NIST Draft Special Publication 800-100: Information Security Handbook: A Guide for Managers
This Information Security Handbook provides a broad overview of information security program elements
to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team
[agency heads, chief information officers (CIO), senior agency information security officers (SAISO),
and security managers] about various aspects of information security that they will be expected to
implement and oversee in their respective organizations. This handbook summarizes and augments a number
of existing National Institute of Standards and Technology (NIST) standard and guidance documents and
provides additional information on related topics.
RFC 2196 - Site Security Handbook
This handbook is a guide to developing computer security policies
and procedures for sites that have systems on the Internet. The
purpose of this handbook is to provide practical guidance to administrators
trying to secure their information and services. The subjects
covered include policy content and formation, a broad range of
technical system and network security topics, and security incident
20 Critical Internet Security Vulnerabilities
The SANS Top 20 is a list of the Internet security vulnerabilities
that are most commonly exploited by hackers. The list defines
an absolute minimum level of security protection for computers
that may be connected to networks. Hundreds of automated attack
programs take advantage of these vulnerabilities, so their elimination
is essential as a first line of defense to protect the privacy
of information stored on systems and to avoid having systems taken
over and used in attacks on other victims.
SANS S.C.O.R.E.
SCORE is a cooperative effort between SANS/GIAC and the Center
for Internet Security (CIS). SCORE is a community of security professionals
from a wide range of organizations and backgrounds working to
develop consensus regarding minimum standards and best practice
information, essentially acting as the research engine for CIS.
After consensus is reached and best practice recommendations are
validated, they may be formalized by CIS as best practice and
minimum standards benchmarks for general use by industry at large.
IATRP - INFOSEC Assurance Capability Maturity Model (IA-CMM)
Use of the NSA IA-CMM increases an organization's capability
to provide ongoing support and confidence that its technical work
force is performing according to an established and mature INFOSEC
Assurance process. The goal is to gain relative assurance that
the INFOSEC Assurance process is consistent and repeatable over
Top Ten Web Application Security Vulnerabilities
The OWASP Top Ten is becoming the de facto standard for web application
security. The U.S. Federal Trade Commission strongly recommends
that all companies use the OWASP Top Ten and ensure that their
partners do the same. In addition, the U.S. Defense Information
Systems Agency has listed the OWASP Top Ten as key best practices
that should be used as part of the DOD Information Technology
Security Certification and Accreditation (C&A) Process (DITSCAP).
Guide to Building Secure Web Applications
The original OWASP Guide to Building Secure Web Applications has
become a staple diet for many web security professionals. Over
the last 24 months the initial version has now been downloaded
over 2 million times. The Guide forms the basis for corporate
web security policies for several Fortune 500 companies and is
used in service offerings from many security consulting companies.
The Guide is aimed at architects, developers, consultants and
auditors and is a comprehensive manual for designing, developing
and deploying secure web applications.
Information Infrastructure Protection Handbook - CRN Publications
The overall purpose of the International CIIP Handbook 2004 is
to provide an overview of CII protection practices in several
countries. The book investigates two main questions: 1) What national
approaches are there to CIIP? and 2) What methods and models are
used in the countries surveyed in order to analyze and evaluate
various aspects of CII? The handbook’s target group consists
mainly of security policy analysts, researchers, and practitioners.
The handbook can be used either as a reference work for a quick
overview of the state of the art in CIIP policy formulation and
CIIP methods and models or as a starting point for in-depth research.
Information Security: Risks vs. Cost - CyberGuard
Whether your organization is large or small, a thorough, detailed
information security plan should be part of your security formula.
This article provides some useful information on implementing
a viable plan that not only complies with government regulations,
but also eliminates costly threats.
ISSA: Generally Accepted Information Security Principles (GAISP) (60 pages)
GAISP’s goal is to collect information security principles that have been proven in practice and accepted
by practitioners, and to document those principles in a single repository – hence the name, Generally
Accepted Information Security Principles. GAISP draws upon established security guidance and standards
to create comprehensive, objective guidance for information security professionals, organizations,
governments, and users.
Information Assurance Technical Framework (IATF)
The IATF provides defense-in-depth architectural guidance. It was developed to help a broad audience of
users both define and understand their technical needs as well as to select approaches to meet those needs.
The objectives of the IATF include raising the awareness of information assurance (IA) technologies,
presenting the IA needs of information system (IS) users, providing guidance for solving IA issues, and
highlighting gaps between current IA capabilities and needs.
A Survey of Techniques for Security Architecture Analysis
This technical report is a survey of existing techniques which could potentially be used in the analysis
of security architectures. The report has been structured to section the analysis process over three broad
phases: the capture of a specific architecture in a suitable representation, discovering attacks on the
captured architecture, and then assessing and comparing different security architectures. Each technique
presented in this report has been recognised as being potentially useful for one phase of the analysis.
Information Security Control Frameworks
ISACA - COBIT IT Standard for IT Security and
COBIT has been developed as a generally applicable and accepted standard for good Information Technology
(IT) security and control practices that provides a reference framework for management, users, and IS
audit, control and security practitioners.
ISACA - IT Control Objectives for Sarbanes-Oxley Final Document
This document issued by the ITGI reflects the latest thinking on this increasingly global topic. Based on
COBIT control objectives, the authors have designed this publication as an educational resource primarily
for IT control professionals, but CIOs, IT management and assurance professionals will find the information
vitally important and beneficial as well.
NSW Department of Commerce: Information Security Part 3 - Baseline Controls (70 pages)
The aim of part three of the Information Security guideline is to assist agencies in establishing a
minimum set of controls to protect all or some information assets and to provide a basis for an agency
wide baseline security manual.
The guideline describes the process for the selection of controls, discusses the concept of baseline
security and examines the key information security control classifications, including: organisational
and management controls; physical and environmental controls, relating to premises and equipment;
operational controls, such as electronic commerce security and network management; and technical
controls, concerned with access to networks and operating systems.
Common Criteria for IT Security Evaluation (CC)
The Common Criteria defines a language for specifying and evaluating the security of information technology
systems and products. The framework provided by the Common Criteria allows government agencies and other
groups to define sets of specific functional and assurance requirements, called protection profiles.
Information Security Standards
ISO 17799
ISO 17799 is intended to serve as a single reference point for identifying the range of controls
needed for most situations where information systems are used in industry and commerce, and to be
used by large, medium and small organizations.
The Sarbanes-Oxley Act mandates a number of reforms to enhance
corporate responsibility, enhance financial disclosures and combat
corporate and accounting fraud, and created the "Public Company
Accounting Oversight Board," also known as the PCAOB, to
oversee the activities of the auditing profession.