Leading Security Related Resources
__________________________________________
Information Security The ISF Standard of Good Practice for Information Security
The ISF standard is designed to help any organization, irrespective of market sector, size or structure, keep the business risks associated with its information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organization. http://www.isfsecuritystandard.com/index_ie.htm
CERT® Coordination Center (CERT/CC)
The CERT Coordination Center (CERT/CC), arguably the most widely known group within the CERT Program, addresses risks at the software and system level. Although it was established as an incident response team, the CERT/CC has evolved beyond that, focusing instead on identifying and addressing existing and potential threats, notifying system administrators and other technical personnel of these threats, and coordinating with vendors and incident response teams world wide to address the threats. http://www.cert.org/certcc.html Information Security Handbook: A Guide for Managers. NIST has published a new information security handbook which should be “required reading” for pretty well most everyone involved with IT and/or IT Security although some people can certainly skim many of the sections in this 176 page document.
http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf Assessing your legal vulnerabilities Businesses face legal risks related to disruptions and disasters: how can these be addressed? By Jay N. Rosenblatt, a business lawyer at the law firm Simpson Wigle LLP. http://www.continuitycentral.com/feature0443.htm CERT® Insider Threat Research
The CERT insider threat research focuses on both technical and behavioral aspects of actual compromises. They produce models, reports, training, and tools to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization. http://www.cert.org/insider_threat/ Secure Coding: Principles & Practices
Welcome to the on-line home of Secure Coding: Principles and Practices (O'Reilly, 2003). They provide information about the book and its authors; updated versions of links and tables that appear in the book; and also original supplemental material like op/ed pieces and vulnerability analyses. It's all offered in the spirit of helping us build strong and light "virtual bridges" in the years to come. http://www.securecoding.org/
The Information Systems Security Association (ISSA)
ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals.
http://www.issa.org/
FREE Trade Magazine Subscriptions and Technical Document Downloads
Browse through this extensive list of trade publications and technical documents by industry and geographic eligibility to find the titles that best match your skills and interests. Simply complete the application form and submit it. Publications are absolutely free to professionals who qualify (this service is provided by ISSA).
http://issa.tradepub.com/
The Open Web Application Security Project (OWASP)
OWASP is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Their open source projects and local chapters produce free, unbiased, open-source documentation, tools, and standards. The OWASP community also facilitates papers, conferences, local chapters, presentations, and mailing lists. If you're new to application security, try their “getting started guide”.
http://www.owasp.org/index.php/Main_Page
How to become an information security professional
Many years ago, while directing IT operations for a small company on the West Coast, I became aware that our network security was particularly weak. The company was growing at a rapid pace, IT was understaffed, the network was at capacity in a number of ways, and the demands were brutal both in terms of time and technology needs. While I didn't mind the long hours, I did mind that I didn't feel "up to snuff" in terms of selecting technologies that would enable us to expand the network and secure it. I had responsibility for IT and security, but I felt that there were holes in my knowledge. I wanted to fix that. So began my quest to become an information security professional.
http://www.itmanagersjournal.com/article.pl?sid=05/11/15/2027247 Cyberwar - A Threat to Business By Gideon T. Rasmussen, CISSP, CISA, CISM, IAM The threat of cyberwarfare is different from common Internet threats and most organizations are not adequately prepared for it. Corporate defenses typically concentrate on protecting data from theft or alteration. Cyberwarfare also seeks to disrupt critical infrastructure and services. That brings availability, resiliency and incident response into the mix. Expect malicious attacks by determined hackers. They will be well trained and have ample resources. http://www.gideonrasmussen.com/article-14.html The Information Warfare Site (IWS)
IWS is an online resource that aims to stimulate debate about a range of subjects from information security to information operations and e-commerce. It is the aim of the site to develop a special emphasis on offensive and defensive information operations. IWS first went online in December 1999. Since its launch it has undergone a complete redesign and many key texts have been added. In adherence to its founding principles IWS has developed several mailing lists to enable a more interactive debate. http://www.iwar.org.uk/index.htm The Defense-in-Depth Foundational Curriculum handbook discusses information assurance issues and how to address these at both organizational and technical levels. The handbook is written for students ranging from system administrators to CIOs who have some technical understanding of information systems.
http://www.cert. org/archive/ pdf/Defense_ in_Depth092106. pdf
Practices for Securing Critical Information Assets.
A landmark security report – truly a classic. While written before September 11th it remains valid. http://www.ncinfragard.org/pdf/Practices_For_Securing_Critical_Information_Assets.pdf IT Control Objectives for Basel II The exposure draft (ED) of IT Control Objectives for Basel II was released 16 May 2007 on the ISACA and ITGI websites http://www.isaca.org and http://www.itgi.org. It provides a framework for managing information risk in the context of Basel II. In applying this framework, financial services organizations are able to apply recognized processes and controls to the information technology space. The IT control objectives and management processes outlined in it address the role of information technology in operational risk, and the resulting tasks for IT practitioners, internal IT auditors, IT risk managers and information security officers.
http://www.itgi.org/
The Information Security Management Maturity Model (ISM3) The Information Security Management Maturity Model (ISM3, or ISM-cubed) extends ISO9001 quality management principles to information security management (ISM) systems. Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations. Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available.
http://www.ism3.com/
Gary Hinson's web site has a variety of excellent resources
a. For ISO 27000, he maintains a comprehensive page of links at - http://www.iso27001.security.com/html/links.html and b. For IT governance, check out http://www.noticebored.com/html/governance.html The National Strategy to Secure Cyberspace The National Strategy to Secure Cyberspace is part of our overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused
effort from our entire society, the federal government, state and local governments, the private sector, and the American people.
