played and continued to play a very fundamental and important part in the expanding industrial and technology revolution mankind has been blessed with for more than half of a millennium.

Automobile Systems, Aeronautical Systems, Civil Engineering Systems, Electrical Power Systems, Electronic Designs, Communication Systems, and Computer Systems to name a few have benefited tremendously from "well articulated, clear, and concise abstractions of their fundamental building blocks" , which supports modularity and reuse, enabling graduated incremental improvements as well as parameterizable components useful for evaluation and measures.

Every complex system will benefit from the development a formal framework in that rebuilds, updates, upgrades, modularization, and vendor agnostics intrinsics can be supported. In economics terms, formal frameworks supports a robust cost to benefit ratio. At least, it provides a rational framework for measuring same.

Frameworks also have the value that, they support some level of standardization in design, documentation, evaluation, review and support holistic comparison and rational decision making.

This articlet is the first installment of a six series work designed to throw more light into the essence of this journal.

Voting Machine Outrage

2006-09-18T13:17:00.000-04:00

I read with great trepiation the continued near criminal negligence of Diebold and other EVM vendors in the design of their voting machines meant for public elections. The recent report by Princeton University Professor Ed Felten , of demonstrated ease of successfully and covertly tampering with a Diebold Voting Machine and the vote count should send a shock wave through the spine of any one interested in fraud-free election system and the advancement of democracy.

This event, while it provides more fuell for the sensationalists, amidst the glaring incompetence of Diebold (which by the way has been mired in every electronic voting machine controversy since 2003), should draw strategist and policy makers closer to the fundamental issue in electronic voting and other application of computer systems for improved productivity: "Is Security a fundamental goal of the design?"

Day 2 in Boston

2006-09-07T21:09:00.000-04:00

The SCADA and RFID scenarios are lame and do not seem to be coming from someone with enough background information about the various industries and technologies being described. It is worthy of note that many of the doomsday prophets in the information security arena are really sensationalist who have limited knowledge of the industries they depict and more sensational power in their admixture of partial knowledge and confusion.

Ira Winkler claimed to have taken over banks and nuclear facilities' SCADA system? An interesting claim to review.

One thing is for sure, there is a great deal of difference of views in the security industry. The vendor's perspectives often always different than the service provider's perspective and researchers also have their own perspectives which more often than not is increasingly being determined by the perspectives of their sponsor. Everyone's got a bone to grind in the information security space and that does not bode well for the long term goal of providing holistic, effective and cost effective solutions.

Earlier today, John Chambers of Cisco got it right when he said that an architectural approach is required for an holistic security environment, he however missed the point in not seeing an architecture from the purist perspectives not just as an integration of security capabilities in various devices and integrating security into the network infrastructure, but in the development of infrastructure around security as is done with the case of reliability.

Ofcourse, the questions often arise as it did during this long conference, about what constitutes acceptable security. Many in the industry still hold the opinion that security is an immeasurable and intangible concept, more like its intangibility makes it immeasurable, however, it should be understood that every concept remains immeasurable so long as specific characteristics or features are not identified around which metrics can be defined.

Interesting features and characteristics in the information security workspace include but are not limited to :

1. Risk Measures : Annualized, Normalized, Time-Series , etc

2. State Measures : Review of known state and predicted states based on configuration changes or other related, impacting activities

3. Threat Metrics : Based on available information about enterprise and global security incidence and system vulnerability pastures.

Other Measures could also be defined, but the definition of measures will depend on the clear articulation of the security pasture, and this is made clearer in the presence of clear architectures.

Since organizations differ in their implementations, needs and types, their architectural needs will expectedly be different too, however, concepts necessary for developing successful architectures are universal, same as holds true in many other industry including the structural architectural industry. Thus an architectural framework or set of guidelines and rules or procedural standards required for an effective holistic information security architecture will provide a sound starting point.

In the late 1970's Zachman's framework definition resulted into efforts that today drive the implementation of robust integration framework for enterprise Information Technology projects. Organizations relying on Zachman's or some other architectural framework as the foundation of their IT projects and space have reported gains in various business significant areas including productivity gains, cost-effectiveness and agility across the enterprise. Resource re-use, user empowerment and cohesive working environments have also been reported, resulting in the increasing adoption of some framework for other business related goals such as the service oriented architectures, which have as their underlying goals, focus on the consumer.

Security Architectures, will tie in into the other types and provide an engine or driving force if you may for metrics.

One common denominator amongst the various industry players is self preservation and in the ensuing turf battles, the consumer risk loosing not just resources but confidence in the underlying infrastructures as they lies that belies much of the claims and fear mongering gets out in the open.

Some of the questions asked at the IDC conference in Boston indeed raised the question, albeit indirectly, about the relevance of many of the current vendors. Much of the services being touted are either unnecessary or overrated in that the end user/consumer should not need to have to outsource basic operations because someone else can do it better as an enterprise. In many of the managed security space, the consumer transfers the operational risks, but maintains the business risk. The unfortunate thing for many corporations out their is that as they outsource majority of their critical IT functions in the name of managed security, they tremendously increase their exposure footprint and their risk for privacy breach also increases.

