US-CCU Cyber-Security Check List
The US Cyber Consequences Unit (US-CCU) has developed a cyber-security checklist to help federal
agencies and industry determine the possible consequences of the risks posed by the current
state of their IT systems; the list also offers suggestions for mitigating those risks. The
list asks 478 questions about hardware, software, networks, automation, humans and suppliers.
The checklist has not yet received DHS approval. US-CCU is funded by DHS and aims to provide the
government with accurate assessments of the consequences of cyber attacks. "The new list
shifts the focus from perimeter security to internal systems monitoring and maintenance".
ISO 17799 Audit Checklist
This ISO 17799 checklist can be used to audit an organisation's information
security posture. It does not cover vendor-specific security
considerations; instead it provides a generic checklist
of security considerations. It is 47 pages long. Definitely worth
IS Standards, Guidelines and Procedures for Auditing and Control
IS Auditing Standards are mandatory requirements for certification
holders’ reports on the audit and its findings. IS Auditing
Guidelines and Procedures are detailed guidance on how to follow
those standards. The IS Auditing Guidelines are guidance an IS
auditor will normally follow with the understanding that there
may be situations where the auditor will not follow that guidance.
In this case, it will be the IS auditor's responsibility to justify
the way in which the work is done. The procedure examples show
the steps performed by an IS auditor and are more informative
than IS Auditing Guidelines. The examples are constructed to follow
the IS Auditing Standards and the IS Auditing Guidelines and provide
information on following the IS Auditing Standards. To some extent,
they also establish best practices for procedures to be followed.
NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other
words, the methodology defines the depth and breadth of the assessment activities that must be performed
for an assessment to be acceptable within the INFOSEC Assessment Training and Rating Program (IATRP).
The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC assessment.
OSSTMM - Open Source Security
Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for
performing security tests. An internal testing methodology leverages only the brain trust
of a handful of security experts. The OSSTMM is powerful because it captures the collective best
practices, and the legal and ethical concerns, of the global security testing community.
IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting
a security process that identifies risks, forms a strategy to
manage the risks, implements the strategy, tests the implementation,
and monitors the environment to control the risks. Examiners may
use this booklet when evaluating the financial institution’s
risk management process, including the duties, obligations, and
responsibilities of the service provider for information security
and the oversight exercised by the financial institution.
Continuous Auditing: Implications
for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives identify what must be done to make effective use of
technology in support of continuous auditing and highlights areas that require further attention. It
provides continuous audit guidance that will benefit the organization by significantly reducing instances
of error and fraud, increasing operational efficiency, and improving bottom-line results through a
combination of cost savings and a reduction in overpayments and revenue leakage.
Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity
technologies for critical infrastructure protection (CIP) in response to a request from congressional
committees. The assessment addresses the following questions:
(1) What are the key cybersecurity requirements in each of the
CIP sectors? (2) What cybersecurity technologies can be applied
to CIP? (3) What are the implementation issues associated with
using cybersecurity technologies for CIP, including policy issues
such as privacy and information sharing?