AuditNet®
Dan's Security Management Resources
AuditNet Information Security page for more security resources
Leading Web Sites Supporting Security Management
____________________________________________
1. ISSA -- Information Systems Security Association
2. COAST -- Computer Operations, Audit and Security Technology
3. CERT -- Computer Emergency Response Team
4. CSI -- Computer Security Institute
5. ICSA -- International Computer Security Association (formerly NCSA)
6. NIST -- National Institute of Standards and Technology
____________________________________________________
Three Security related articles:
____________________________________________________
1. Ask the Auditor: Who is Responsible for Information Security?
2. Auditing Information Security
3. Auditing System Conversions
MY TOP 10 LIST - (Information Security Resources).
_______________________________________________________
1. The Computer Emergency Response Team (CERT) program has developed
extensive guidance regarding information security, security
management, security governance, and the assessment of risk. CERT is
part of the Software Engineering Institute (SEI), a federally funded
research and development center at Carnegie
Mellon University. Some of its most interesting resources explore:
- Evaluation of security risks, practices, insider threats
- Development of a computer security incident response team
- Governing for Enterprise Security (PDF) (HTML version)
- The "Build Security In" initiative
2. The Corporate Information Security Working Group (CISWG) has
produced guidance on the development of information security metrics
and created a definitive summary of information security management
references. CISWG is a program formed by Adam H. Putnam, chairman of
the Subcommittee on Technology, Information Policy, Intergovernmental
Relations & the Census of the Government Reform Committee, of the U.S.
House of Representatives. Its publications include:
________________________________________________________
IT Operations
_____________
The Visible Ops handbook
http://www.itpi.org/visibleops
Change and Patch Management Controls: Critical for Organizational Success
www.theiia.org/technology
What's Good for Security is Good for Operations: Why Change Auditing
is Key to Operational Stability www.tripwire.com/solutions
________________________________________________________
Security
________
Governing for Enterprise Security
www.cert.org/governance/ges.html
Series of three IIA security guidance reports completed for CIAO
a) Information Security Management and Assurance: A Call to Action
for Corporate Governance
b) Information Security Governance: What Directors Need to Know
c) Building, Managing, and Auditing Information Security
www.theiia.org/index.cfm?doc_id=3061
Auditing Information Security
infosecuritymag.techtarget.com/articles/october00/features3.shtml
SANS "What Works" Repository -
http://www.sans.org/whatworks/
International Systems Security Engineering Association (ISSEA)
http://www.ISSEA.org
CISSP Study Web Site
www.cccure.org
IT
___
The Institute of Internal Auditors technology guidance
The IT Process Institute (ITPI)
http://www.itpi.org/home/default.php
The Carnegie Mellon Software Engineering Institute (SEI)
www.sei.cmu.edu/
ITIL (the IT Infrastructure Library)
http://www.itil.co.uk/
Tripwire
http://www.tripwire.com/
SANS Reading Room
http://www.sans.org/rr/
OGC's Successful Delivery Toolkit
http://www.ogc.gov.uk/sdtoolkit/
Forrester
http://www.forrester.com/
U.S. General Accountability Office (GAO)
www.gao.gov/special.pubs/cit.html
What is your weakest link?
______________________________________________
- Have you reviewed your physical security efforts lately?
- Are You Measuring Facility Protection Efforts?
- Is your weakest link going to bring your organization down?
- (Always remember: the bad guys don't "get you" by coming at you through your "strengths".)
- What kind of risk assessments have you done in the past 3 months?
______________________________________________________________________
What are your weakest links and do you have plans to address them?
______________________________________________________________________
1. A physical security audit program by Gord Smith.
Proximity, Perimeter and Physical Security Audit Guide
2. Homeland Security: Guidance and Standards Are Needed for Measuring
the Effectiveness of Agencies' Facility Protection Efforts (GAO-06-612,
May 31).
http://www.gao.gov/cgi-bin/getrpt?GAO-06-612
a) 1 page summary (i.e. the highlights).