http://www.whitehouse.gov/pcipb/
Risk Assessment and BS7799-3
It's been a busy time for information security professionals, & it's not over yet. ISO 17799 (http://www.itgovernance.co.uk/products/31) has been comprehensively updated, ISO 27001 (http://www.itgovernance.co.uk/products/33) has replaced BS 7799-2:2002 (save £40, buy the two standards together - http://www.itgovernance.co.uk/products/32), and BS7799-3
(http://www.itgovernance.co.uk/products/162) will be published in December. The risk assessment is at the heart of any information security management system, and the new BS7799-3:2005 expands on the risk assessment guidance given in ISO 27001. This is a standard you can't afford to be without - pre-order your copy
(http://www.itgovernance.co.uk/products/162) today for immediate delivery The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library.
The mission of NIST's Computer Security Division is to improve information systems security by:
- Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
- Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
- Developing standards, metrics, tests and validation programs:
- to promote, measure, and validate security in systems and services
- to educate consumers and
- to establish minimum security requirements for Federal systems
- Developing guidance to increase secure IT planning, implementation, management and operation.
http://csrc.nist.gov/ http://csrc.nist.gov/sec-cert/ca-library.html
Information technology governance - From Wikipedia, (the free encyclopedia)
Information technology governance, IT governance or ICT Governance, is a subset discipline of Corporate governance focused on information technology systems and their performance and risk management. The rising
interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley ( USA ) and Basel II ( Europe )), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization. http://en.wikipedia.org/wiki/Information_technology_governance CSO and CSOonline.com are published by CXO Media Inc., which is an IDG (International Data Group) company. http://www.csoonline.com/
Customer Privacy Microsoft releases guidelines for customer privacy A 49-page document previously kept internally by Microsoft was released at an international privacy professionals' conference in Toronto . The company hopes its Privacy Guidelines for Developing Software Products and Services will spur further industry discussion on the subject. http://cwflyris.computerworld.com/t/935278/21700429/37981/2/
"Secure, Defend and Transform: The Complete E-Business Legal Strategy" by PriceWaterhouseCoopers.
http://www.pwcglobal.com/lu/eng/ins-sol/publ/pwc_legal.pdf
The SANS (SysAdmin, Audit, Network, Security) Institute SANS is one of the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system – (Internet Storm Center). http://www.sans.org/
Welcome to U.S. Security Awareness!
This site is dedicated to increasing security awareness among the general population and the technology community. The Basic Security section is focused to the average person. The Advanced Security section will be of interest to technologists, senior management and legislators. http://www.ussecurityawareness.org/ A web site devoted to Technology Law . http://www.ecomputerlaw.com/articles/listing.php An EComputerLaw newsletter. www.EComputerLaw.com
Auditor Answers: Maintaining Compliance in Home Offices.
Out of sight can’t mean out of mind, when it comes to upholding policies and procedures in the home offices of your workers. What should companies do to maintain compliance standards across a distributed workforce? http://www.itcinstitute.com/display.aspx? ID=2253 Insider Threat Group - Yahoo Groups
The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed by authorized personnel. Those interested in learning more about insider threat will benefit from the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic. http://groups.yahoo.com/group/insider-threat Australian Government Information and Communications Technology Security Manual The Australian Government Information and Communications Technology Security Manual (also known as ACSI 33) has been developed by the Defense Signals Directorate (DSD) to provide policies and guidance to Australian Government agencies on how to protect their ICT systems. http://www.dsd.gov.au/library/infosec/acsi33.html
More Information Security Practices Build Security In (BSI) As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems. https://buildsecurityin.us-cert.gov/daisy/bsi/home.html CERT®'s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a
result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.
http://www.cert.org/resiliency_engineering/ The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help Organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors. The practical CIS Benchmarks support available high level standards that deal with the "Why, Who,
When, and Where" aspects of IT security by detailing "How" to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology specific controls. CIS Scoring Tools analyze and report system compliance with the technical control settings in the Benchmarks. The CIS Benchmarks and Scoring Tools are available for download free of charge. http://www.cisecurity.org/index.html Process Agnostic Navigational View The process agnostic approach incorporates security into each basic phase of software development. The best practices and methods described are applicable to any and all development approaches as long as they result in the creation of software artifacts. https://buildsecurityin.us-cert.gov/daisy/bsi/438.html
Governing for Enterprise Security Implementation Guide
This guidance is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
· Article 1: Characteristics of Effective Security Governance (pdf) · Article 2: Defining an Effective Enterprise Security Program (ESP) (pdf)
· Article 3: Enterprise Security Governance Activities (pdf)
GAO Executive Guide: Information Security Management: Learning From Leading Organizations. A high priority of the CIO Council is to ensure the implementation of security practices within the Federal government that gain public confidence and protect government services, privacy, and sensitive and national security information. This Executive Guide, "Information Security Management, Learning From Leading Organizations," clearly illustrates how leading organizations are successfully addressing the challenges of fulfilling that goal. These organizations establish a central management focal point, promote awareness, link policies to business risks, and develop practical risk assessment procedures that link security to business needs. This latter point--the need to
link security to business requirements--is particularly important, and is illustrated in a statement of a security manager quoted in the guide: "Because every control has some cost associated with it, every control needs a business reason to be put in place." http://www.gao.gov/special.pubs/cit.html (Its the 3rd item in the GAO list of papers) A Few Good Metrics Information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements—and effective ways to present them. http://www.csoonline.com/read/070105/metrics.html The Center for Education and Research in Information Assurance and Security The Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world's leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. http://www.cerias.purdue.edu/
ISO27001 in North America
ISO27001 is the new, international standard of information security best practice. With its origins in ISO17799 and BS7799, ISO27001 is providing comprehensive best-practice advice and guidance to private and public sector organizations around the world on how to design and implement an effective information security management system ('ISMS'). On this site, you can find out how an ISO27001 ISMS can help organizations meet their commercial and business needs for cost-effective information security while at the same meeting their information- related regulatory compliance objectives and positioning them for new and emerging regulations.
