Jeff Johnson's CAMM work

[genek () tripwiresecurity com (Gene Kim)]

To everyone:  Thank you all for the great information on Jeff Johnson's work
-- in fact, Jeff dropped me a note on Saturday.

(Unfortunately, I wasn't able to send out my reply until today, due to
traveling and troubles with VPN -- but that's another story.  :-)

Does anyone find it just a little amazing that not only did I get all these
great references to CAMM, but I also heard from Jeff himself.  For your
amusement, let me extend an analogy that I gave Gene Spafford seven years
ago:

One afternoon, a wild-eyed and disheveled person walks into a grocery store,
shuffles to the middle of the produce section, and then proceeds to scream
out, "I demand to speak to the inventor of Charmin!  I want to know what
kind of trees you use, and I've got eighteen secret brilliant ideas that you
need me to tell you!  Now!"

Amazingly, numerous fellow customers around him proceed to tell him where he
can find the Charmin inventor (whose name is Bob, by the way), one tells him
Bob's home telephone number, two people promise to convey the note to Bob,
and most amazingly, Bob appears from behind the banana display and actually
engages him in a conversation.

Pretty amazing world we live in, huh?  :-)

Thanks again!

Cheers,
Gene

Gene Kim (mailto:genek () tripwiresecurity com)
Chief Technology Officer
Tripwire, Inc. (http://www.tripwiresecurity.com)
1631 NW Thurman St., 1st Floor
Portland, OR 97209
Office: 503-223-0280
Fax:    503-223-0182 

Tripwire in the news!
http://www.forbes.com/asap/html/99/0615/feat.htm

Tripwire is Linux World Security Editor's Choice!
http://www.wpi.com/linuxworld/lw-ec-winners.html

> -----Original Message-----
> From: Max Vision [mailto:vision () whitehats com]
> Sent: Saturday, December 11, 1999 5:33 AM
> To: Gene Kim
> Subject: Re: IDS: Jeff Johnson's CMM security model -- any pointers?
>
>
> http://xent.ics.uci.edu/FoRK-archive/oct97/0036.html
> http://xent.ics.uci.edu/FoRK-archive/oct97/0039.html
>
> On Fri, 10 Dec 1999, Gene Kim wrote:
>
> > Hey, all...
> >
> > A couple of months back, I was talking with Karen Worstell, and she
> > mentioned some work that Jeff Johnson had done a while 
> back, basically
> > creating something like a Security Capability Maturity Model.
> >
> > Does anyone know where I can find a reference to this, and 
> better yet, know
> > how to reach Jeff Johnson these days?  
> >
> > The model was pretty interesting.  It reminds me of a 
> presentation that I
> > saw from Stephen Katz about the Citicorp ISEM model, which 
> measures the
> > security awareness of an organization, from complacency, awareness,
> > integration, measurement, and continual improvement.  (My 
> paraphrase,
> > unfortunately...)
> >
> > Thanks a bunch...
> >
> > Cheers,
> > Gene
> >
> > ---
> > Gene Kim (mailto:genek () tripwiresecurity com)
> > Chief Technology Officer
> > Tripwire, Inc. (http://www.tripwiresecurity.com)
> > 1631 NW Thurman St., 1st Floor
> > Portland, OR 97209
> > Office: 503-223-0280
> > Fax:    503-223-0182 
> >
> > Tripwire in the news!
> > http://www.forbes.com/asap/html/99/0615/feat.htm
> >
> > Tripwire is Linux World Security Editor's Choice!
> > http://www.wpi.com/linuxworld/lw-ec-winners.html