In the coming days, I hope to get a list of titles of all security personnel at the Boston event. Reason? A research on what Info security professionals are being referred to are calling themselves in the enterprise. I may extend this in the future to all US enterprise!

Also, I will do a more detailed review on the Boston IDC event in the coming days, time permitting.

The IDG Security Standard Meetings : Sept 6-7

2006-09-06T07:55:00.000-04:00

I arrived in Boston last night and settled in my room. Great View! I am attending the IDG organized Security Standards Meetings at the Haynes Convention Center, Boston.

Apart from the (ISC)2 CPEs, these rounds of meetings is touted as an opportunty for leading Security Decision Makers (that me :)) to interact with the leading Industry Vendors (that will be Microsoft and Cisco?).

Well, a few weeks leading to this, I recieved a mail requesting that attendees write out questions they'll like the buffs from Microsoft (who will hold a special session today) to answer. So I quickly whipped up my pen (no fingers) and typed away some 'complex' questions for the Microsoft Quartet.

Here are the questions :

1. Enterprise Security Best Practices
What does Microsoft See as the greatest Challenge facing Enterprises as efforts in Enterprise Security continue?
- Development of Platforms that drive architectural ideas? Or
- Development of Architectures that drive platform/solution ideas?
And what does Microsoft see as its role in this future?

2. Integration
With is Microsoft’s vision for integrated identity infrastructure , ala single-sign-on, federation, generic-entity-identification and tracking as well as privacy preservation in a compliant enterprise. Will Microsoft transition to a fully standardized identity database structure or retain the Jet Engine based AD database structure?

3. What lessons has Microsoft learnt in the last two years, as it races to meet release deadlines while grappling with its vision of a minimal bug next-generation platform (Vista and Longhorn), all in a business environment that seems more ready to embrace the alternatives and lay much of the blame for widespread security incidences on Microsoft in some way or the other?

Now, you'll wonder why I didn't ask all the other burning questions. Well, we were restricted to 3 questions for starters, and I prefer the big-picture questions...

Ok. I'll continue this later (yeah, I know. I say that alot, don't I).

IEEE Senior Member

2006-07-02T22:10:00.000-04:00

Enterprise Information Systems Security Architectural Framework[EISSAF]

Yesterday I saw a mail from the IEEE and the label including the the notification that my member card is included.

I asked myself why the IEEE will be sending me a membership card for 2006 in July?

Well, I went ahead and opened the mail and alas, it was indeed a 2006 membership card, but a different one from the one I currently carry. The acompanying letters said it all. I have been elevated to Senior Member. This is quite an impressive milestone for me and I was quite happy with the second good news in two weeks.

Last wee I had passed my Candidacy Exam after presenting my Research so far to the Oracles (my Doctoral Advsiory Council).

In the comming months, I will be putting finishing touches to my work and rounding up the documentation. I also hope I can present subsets of the work at various technology forums and to different specialist sub-groups.

I'm still working hard on my dissertation even though I am not writing a lot in my blog.

The offer for more information still holds for those of you interested in the direction of my work so far or just interested in the work in general.

Voting News

2006-06-05T01:44:00.000-04:00

Enterprise Information Systems Security Architectural Framework[EISSAF]

http://online.wsj.com/public/article/SB114739688261250925-rCvhHxbesvMwfZPOe9jvoNFx_Pk_20070512.html?mod=blogs

http://online.wsj.com/public/article/SB114903389207066918-DXGEbMmtrrq6sIes4bmpYqi5ffI_20070530.html?mod=blogs

http://www.washingtonpost.com/wp-dyn/content/article/2006/05/29/AR2006052900816.html

Open Architecture for Secure Electronic Voting.

2006-04-16T10:55:00.000-04:00

Open Architecture for Secure Electronic Voting.

I have followed closely the passing of the HAVA, and some of the development
of the EAC and NIST's role in all these. I have also reviewed much of the
materials in public domain on Electronic Voting and I have come to the
following basic conclusions:

1. Election System is an Enterprise. The United States Election System
can be considered a Virtual Enterprise, crossing multiple jurisdictions, but
the goals of a public election (as against a private sector or other
systems) are the same.

2. Enterprises work best when it adopts a clear Architectural framework

3. Security of any Enterprise System can be conceptualized from an
architectural perspective

4. Development of a quantitative Security metric (or figure of merit,
to use my Advisor's preferred phrase) is imperative to a Holistic Security
Architectural framework, and thus to a Secure Election System (Electronic
and all that)

5. A Security metric for Electronic Voting System will enable consensus
on the actual state of an election system and help the community avoid some
of the pitfalls observed in the 2004 and 2002 elections when DREs where
used.

Hey this is my first

2006-04-10T00:54:00.000-04:00

Hey this is my first mobile blog. It still beats of that blog Is not a dictionary word yet
Wole