http://www.27001.com/default.aspx The Defense-in-Depth Foundational Curriculum handbook discusses information assurance issues and how to address these at both organizational and technical levels. The handbook is written for students ranging from system administrators to CIOs who have some technical understanding of information systems.
http://www.cert.org/archive/pdf/Defense_ in_Depth092106.pdf Guide 6: Managing and Auditing IT Vulnerabilities
The IIA has released its sixth guide in its Global Technology Audit Guide (GTAG®) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts. http://www.theiia.org/guidance/technology/gtag/gtag6/
Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
By Sheila Frankel, Bernard Eydt, Les Owens, and Karen Scarfone,
NIST Special Publication 800-97
http://csrc. nist.gov/ publications/ nistpubs/ 800-97/SP800- 97.pdf Security Awareness Program Development Guidance
This guidance material includes a white paper Key Considerations for Developing Effective Information and Training Programs that outlines how to successfully and effectively address an information security awareness and training program. Included is an accompanying information security awareness presentation titled The Role of Information Security in Everyday Business. This presentation provides content that can be leveraged for effective security awareness presentations to organizations’ entire workforces, and also can be used to serve as an official launch of the information security awareness and training program in your organization. Also included is an End User Security Awareness presentation
template and video, providing material to help articulate what is involved with building an information security awareness and training program to your management and peers within your company. http://www.microsoft.com/technet/security/understanding/awareness.mspx Auditing security using the PCI standard and related guidance - (Because personal information must be protected) We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist. http://www.auditnet.org/articles/DSIA200704.htm SANS Top-20 Internet Security Attack Targets (2006 Annual Update) http://www.sans.org/top20/ The (ISC)² 2007 Resource Guide for Today's Information Security Professional - Global Edition - provides the latest resources in educational references, year-long events listings and leading industry sponsors all in one handy downloadable reference guide. https://www.isc2.org//cgi-bin/content.cgi?page=920 SANS Software Security Institute (SSI)
The new SANS project has six goals: 1) Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them; 2) Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier; 3) Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps; 4) Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge; 5) Provide incentive for universities to include secure coding in required
computer science, engineering, and programming courses and 6) Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.
http://www.sans-ssi.org/
The Center for Internet Security: Global Security Benchmarks for Computers Connected to the Internet - In today's world of e-business and increased networking among companies, standards that define detailed, technical security specifications for computers connected to the Internet are vital to the security of every organization's mission-critical information.
http://www.isaca.org/template.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=3515
Security Configuration Checklists Program for IT Products A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures for configuring an IT product to a baseline level of security. http://checklists.nist.gov/index.html PCI compliance after the TJX data breach The recent TJX Companies Inc. data breach refocused attention on credit card security, retailers and the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is to the credit card industry what Sarbanes-Oxley (SOX) has been to publicly held companies. It's pushing them to comply with the PCI Security Standards Council guidelines, the most recent of which was drafted in September 2006. It forces card issuers and processors to invest in the necessary compliance technology and training or face crippling consequences. Those who don't can be heavily fined or barred from issuing or accepting cards from
any council members. And, because the council consists of a consortium of five powerful card companies -- Visa, MasterCard, American Express, Discover and JCB -- not complying can effectively ban a bank from issuing cards or a merchant from accepting them.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1245717,00.html?track=NL-430&ad=581054&asrc=EM_NLT_1088715
- 54 specific checklist items to help assess your audit readiness
- Recommendations for avoiding common PCI compliance failures
- Pointers on audit planning, preparation, testing, and reporting
- Clarification on what auditors want (and don't want) to see
http://www.itcinstitute.com/display.aspx?id=2499
The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed to advance security engineering as a defined, mature, and measurable discipline. It describes the characteristics essential to the success of an organization's security engineering process, and is applicable to all security engineering organizations including government, commercial, and academic. http://www.issea.org/sse_cmm.asp The International Systems Security Engineering Association (ISSEA)
Established in 1999, the ISSEA is a non-profit professional organization dedicated to the adoption of systems security engineering as a defined and measurable discipline.
http://www.issea.org/
CCCure.Org
The CISSP, SSCP, CISM, CISA, ISSPCS, and SANS GIAC GCFW Open Study Guides web site is dedicated to helping people in achieving their goal of becoming a CISSP, SSCP, CISM, CISA, ISSPCS, or GCFW. Over the years it has become a vast container of resources that can assist you in mastering the domains of the specific Common Body of Knowledge related to each of the above certifications.
http://www.cccure.org/
Switch security Properly configured, switches can add another layer of security to your network. This article provides best practices configurations that should be considered for any organization. The tips within can help isolate systems from hackers, prevent the spread of zero day viruses and prevent unauthorized systems from connecting to your network.
http://isc.sans.org/diary.php?storyid=1583 The CIAO/IIA series of board level security guidance reports
The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports focusing on information security that focuses on assigning responsibilities to the board, management, and internal audit, and providing guidance to board directors.
