When I started in this field that we now call cybersecurity, we called it Data Security and Privacy. In these seventy years it has had a number of names, as has what we now call information technology, or IT.
I like to think of what I do as Computer Security, the art and science of keeping the computer safe, using it safely, using it to preserve its contents, and assuring its results.
In the late eighties or early nineties, I chaired the ISSA committee that undertook to define the Professional Body of Knowledge, that is, the scope and content of the knowledge that information system security professionals expected of one another, the knowledge that defined and limited the profession. If memory serves, after extensive consideration and discussion we organized the knowledge into thirteen domains. Today those have been combined, refined, and reduced to:
- Security and Risk Management: Governance, legal/regulatory compliance, ethics, threat modeling, and business continuity.
- Asset Security: Protection of data assets, data classification, and retention.
- Security Architecture and Engineering: Secure engineering processes, security models, cryptography, and physical security.
- Communication and Network Security: Secure network design, components, and communication channels.
- Identity and Access Management (IAM): Physical/logical access control, managing user identity, and authentication.
- Security Assessment and Testing: Vulnerability assessment, penetration testing, and security auditing.
- Security Operations: Incident response, disaster recovery, digital forensics, and investigations.
- Software Development Security: Security in the software lifecycle, secure coding guidelines, and software configuration management.