US-CCU Cyber-Security Check List
The US Cyber Consequences Unit (CCU) has developed a Cybersecurity Checklist to help federal
agencies and industry to determine the possible consequences of risks posed by the current
state of their IT systems; the list also offers suggestions for mitigating those risks. The
list asks 478 questions about hardware, software, networks, automation, humans and suppliers.
The checklist has not yet received DHS approval. CCU is funded by DHS and aims to provide the
government with accurate assessments of the consequences of cyber attacks. "The new list
shifts the focus from perimeter security to internal systems monitoring and maintenance".
SANS
ISO 17799 Audit Checklist
This 7799 checklist can be used to audit an organisation's information
security posture. This checklist does not provide vendor specific
security considerations. Instead it provides a generic checklist
of security considerations. It is 47 pages long. Definitely worth
a look.
ISACA
IS Standards, Guidelines and Procedures for Auditing and Control
Professionals
IS Auditing Standards are mandatory requirements for certification
holders’ reports on the audit and its findings. IS Auditing
Guidelines and Procedures are detailed guidance on how to follow
those standards. The IS Auditing Guidelines are guidance an IS
auditor will normally follow with the understanding that there
may be situations where the auditor will not follow that guidance.
In this case, it will be the IS auditor's responsibility to justify
the way in which the work is done. The procedure examples show
the steps performed by an IS auditor and are more informative
than IS Auditing Guidelines. The examples are constructed to follow
the IS Auditing Standards and the IS Auditing Guidelines and provide
information on following the IS Auditing Standards. To some extent,
they also establish best practices for procedures to be followed.
NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other
words, the methodology explains the depth and breadth of the assessment activities that must be performed
to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be
considered a complete INFOSEC Assessment.
Payment Card Industry Self-Assessment Questionnaire
The questionnaire is divided into twelve sections. Each section focuses on a specific area of security, based
on the requirements included in the PCI Data Security Standard.
OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for
performing security tests. When you use an internal testing methodology, you leverage the brain trust
of a handful of security experts. The OSSTMM is powerful because it provides the collective best
practices, legal, and ethical concerns of the global security testing community.
Protiviti - Guide to Internal Audit: Frequently Asked Questions About the
NYSE Requirements and Developing an Effective Internal Audit Function (66 pages)
Protiviti has released the final version of its comprehensive
internal audit resource guide. This publication contains 69 frequently
asked questions and answers about internal audit, including details
on the new NYSE internal audit rule and creating and maintaining
an effective internal audit function. It also details how PCAOB
Auditing Standard No. 2, which has been approved by the SEC, allows
for the work of internal auditors to be relied upon to an extent
by the external auditor.
Protiviti - Guide to the Sarbanes-Oxley Act: Internal Control Reporting
Requirements - Third Edition, Updated to Reflect PCAOB Auditing Standard No. 2 (189 pages)
Protiviti has revised its highly regarded resource guide on Section
404 of the Sarbanes-Oxley Act. The third edition of Protiviti's
popular Section 404 publication addresses the effects of changes
arising from the SEC's final rules released in June 2003, and
as amended by the Commission's extension of these rules released
in February 2004. It also includes a wealth of detailed information
on PCAOB Auditing Standard No. 2 and its impact on Section 404
compliance efforts. In all, this comprehensive guide contains
88 new questions and well over 100 pages of new or substantially
revised material.
IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting
a security process that identifies risks, forms a strategy to
manage the risks, implements the strategy, tests the implementation,
and monitors the environment to control the risks. Examiners may
use this booklet when evaluating the financial institution’s
risk management process, including the duties, obligations, and
responsibilities of the service provider for information security
and the oversight exercised by the financial institution.
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives in identifying what must be done to make effective use of
technology in support of continuous auditing, and highlights areas that require further attention. It
provides continuous audit guidance that will benefit the organization by significantly reducing instances
of error and fraud, increasing operational efficiency, and improving bottom-line results through a
combination of cost savings and a reduction in overpayments and revenue leakage.
GAO Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity
technologies for CIP in response to a request from congressional
committees. This assessment addresses the following questions:
(1) What are the key cybersecurity requirements in each of the
CIP sectors? (2) What cybersecurity technologies can be applied
to CIP? (3) What are the implementation issues associated with
using cybersecurity technologies for CIP, including policy issues
such as privacy and information sharing?