· Information Security Management and Assurance: A Call to Action for Corporate Governance
http://www.theiia.org/download.cfm?file=22398
· Information Security Governance: What Directors Need to Know
http://www.theiia.org/download.cfm?file=7382
· Building, Managing, and Auditing Information Security
http://www.theiia.org/download.cfm?file=33288 SCORE
As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. It is a core component of DITSCAP. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format
organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Michael Kirby has developed a tool to help generate an SSP. It is available here on an as is basis, SCORE takes no responsibility for your use of the tool". Try the tool which is at - http://www.sans.org/score/ssp.php
Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA) To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24572
Digital Records Management — What Auditors Should Know
As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.
http://www.theiia.org/itaudit/index.cfm?iid=496&catid=21&aid=2388 Hammer Time: Enforcing Internal Security - by Linda L. Briggs. Having internal rules and regulations in place regarding compliance is important, as is clearly communicating them to employees. But when infractions occur, as they inevitably will, how should you deal with them? http://www.itcinstitute.com/display.aspx?id=2403 Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats.
* Providing examples of why a control is necessary.
* Citing real world compromises in presentations, etc.
http://www.efortresses.com/refdocs/2006-Breaches-Matrix.pdf
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.cybercrime.gov/cccases.html
Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately. http://www.itcinstitute.com/display.aspx?id=1823 National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) – (See below for their key initiatives) - http://csrc.nist.gov/
a) US Federal Information Processing Standard (FIPS) 200, “Minimum Security Requirements for Federal Information and Information Systems” (PDF): http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
b) NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems” (PDF): http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
c) NIST Special Publication (SP) 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems” (PDF): http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf
d) Federal Information Security Management Act (FISMA) Implementation Project: http://csrc.nist.gov/sec-cert/
Security awareness for governance, risk, compliance and business
Information security is a vital element of corporate and IT governance and risk management. It minimizes risks to valuable information assets and maximizes compliance with laws, regulations and standards such as ISO 17799/ISO 27001, HIPAA, SOX, data protection/privacy, software copyright and intellectual property protection, banking industry regulations and many more.
Secure organizations may confidently pursue new business opportunities that would be considered too risky by their insecure peers. Simply put, good security is good business.
NoticeBored helps build a genuine security culture through security awareness
http://www.noticebored.com/index.html
Twelve habits of successful IT professionals.
http://www.educause.edu/ir/library/pdf/erm0613.pdf
Schaser-Vartan Books’ new release, Say What You Do, spells out in layman’s terms the often bewildering differences between policies, procedures and standards — topics that have historically been written about in industry jargon. What sets the book apart is its candidly practical approach, focusing on creating policies that really work rather than pushing theories that break down in the real world. “Armed with this book, you should be able to lead a policy development project at your company from the ground up and from the top down without losing your mind,” says co-author and attorney Marcelo Halpern.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070417005246&newsLang=en Boardroom Briefing: Business Continuity and Disaster Recovery
Support your crisis management preparations (as something will happen).
Boardroom Briefing: Business Continuity and Disaster Recovery
Second edition of Guide to Business Continuity Management.
This comprehensive resource guide reviews in detail numerous BCM areas and strategies, including an overview of the regulatory landscape, risk assessment and business impact analysis, program design, business alignment, training, testing, maintenance, and compliance monitoring and auditing. Updates to the second edition of Guide to Business Continuity Management include a special introduction that examines two significant issues in the field of BCM: the continuing difficulties caused by devastating hurricane seasons, and the potential business disruption that an avian flu pandemic could cause. Other additions include
industry-specific questions for BCM programs in the manufacturing, retail, healthcare and telecommunications sectors. http://now.eloqua.com/es.asp?s=361&e=FADCF1F859DE4310969DEB6DFB1726D7&elq=54F37758B1AB48F98DD409D0C10064D7 How to establish an effective Computer Security Incident Response Team at: http://www.cert.org/csirts The Canadian Centre for Emergency Preparedness (CCEP)
CCEP is a not-for-profit organization based in Canada & devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP's objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.
http://www.ccep.ca/index.html What Should Your Business Continuity Efforts Focus On?
A Reader Asks: Should your business continuity program (BCP) consider the impacts of emerging threats and changing business practices, and what are the key issues involved today?
The Auditor Responds: Short answer – Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics. The long answer – http://www.itcinstitute.com/display.aspx?ID=2090
Business Continuity Planning Standards and Guidelines Regulatory compliance requirements influence many of the information security practitioner's roles and responsibilities, including the development of a business continuity plan. In this excerpt from Chapter 1: Contingency and Continuity Planning of "Business Continuity and Disaster Recovery for InfoSec Managers," John W. Rittinghouse and James F. Ransome outline the regulatory requirements that should be addressed when establishing and maintaining a business continuity plan. http://go.techtarget.com/r/458182/4842737
Business Continuity Impact Analysis
The Business Impact Analysis (BIA) is the backbone of the entire business continuity exercise or, at least, it should be if handled correctly. Even so, it cannot stand alone and without full support, approval and backing from the highest level of management, the exercise will not achieve its full potential. A well-executed BIA can make the difference between a fully developed, robust business continuity plan, and a mediocre one. http://www.sorm.state.tx.us/Risk_Management/Business_Continuity/bus_impact.php
Business Impact Analysis - http://www.vccs.edu/its/models/bia.htm
BIA Templates at CCEP - http://www.ccep.ca/ccepbcp3.html
- Project Initiation and Management
- Risk Evaluation and Control
- Business Impact Analysis
- Developing Business Continuity Strategies
- Emergency Response and Operations
- Developing Business Continuity
- Training and Awareness
- Maintaining and Exercising Business Continuity Plans
- Public Relations and Crisis Communications
- Coordination with Public
Resources regarding the “Insider Threat” issue Leading resources consolidated by Gideon – truly an excellent repository on an important issue.
