Information Security Auditing

US-CCU Cyber-Security Check List
The US Cyber Consequences Unit (CCU) has developed a Cybersecurity Checklist to help federal agencies and industry determine the possible consequences of risks posed by the current state of their IT systems; the list also offers suggestions for mitigating those risks. The list asks 478 questions about hardware, software, networks, automation, humans and suppliers. The checklist has not yet received DHS approval. CCU is funded by DHS and aims to provide the government with accurate assessments of the consequences of cyber attacks. "The new list shifts the focus from perimeter security to internal systems monitoring and maintenance".

SANS ISO 17799 Audit Checklist
This 7799 checklist can be used to audit an organisation's information security posture. This checklist does not provide vendor specific security considerations. Instead it provides a generic checklist of security considerations. It is 47 pages long. Definitely worth a look.

ISACA IS Standards, Guidelines and Procedures for Auditing and Control Professionals
IS Auditing Standards are mandatory requirements for certification holders’ reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS auditor's responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC Assessment.

Payment Card Industry Security Audit Procedures and Reporting
This document is used to verify that a site is in compliance with the PCI Data Security Standard and to create a Report on Compliance.

Payment Card Industry Self-Assessment Questionnaire
The questionnaire is divided into twelve sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for performing security tests. When you use an internal testing methodology, you leverage the brain trust of a handful of security experts. The OSSTMM is powerful because it provides the collective best practices, legal, and ethical concerns of the global security testing community.

Protiviti - Guide to Internal Audit: Frequently Asked Questions About the NYSE Requirements and Developing an Effective Internal Audit Function (66 pages)
Protiviti has released the final version of its comprehensive internal audit resource guide. This publication contains 69 frequently asked questions and answers about internal audit, including details on the new NYSE internal audit rule and creating and maintaining an effective internal audit function. It also details how PCAOB Auditing Standard No. 2, which has been approved by the SEC, allows for the work of internal auditors to be relied upon to an extent by the external auditor.

Protiviti - Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition Updated to reflect PCAOB Auditing Standard No. 2 (189 pages)
Protiviti has revised its highly regarded resource guide on Section 404 of the Sarbanes-Oxley Act. The third edition of Protiviti's popular Section 404 publication addresses the effects of changes arising from the SEC's final rules released in June 2003, as amended by the Commission's extension of these rules released in February 2004. It also includes a wealth of detailed information on PCAOB Auditing Standard No. 2 and its impact on Section 404 compliance efforts. In all, this comprehensive guide contains 88 new questions and well over 100 pages of new or substantially revised material.

IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives in identifying what must be done to make effective use of technology in support of continuous auditing, and highlights areas that require further attention. It provides continuous audit guidance that will benefit the organization by significantly reducing instances of error and fraud, increasing operational efficiency, and improving bottom-line results through a combination of cost savings and a reduction in overpayments and revenue leakage.

GAO Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity technologies for CIP in response to a request from congressional committees. This assessment addresses the following questions: (1) What are the key cybersecurity requirements in each of the CIP sectors? (2) What cybersecurity technologies can be applied to CIP? (3) What are the implementation issues associated with using cybersecurity technologies for CIP, including policy issues such as privacy and information sharing?

BITS Financial Institution Shared Assessments Program (FISAP)
The FISAP Program is a groundbreaking new process for financial institutions to evaluate the security controls of their IT service providers.

Copyright 2003 - 2008 - USSecurityAwareness.org - All rights reserved - Legal Notices