Information Security Program

NIST Draft Special Publication 800-100: Information Security Handbook: A Guide for Managers
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics.

RFC 2196 - Site Security Handbook
This handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet. The purpose of this handbook is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response.

SANS Top 20 Critical Internet Security Vulnerabilities
The SANS Top 20 is a list of the Internet security vulnerabilities that are most commonly exploited by hackers. The list defines an absolute minimum level of security protection for computers that may be connected to networks. Hundreds of automated attack programs take advantage of these vulnerabilities, so their elimination is essential as a first line of defense to protect the privacy of information stored on systems and to avoid having systems taken over and used in attacks on other victims.

SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. After consensus is reached and best practice recommendations are validated, they may be formalized by CIS as best practice and minimum standards benchmarks for general use by industry at large.

NSA IATRP - INFOSEC Assurance Capability Maturity Model (IA-CMM)
Use of the NSA IA-CMM increases an organization’s capability to provide ongoing support and confidence that its technical work force is performing according to an established and mature INFOSEC Assurance process. The goal is to gain relative assurance that the INFOSEC Assurance process is consistent and repeatable over time.

OWASP Top Ten Web Application Security Vulnerabilities
The OWASP Top Ten is becoming the de facto standard for web application security. The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency has listed the OWASP Top Ten as key best practices that should be used as part of the DOD Information Technology Security Certification and Accreditation (C&A) Process (DITSCAP).

OWASP Guide to Building Secure Web Applications
The original OWASP Guide to Building Secure Web Applications has become a staple diet for many web security professionals. Over the last 24 months the initial version has been downloaded over 2 million times. The Guide forms the basis for corporate web security policies for several Fortune 500 companies and is used in service offerings from many security consulting companies. The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

Critical Information Infrastructure Protection Handbook - CRN Publications (Free)
The overall purpose of the International CIIP Handbook 2004 is to provide an overview of CII protection practices in several countries. The book investigates two main questions: 1) What national approaches are there to CIIP? and 2) What methods and models are used in the countries surveyed in order to analyze and evaluate various aspects of CII? The handbook’s target group consists mainly of security policy analysts, researchers, and practitioners. The handbook can be used either as a reference work for a quick overview of the state of the art in CIIP policy formulation and CIIP methods and models or as a starting point for in-depth research.

Implementing Information Security: Risks vs. Cost - CyberGuard
Whether your organization is large or small, a thorough, detailed information security plan should be part of your security formula. This article provides some useful information on implementing a viable plan that not only complies with government regulations, but also eliminates costly threats.

ISSA: Generally Accepted Information Security Principles (GAISP) (60 pages)
GAISP’s goal is to collect information security principles that have been proven in practice and accepted by practitioners, and to document those principles in a single repository – hence the name, Generally Accepted Information Security Principles. GAISP draws upon established security guidance and standards to create comprehensive, objective guidance for information security professionals, organizations, governments, and users.

NSA: Information Assurance Technical Framework (IATF)
The IATF provides defense-in-depth architectural guidance. It was developed to help a broad audience of users both define and understand their technical needs as well as to select approaches to meet those needs. The objectives of the IATF include raising the awareness of information assurance (IA) technologies, presenting the IA needs of information system (IS) users, providing guidance for solving IA issues, and highlighting gaps between current IA capabilities and needs.

Australian DSTO: A Survey of Techniques for Security Architecture Analysis
This technical report is a survey of existing techniques which could potentially be used in the analysis of security architectures. The report has been structured to section the analysis process over three broad phases: the capture of a specific architecture in a suitable representation, discovering attacks on the captured architecture, and then assessing and comparing different security architectures. Each technique presented in this report has been recognised as being potentially useful for one phase of the analysis.

Information Security Control Frameworks

ISACA - COBIT IT Standard for IT Security and Control Practices
COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

ISACA - IT Control Objectives for Sarbanes-Oxley Final Document
This document issued by the ITGI reflects the latest thinking on this increasingly global topic. Based on COBIT control objectives, the authors have designed this publication as an educational resource primarily for IT control professionals, but CIOs, IT management and assurance professionals will find the information vitally important and beneficial as well.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems (123 pages)
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information.
Baseline controls - low
Baseline controls - medium
Baseline controls - high

NSW Department of Commerce: Information Security Part 3 - Baseline Controls (70 pages)
The aim of part three of the Information Security guideline is to assist agencies in establishing a minimum set of controls to protect all or some information assets and to provide a basis for an agency wide baseline security manual.
The guideline describes the process for the selection of controls, discusses the concept of baseline security and examines the key information security control classifications, including: Organisational and management controls; Physical and environmental controls, relating to premises and equipment; Operational controls, such as electronic commerce security and network management; Technical controls, concerned with access to networks and operating systems.

Common Criteria for IT Security Evaluation (CC)
The Common Criteria defines a language for defining and evaluating information technology security systems and products. The framework provided by the Common Criteria allows government agencies and other groups to define sets of specific functional and assurance requirements, called protection profiles.

Information Security Standards

ISO 17799
ISO 17799 is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.

PCAOB Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With an Audit of Financial Statements
This standard was approved by the Securities and Exchange Commission on June 17, 2004, and is effective for audits of internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley Act of 2002.

Information Security Legislation

Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA provides the first comprehensive Federal protection for the privacy of health information.

Sarbanes-Oxley Act 2002
The Sarbanes-Oxley Act mandates a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the "Public Company Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing profession.

Gramm-Leach-Bliley Act (GLBA) 1999
The Gramm-Leach-Bliley Act includes provisions to protect consumers’ personal financial information held by financial institutions.

Copyright © 2003 - 2006 - USSecurityAwareness.org - All rights reserved - Legal Notices