http://www.theinsiderthreat.com
The National Cyber Security Alliance (NCSA) is the go-to resource for cyber security awareness and education for home user, small business, and education audiences. A public-private partnership, NCSA sponsors include the Department of Homeland Security, Federal Trade Commission, and many private-sector corporations and organizations. NCSA provides tools and resources to empower home users, small businesses, and schools, colleges, and universities to stay safe online. For more information, and to see the top eight cyber security tips, visit www.staysafeonline.org. FIRST is the global Forum for Incident Response and Security Teams. FIRST is the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents - reactive as well as proactive. FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations. FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large. http://www.first.org/
ISO17799 - The ISO 17799 & ISO 27001 Toolkit. The emergence of ISO 17799 is an extremely important development and is re-shaping approaches to information security on a global basis. The ISO 17799 Toolkit is a whole series of key documents and items brought together
http://www.first.org/newsroom/globalsecurity/59458.html Are You Learning From Project to Project?
If you're among the 99 percent of us who fail this simple test—but shouldn't—you could be in a position of weakness, to the detriment of your current and upcoming projects. http://www.nealwhittengroup.com/articles/pmn3-99.asp ChicagoFIRST is a non-profit association dedicated to addressing homeland security and emergency management issues affecting financial institutions and requiring a coordinated response and is a great place to learn what is needed today, increased private/public joint efforts.
https://www.chicagofirst.org/ The DRJ journal leads the industry by providing extensive thought leadership on BCP, DR, and Crisis Management. https://www.drj.com/account/index.php Auditing BCP and DR efforts - THE resource repository.
Various leading resources to support the auditing of BCP and DR programs. http://www.auditnet.org/drp.htm Critical Foundations: Protecting America 's Infrastructures
Final Report from the President's Commission on Critical Infrastructure Protection (PCCIP) http://permanent.access.gpo.gov/lps15260/PCCIP_Report.pdf The Neal Whitten Group specializes in leading the advancement of project management and human resource development by way of products and services of speaking, training, and writing.
http://www.nealwhittengroup.com/ Neal’s “Power Snippets” are truly priceless - http://www.nealwhittengroup.com/snippets.asp
Early Warning Signs of IT Project Failure: The Dominant Dozen.
The postmortem examination of failed IT projects reveals that long before the failure there were significant symptoms or “early warning signs.” This article describes the top 12 people-related and project-related IT project risks, based on “early warning sign” data collected from a panel of 19 experts and a survey of 55 IT project managers. http://www.ism-journal.com/ITToday/projectfailure.pdf
Are You Learning From Project to Project?
If you're among the 99 percent of us who fail this simple test—but shouldn't—you could be in a position of weakness, to the detriment of your current and upcoming projects.
http://www.nealwhittengroup.com/articles/pmn3-99.asp Information Systems Audit and Control Association (ISACA). K-NET contains over 6,000 peer-reviewed web site resources pertaining to knowledge covering IT Governance, Assurance, Security and Control. Full access to K-NET is reserved for association members. Reference items are organized into logical categories of interest and concern. Partial access is possible for non members. http://www.isaca.org/KNET FFIEC Information Technology Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function. The examination guidance and procedures in this handbook focuses on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies.
http://www.ffiec.gov/ffiecinfobase/html_pages/audit_book_frame.htm
EDPACS: The EDP Audit, Control, and Security newsletter.
For 35 years, audit and control professionals have turned to EDPACS, The EDP Audit, Control, and Security newsletter, for helpful and timely guidance.
http://www.informaworld.com/smpp/title~content=t768221793~db=all
Information Systems Security (ISS).
ISS provides essential information for managing the security of a modern, evolving enterprise. It is written for information security managers and other technical managers and staff who are the first-line support responsible for the daily, efficient operation of security policies, procedures, standards, and practices. The journal covers: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Operations Security; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance, and Investigations; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network
Security. http://www.informaworld.com/smpp/title~db=all~content=g769589197~tab=toc IT Compliance Institute (ITCi) – “IT Audit Checklist for Information Security”.
This paper, IT Audit Checklist: Information Security, supports an internal audit of the organization’s information security program with guidance on improving information security programs and processes, as well as information on assessing the robustness of your organization’s security efforts. The paper is intended to help IT, compliance, audit, and business managers prepare for an audit of information security and, ultimately, to ensure that the audit experience and results are as productive as possible.
http://www.itcinstitute.com/info.aspx?id=34985
Norwich University Journal of Information Assurance
The NUJIA was created by Norwich University to fill an essential function in the field of information assurance: to publish peer reviewed articles on the practical aspects of information assurance. The mission of the NUJIA is "to advance understanding within the information assurance field by publishing original, high-quality, practical research into the management of information assurance."
http://nujia.norwich.edu/
The Federal Government of Canada (GOC) Internal Audit Guides
Audit of Information Technology Security audit guide
http://www.tbs-sct.gc.ca/Pubs_pol/dcgpubs/tb_h4/01guid01_e.asp
Audit of Security audit guide
http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/gas-gvs/gas-gvs_e.asp
Various other GOC internal audit guides
http://www.tbs-sct.gc.ca/ia-vi/common/guides_e.asp
Management Planning Guide for Information Systems Security Auditing Produced by the National State Auditors Association and the US General Accounting Office. http://www.gao.gov/special.pubs/mgmtpln.pdf Information Technology and the Board - "An Insightful Resource". http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D152626%2C00.html What the Board Needs to Know About IT: Phase II Findings Maximizing performance through IT strategy http://www.deloitte.com/dtt/article/0,1002,sid=36692&cid=151800,00.html
Unplanned Work: The Silent Killer
Find out how unplanned work - those activities not mapped to any project, procedure or change request - is undermining the effectiveness of your IT efforts.
