Information Security Auditing

SANS ISO 17799 Audit Checklist
This ISO 17799 (BS 7799) checklist can be used to audit an organisation's information security posture. It does not provide vendor-specific security considerations; instead it provides a generic checklist of security controls to check against each area of the standard. It is 47 pages long. Definitely worth a look.

ISACA IS Standards, Guidelines and Procedures for Auditing and Control Professionals
IS Auditing Standards are mandatory requirements for certification holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures give detailed guidance on how to follow those standards. The Guidelines are what an IS auditor will normally follow, with the understanding that there may be situations where the auditor departs from them; in that case it is the IS auditor's responsibility to justify the way in which the work was done. The Procedures are worked examples of the steps an IS auditor performs and are more prescriptive than the Guidelines. They are constructed to follow both the Standards and the Guidelines, and to some extent they also establish best practice for the procedures to be followed.

Audit Templates - AuditNet
The AuditNet templates section contains hundreds of submitted audit programs and checklists. AuditNet is intended as a central electronic resource for the audit community, providing a communication link and a network of shared resources for auditors worldwide.

NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology defines the depth and breadth of assessment activity that must be performed for the work to be acceptable within the IATRP (INFOSEC Assessment Training and Rating Program). The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC assessment.

Payment Card Industry Security Audit Procedures and Reporting
This document is used to verify that a site is in compliance with the PCI Data Security Standard and to create a Report on Compliance.

Payment Card Industry Self-Assessment Questionnaire
The questionnaire is divided into twelve sections, one for each of the twelve requirements of the PCI Data Security Standard. Each section focuses on the specific area of security covered by that requirement.

The Information System Security Assessment Framework (ISSAF)
The ISSAF is a peer-reviewed, structured framework that categorizes information system security assessment into domains and details specific evaluation or testing criteria for each of them. It aims to provide field input on security assessment that reflects real-life scenarios. ISSAF should primarily be used to fulfil an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. It also covers the crucial facet of security processes, their assessment and their hardening, so that the assessment gives a complete picture of the vulnerabilities that might exist.

OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open-standard methodology for performing security tests. An internally developed testing methodology draws only on the brain trust of a handful of security experts. The OSSTMM is powerful because it captures the collective best practices, and the legal and ethical concerns, of the global security testing community.

Protiviti - Guide to Internal Audit: Frequently Asked Questions About the NYSE Requirements and Developing an Effective Internal Audit Function (66 pages)
Protiviti has released the final version of its comprehensive internal audit resource guide. This publication contains 69 frequently asked questions and answers about internal audit, including details on the new NYSE internal audit rule and creating and maintaining an effective internal audit function. It also details how PCAOB Auditing Standard No. 2, which has been approved by the SEC, allows for the work of internal auditors to be relied upon to an extent by the external auditor.

Protiviti - Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition Updated to reflect PCAOB Auditing Standard No. 2 (189 pages)
Protiviti has revised its highly regarded resource guide on Section 404 of the Sarbanes-Oxley Act. The third edition addresses the effects of changes arising from the SEC's final rules released in June 2003, as amended by the Commission's extension of those rules released in February 2004. It also includes a wealth of detailed information on PCAOB Auditing Standard No. 2 and its impact on Section 404 compliance efforts. In all, this comprehensive guide contains 88 new questions and well over 100 pages of new or substantially revised material.

IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks. Examiners may use this booklet when evaluating a financial institution's risk management process, including the duties, obligations, and responsibilities of any service provider for information security and the oversight exercised by the financial institution over that provider.

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on helping Chief Audit Executives identify what must be done to make effective use of technology in support of continuous auditing, and highlights areas that require further attention. It provides continuous audit guidance intended to benefit the organization by reducing instances of error and fraud, increasing operational efficiency, and improving bottom-line results through a combination of cost savings and a reduction in overpayments and revenue leakage.

GAO Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity technologies for CIP in response to a request from congressional committees. This assessment addresses the following questions: (1) What are the key cybersecurity requirements in each of the CIP sectors? (2) What cybersecurity technologies can be applied to CIP? (3) What are the implementation issues associated with using cybersecurity technologies for CIP, including policy issues such as privacy and information sharing?

BITS Financial Institution Shared Assessments Program (FISAP)
The FISAP Program is a new process for financial institutions to evaluate IT service providers. FISAP offers efficiencies and cost savings to financial institutions and service providers through a comprehensive, standardised alternative to current service provider assessment methods, in which a shared assessment can replace many institution-specific ones.
Related documents: FISAP FAQs; Agreed Upon Procedures (37 pages); Supplemental Information Gathering (49 pages)

Copyright 2003 - 2006 - USSecurityAwareness.org - All rights reserved - Legal Notices