gotta.no/introtake

Quick introductions with my Take

Introtake #001

Taxonomy! June 2024

The primary language of information security is, arguably, English. Those of us who do not have English as our first language find that documentation written in our own languages still carries the English words and acronyms forward. And yes, there sure are a lot of acronyms!

So I wanted to light a torch for the word Taxonomy. The fact is that our use of a common set of words, the ever-expanding list of information security technical terms, has helped us communicate effectively across the globe / cloud. And we need to be effective: our area of interest and expertise is changing rapidly and has been integrated throughout our society.

I think we've been fortunate to have idealistic, governmental and private organizations that help develop and share standards, best practices and registries for our area of interest. The Common Vulnerabilities and Exposures (CVE) system and the Common Weakness Enumeration (CWE) category system are both examples that allow us to quickly share and build on knowledge to remediate issues with our tech.

We use these identifiers when we approach vendors to check on their work to address vulnerabilities, and they let us hold vendors accountable for specific, unambiguously named issues.

The terms, acronyms, RFCs and more have given us a map for finding information. If you search for information on 5G you will find it in English, but most likely also in your own language.

I have to mention ISO (the International Organization for Standardization), which provides us with great tools in the form of standards that help us establish and align around catalogs of best practices. I'm just so frustrated that they are not available for free, surely there must be a better way to fund the standardization activities.

I've worked a lot with ISO/IEC 27001, the Information Security Management System (ISMS) standard, and the set of controls it lists in Annex A, which ISO/IEC 27002 describes in more detail for implementation. I have found great benefit in the fact that these two documents are mapped into other management and control frameworks. This lets us tap into advice from other organizations, such as the NIST CSF, SOC 2 and the Norwegian NCSC (part of NSM). It also allows audits and maturity work to be performed against whichever management and control system an organization has chosen to use.

By mapping standards and control/management frameworks to one another, we can avoid maintaining a separate collection of policies or procedures for each of the regulations or standards a global organization is asked to comply with.

[Image: it001 by Designer]

Fun Facts:

I think the following helps prove my point that information security is a global activity, even if a lot of the information is written in English:

  • The first SMS (Short Message Service) / text message was sent in the UK in December 1992 over a European invention called GSM (Global System for Mobile Communications), a standard developed through Franco-German and wider European cooperation.
  • GSM succeeded the world's first fully automatic mobile phone service: Nordic Mobile Telephone (NMT).
  • And we listen to our podcasts via Bluetooth, a technology named after a Danish king.

Read more:

  1. https://en.wikipedia.org/wiki/ - Taxonomy, CVE, CWE, SMS, GSM
  2. https://www.nist.gov - NIST Cybersecurity Framework (CSF) 2.0
  3. https://www.nsm.no - NSM's Grunnprinsipper for IKT-sikkerhet (Basic Principles for ICT Security) v2.1
  4. https://www.iso.org - iso.org > Sectors > IT technologies
  5. https://www.mitre.org - MITRE ATT&CK®, MITRE D3FEND™
  6. https://www.ericsson.com/en/about-us/history/changing-the-world/the-nordics-take-charge/the-launch-of-nmt
  7. https://en.wikipedia.org/wiki/Bluetooth

#language #InfoSec #Taxonomy #Acronyms

Tor Vigesdal - 2024