Information technology is a critical part of an organization's internal control and management information system. Ensuring its integrity is an important responsibility for board members. ITAC has compiled 20 key questions about IT that should be asked about: strategic planning and technology, performance and personnel issues, internal control issues, risk and security, information privacy, e-business, availability policies, and legal issue. http://www.cica.ca/index.cfm/ci_id/1000/la_id/1 Managing Change
There is no management activity more misunderstood, abused and ignored than the act of implementing Change. Some have even suggested that the phrase "Change Management" is an oxymoron. The articles available below have a single purpose, to transform the act of Managing Change from something we dread, to something we approach with skill, insight, wisdom and an increased chance of success.
http://www.technobility.com/docs/menu-managing-change.htm ISO 27001 CERTIFICATION GUIDES LAUNCHED
IT Governance Ltd has launched the world’s first practical guides to help company directors and IT project managers understand and achieve certification to ISO 27001, the newly published global certification standard for information security management (replaces BS7799 and complements ISO 17799). In the modern corporate governance climate, ISO 27001 certification will increasingly become a prerequisite for winning new business, thereby accelerating the transfer of IT security issues from the data room to the boardroom. http://www.itgovernance.co.uk/news_detail.aspx?news_id=25
What the Board Needs to Know About IT (The board’s role in leveraging technology as a strategic resource)
In 2006, Deloitte Consulting LLP began a research initiative to explore how boards of directors are approaching information technology (IT). Phase I of this research represents the findings of more than 30 interviews with directors and senior executives. The findings from the Phase I interviews have been captured in the point of view: "What the Board Needs to Know About IT: The Board's Role in Leveraging Technology as a
Strategic Resource."
You can also download "Bringing IT Into the Boardroom," which appeared as a supplement to the Fall 2006 issue of Corporate Board Member magazine. Finally, you can learn about the upcoming Phase II research results on the topic of the board and IT by downloading a preview of the survey results, entitled: “Big Conundrum: Phase II Preliminary Findings.”
For more info on the Deloitte initiative, all the above mentioned documents, and “more”, visit: http://www.deloitte.com/dtt/article/0,1002,sid%3D26562%26cid%3D132853,00.html CERT Launches Podcast Series
The CERT® Program is pleased to announce the launch of its first podcast series, "Security for Business Leaders," available at http://www.cert.org/podcast. The series will provide both general principles and specific starting points for business leaders who want to launch enterprise-wide security efforts, or who want to ensure that their organizations' existing security program is as effective as possible. New podcasts will be available every two weeks.
The newest podcast features Rich Pethia, Director of the CERT Program. Other podcast topics include "Why Leaders Should Care about Security," "The ROI of Security," "Proactive Remedies for Rising Threat," and "Compliance vs. Buy-in." Podcasters can listen to entire conversations, download PDF transcripts, and investigate additional references in show notes.
"Security for Business Leaders" is the first podcast series for the SEI. Information Security Oversight: Essential Board Practices, from the National Association of Corporate Directors (NACD). Learn four steps each board should adopt to avoid the hazards of leaving information inadequately protected from cyber criminals. Review the questions each board should ask to determine inherent risks. Discover the potential liabilities and other woes that might befall corporate boards and management who show too little involvement in safeguarding the security and privacy of corporate-held information. Lessons include identifying vulnerabilities, mitigating damages, establishing controls, educating officers and employees, and resolving issues. Sponsored by KPMG's Audit Committee Institute and published in collaboration with the Institute of Internal Auditors and the Critical Infrastructure Assurance Office of the U.S. Department of Commerce. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=D0888270C5AF46508BEC8472906F87C3 The Language of Compliance
The Language of Compliance is the biggest (3,500+ entries) resource for acronyms, terms, and extended definitions. Authored by Dorian Cougias and Marcelo Halpern it covers the terms found in HIPAA, SOX, GLB, CobiT, ISO 17799 and 27001, BCI, BSI, ISSF, and over 100 other regulatory bodies and standards agencies. http://glossary.unifiedcompliance.com/buy_now/the_language_of_compliance.html Unified Compliance Project (UCP) ITCi's Unified Compliance Project (UCP) is an independent initiative focused on supporting IT compliance management. The UCP parses and reconstructs complex corporate regulations into a holistic IT compliance view.
The U.S. Government Accountability Office (the GAO) The Government Accountability Office (GAO) is an agency that works for Congress and the American people. Congress asks GAO to study the programs and expenditures of the federal government. GAO, commonly called the investigative arm of Congress or the congressional watchdog, is independent and nonpartisan. It studies how the federal government spends taxpayer dollars and advises Congress and the heads of executive agencies about ways to make government more effective and responsive.
www.gao.gov Leading best practice guidance on various management practices - http://www.gao.gov/aac.html
Leading IT and IM guidance - http://www.gao.gov/special.pubs/cit.html Global Technology Audit Guide (GTAG)
The Institute of Internal Auditors (The IIA) is producing a series of publications with guidance on information technology. Written primarily for the chief internal audit executive (CAE) and audit supervisors, the guides address concerns of the board of directors and chief-level executives. Each Global Technology Audit Guide (GTAG) is written in straightforward business language to address timely issues related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.
http://www.theiia.org/guidance/technology/gtag/
Avoiding IS Icebergs This article explores the audit's assurance role regarding information security and outlines approaches and methodologies. The article is targeted to the beginner infosec professional, though more experienced practitioners will also find it useful as an update on what's available and in use today. http://infosecuritymag.techtarget.com/articles/october00/features3.shtml Information technology governance - From Wikipedia, (the free encyclopedia) Information technology governance, IT governance or ICT Governance, is a subset discipline of Corporate governance focused on information technology systems and their performance and risk management. The rising
interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley ( USA ) and Basel II ( Europe )), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization. http://en.wikipedia.org/wiki/Information_technology_governance Internet & Computer Ethics for Kids (and Their Parents & Teachers Who Haven't Got a Clue)" written by Winn Schwartau. This important book (for keeping your kids safe) is at:
http://www.thesecurityawarenesscompany.com/chez/chez.php
Insider Risk Management Guide
The threat posed by authorized personnel is well documented by research and court cases. According to ACFE , U.S. organizations loose an estimated $652 billion to fraud annually.
Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time. http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1213354,00.html Top Reasons for PCI Audit Failure and How to Avoid Them Today's Payment Card Industry Data Security Standard (PCI DSS) remains as one of the preeminent achievements in the information security industry. However, many merchants and service providers are struggling with the increased complexity associated with the PCI Data Security Standard. Download this white paper and discover:
- Top reasons for PCI audit failure and how to avoid them
- Future considerations for PCI standards
- How to improve security awareness within your organization
- Practical tips for overcoming PCI audits and more
http://go.techtarget.com/r/979467/4842737
Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. A long-overdue wake up call for the information security community (by Noam Eppel). http://www.securityabsurdity.com/failure.php Editor’s comment: There are many experts that disagree with the conclusions of the above article.
The British Columbia provincial information security policy (its their security handbook). The B.C. provincial government has issued a first draft of their information security policy and welcomes any and all comments and suggestions (to improve it). http://www.cio.gov.bc.ca/prgs/ManualInformationSecurityPolicyV1.pdf
IT Compliance Institute (ITCi) – “IT Audit Checklist for Risk Management”.
Are you prepared for your next risk management audit? Know what to expect. Note – a brief registration is required (to download the free white paper). http://www.itcinstitute.com/display.aspx?id=2499 Keeping Up Your SOX Compliance and Turning IT into a High Performer by Improving Change Control. Study the extensive benefits of establishing a robust change management and change auditing practices including the latest research by ITPI (IT Process Institute).
http://www.tripwire.com/resources/asset_request.cfm?aid=2184
Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs
http://csrc.nist.gov/sec-cert/rmf-sz.pdf Other NIST white papers - csrc.nist.gov/sec-cert/ca-library.html#fisma-white-paper The Risk Management and Governance (RMG) Board develops practical, easy-to-read documents about governance issues. A review of all the publications is regularly conducted to ensure that they remain current and relevant.
http://www.rmgb.ca/index.cfm/ci_id/243/la_id/1.htm Information Technology Outsourcing - This paper presents a perspective on the matters that an organization addresses when considering IT outsourcing as an option. It is intended to provide topics for the consideration of business managers and auditors when they make or examine outsourcing decisions. http://www.cica.ca/multimedia/Download_Library/Research_Guidance/IT_Advisory_Committee/English/eIToutsourcing0204.pdf 20 Questions Directors Should Ask About Information Technology Outsourcing http://www.rmgb.ca/index.cfm/ci_id/3083/la_id/1.htm The #1 Reason Why Project Managers Fail: TOO SOFT!
Various examples of project manager actions (or inactions) that are indicative of too-soft behavior are presented. http://www.nealwhittengroup.com/power/sn_ts.htm
PMI’s Library for the Project Management Profession
Located within PMI’s Global Operations Center ( Newtown Square, Pennsylvania , USA ), the Knowledge & Wisdom Center (K&WC) is PMI’s hub for literature and information sources in the field of project management. The K&WC is committed to helping advance project management practice and scholarship by cataloging PMI-published literature, managing PMI’s ever-expanding electronic literature collection, administering the K&WC’s Knowledgebase, and providing information retrieval assistance.
http://www.pmi.org/info/PIR_KWCOverview.asp?nav=0603
Neal Whitten’s No-Nonsense Advice for Successful Projects
Successful projects don't just happen—they are made to happen. This book goes beyond the basics of project management and reveals leading-edge best practices that make all the difference between leading consistently successful projects and playing the victim with troubled projects. http://www.nealwhittengroup.com/ Auditing System Conversions Internal auditors play a valuable role in ensuring that IT investments are well-managed and have a positive impact on an organization. Their assurance role supports senior management, the audit committee, the board of directors, and other stakeholders. Internal auditors need to take a risk-based approach in planning their many activities on IT project audits. With limited audit resources, auditors must focus on the highest-risk project areas, while adding value to the organization. Audit best practices suggest internal auditors should be involved throughout a project's life cycle — not just in post-implementation assessments. http://www.theiia.org/ITAudit/index.cfm?act=itaudit.archive&fid=5495 Early Warning Signs of IT Project Failure: The Dominant Dozen. The postmortem examination of failed IT projects reveals that long before the failure there were significant symptoms or “early warning signs.” This article describes the top 12 people-related and project-related IT project risks, based on “early warning sign” data collected from a panel of 19 experts and a survey of 55 IT project managers. http://www.ism-journal.com/ITToday/projectfailure.pdf Neal Whitten’s Let’s Talk! More No-Nonsense Advice for Project Success In a Q&A format, this book focuses on best-practice project behaviors, answering more than 700 insightful, personal, and sometimes sensitive questions on a broad range of topics, from leadership, communication and culture to accountability, ethics and conflict resolution. http://www.nealwhittengroup.com/pubs.asp Project Management “Reference” Summary (PDF). This reference summary started as an advanced project management college course (project) in the mid 90’s. George has continued to expand and refine the document over the years and it is available free of charge (to help enhance the practice of project management world wide). http://www.theiia.org/iia/download.cfm?file=1326 IT Today.
A monthly IT focused newsletter produced by Auerbach.
http://www.auerbach-publications.com/it_today/default.asp
The IT Process Improvement Institute
The IT Process Institute (ITPI) is an independent research organization that exists to support the professional communities of IT audit, security, and operations professionals. They are dedicated to working with IT leaders to advance the science of IT management. The IT Process Institute has created a unique three-part methodology designed to create and share results-oriented prescriptive guidance with our members including: 1) Research - study top performers and identify the causal link between behavior and results; 2)
Benchmarking - create tools that compare individual organizations to top performers; and 3) Prescriptive Guidance - share content written to help IT organizations become top performers. Their latest benchmarking study results are also truly “insightful” – go to the second link for free access to the “Executive Overview”.
http://www.itpi.org/home/default.php and http://www.itpi.org/home/wp_reg.php
Auditing IT Initiatives - Because an IT Project Failure is NOT An Option.
Key questions to consider:
- Does the proposed IT solution work & will it meet the needs of the organization?
- Does the security aspect of the IT solution work?
- Will the privacy of the organization’s information be maintained?
- Will the staff know how to perform “productively” and accurately?
- Have we done everything necessary to be prepared?
- Are we ready to implement and how do you know it'll work?
http://www.auditnet.org/articles/DSIA200702.htm The Visible Ops Handbook Visible Ops: Starting ITIL in four practical and auditable steps – is getting rave reviews. If you need practical guidance on how to jumpstart ITIL or IT control projects – this book is for you. Get control of your infrastructure; increase security, auditability, and service levels; decrease costs. http://www.itpi.org/home/visibleops2.php Aligning COBIT, ITIL and ISO 17799 for Business Benefit http://www.isaca.org/Template.cfm?Section=Downloads3&CONTENTID=22490&TEMPLATE=/ContentManagement/ContentDisplay.cfm ITGI Issues Val IT—New IT Value Framework Val IT provides the means to measure, monitor and optimize the realization of business value from investment in IT. It complements COBIT from a business and financial perspective and will help all those with an interest in value delivery from IT. This initial series consists of three volumes, available for free download:
Second edition of ISACA Sarbanes-Oxley publication now available
ITGI has released an updated edition of its well-received publication, IT Control Objectives for Sarbanes-Oxley. The first edition, published in 2004, has been downloaded more than 250,000 times. Companies around the world have used it as a tool for evaluating IT controls in support of Sarbanes-Oxley compliance. Experts from many organizations, including the top 10 accounting and professional firms, provided input and direction for the update. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition (PDF, 890K) George Spafford's research site
Be sure to join his Daily News email list published approximately once per week that provides global news coverage of stories about regulatory compliance, security, errors, human factors, outsourcing and technology business. In case you are wondering about the name, it began as a daily newsletter but has slowed up as his schedule has filled up. http://www.spaffordconsulting.com/ IT Audit Checklist for IT Governance and Strategy.
The IT Audit Checklist for IT Governance and Strategy offers: 1) 74 specific checklist items to help assess your audit readiness, 2) A breakdown of suggested management, operational, and technical controls, 3) Clarification on what auditors want (and don't want) to see, and, 4) Pointers regarding audit preparation, testing, and reporting. http://www.itcinstitute.com/display.aspx?id=2499
CIO Canada monthly column by Dan Swanson
Twenty three columns over a thirty month period, including articles regarding risk, governance, internal audit, IT security, IT Management, IT audit, knowledge management, and many more.
Go to the following link, key in Dan Swanson , and then register if asked. http://www.itworldcanada.com/Pages/Docbase/AdvancedSearch.aspx?lid=AdvancedSearch The Faculty of Information Technology
The IT Faculty helps chartered accountants make the best possible use of IT. The faculty represents chartered accountants’ IT-related interests and expertise, and contributes to IT-related public affairs. It keeps people in business up-to-date by providing a range of products, services and publications.
http://www.icaew.co.uk/index.cfm?route=110103
Improving the use of technology
This web page offers only a glimpse at the vast array of resources and guidance available for reliability, security, efficiency, and the many other positive attributes associated with managing information and related technologies. http://www.chlglobalassociates.com/wst_page4.html Managed networks are the future Agencies clearly are interested in outsourcing the management of their network and communications. And the General Services Administration’s Networks government-wide acquisition contract likely will be the lever to get this idea moving more quickly. Agency and vendor experts today said handing over some or all of your network management responsibilities to a managed services provider could provide cost savings, improved security and improved continuity of operations planning. But, experts warned, agency officials must detail to a specific level of granularity their performance expectations.
http://www.gcn.com/online/vol1_no1/43191-1.html
| 
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
Offline 
Send Email
Online Now 
Follow us on Twitter!
Join us on Facebook!
IT Governance specialises in governance, risk management, compliance and information security.
