INFORMATION SECURITY PROGRAM
NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
This Information Security Handbook provides a broad overview of information security program elements
to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team
[agency heads, chief information officers (CIO), senior agency information security officers (SAISO),
and security managers] about various aspects of information security that they will be expected to
implement and oversee in their respective organizations. This handbook summarizes and augments a number
of existing National Institute of Standards and Technology (NIST) standard and guidance documents and
provides additional information on related topics.
RFC 2196 - Site Security Handbook
This handbook is a guide to developing computer security policies
and procedures for sites that have systems on the Internet. The
purpose of this handbook is to provide practical guidance to administrators
trying to secure their information and services. The subjects
covered include policy content and formation, a broad range of
technical system and network security topics, and security incident
response.
SANS Top 20 Security Risks
The SANS Top 20 is a consensus list of vulnerabilities that require immediate remediation. It is
the result of a process that brought together dozens of leading security experts. They come from the
most security-conscious government agencies in the UK, US, and Singapore; the leading security
software vendors and consulting firms; the top university-based security programs; the Internet Storm
Center, and many other user organizations.
SANS S.C.O.R.E.
SCORE is a cooperative effort between SANS/GIAC and the Center
for Internet Security (CIS). SCORE is a community of security professionals
from a wide range of organizations and backgrounds working to
develop consensus regarding minimum standards and best practice
information, essentially acting as the research engine for CIS.
After consensus is reached and best practice recommendations are
validated, they may be formalized by CIS as best practice and
minimum standards benchmarks for general use by industry at large.
NSA IATRP - INFOSEC Assurance Capability Maturity Model (IA-CMM)
Use of the NSA IA-CMM increases an organization’s capability
to provide ongoing support and confidence that its technical work
force is performing according to an established and mature INFOSEC
Assurance process. The goal is to gain relative assurance that
the INFOSEC Assurance process is consistent and repeatable over
time.
OWASP Top Ten Web Application Security Vulnerabilities
The OWASP Top Ten is becoming the de facto standard for web application
security. The U.S. Federal Trade Commission strongly recommends
that all companies use the OWASP Top Ten and ensure that their
partners do the same. In addition, the U.S. Defense Information
Systems Agency has listed the OWASP Top Ten as key best practices
that should be used as part of the DOD Information Technology
Security Certification and Accreditation (C&A) Process (DITSCAP).
OWASP Guide to Building Secure Web Applications
The original OWASP Guide to Building Secure Web Applications has
become a staple for many web security professionals. Over
the last 24 months the initial version has been downloaded
over 2 million times. The Guide forms the basis for corporate
web security policies for several Fortune 500 companies and is
used in service offerings from many security consulting companies.
The Guide is aimed at architects, developers, consultants and
auditors and is a comprehensive manual for designing, developing
and deploying secure web applications.
Critical Information Infrastructure Protection Handbook - CRN Publications (Free)
The overall purpose of the International CIIP Handbook 2004 is
to provide an overview of CII protection practices in several
countries. The book investigates two main questions: 1) What national
approaches are there to CIIP? and 2) What methods and models are
used in the countries surveyed in order to analyze and evaluate
various aspects of CII? The handbook’s target group consists
mainly of security policy analysts, researchers, and practitioners.
The handbook can be used either as a reference work for a quick
overview of the state of the art in CIIP policy formulation and
CIIP methods and models or as a starting point for in-depth research.
Implementing Information Security: Risks vs. Cost - CyberGuard
Whether your organization is large or small, a thorough, detailed
information security plan should be part of your security formula.
This article provides some useful information on implementing
a viable plan that not only complies with government regulations,
but also mitigates costly threats.
ISSA: Generally Accepted Information Security Principles (GAISP) (60 pages)
GAISP’s goal is to collect information security principles that have been proven in practice and accepted
by practitioners, and to document those principles in a single repository – hence the name, Generally
Accepted Information Security Principles. GAISP draws upon established security guidance and standards
to create comprehensive, objective guidance for information security professionals, organizations,
governments, and users.
Australian DSTO: A Survey of Techniques for Security Architecture Analysis
This technical report is a survey of existing techniques which could potentially be used in the analysis
of security architectures. The report has been structured to section the analysis process over three broad
phases: the capture of a specific architecture in a suitable representation, discovering attacks on the
captured architecture, and then assessing and comparing different security architectures. Each technique
presented in this report has been recognised as being potentially useful for one phase of the analysis.
Security Metrics
NIST SP 800-55: Performance Measurement Guide for Information Security
This document is a guide to assist in the development, selection, and implementation of measures to be
used at the information system and program levels. These measures indicate the effectiveness of security
controls applied to information systems and supporting information security programs. Such measures are
used to facilitate decision making, improve performance, and increase accountability through the collection,
analysis, and reporting of relevant performance-related data—providing a way to tie the implementation,
efficiency, and effectiveness of information system and program security controls to an agency's success
in achieving its mission.
Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams
The Corporate Information Security Working Group (CISWG) was originally convened in November 2003 by
Representative Adam Putnam (R-FL). The Best Practices team surveyed available information security guidance.
It concluded in its March 2004 report that much of this guidance is expressed at a relatively high level of
abstraction and is therefore not immediately useful as actionable guidance without significant and often
costly elaboration. In a subsequent phase convened in June 2004, the Best Practices and Metrics teams were
charged with refining Information Security Program Elements and developing recommended Metrics supporting
each of the elements. This report is the result of that effort and represents a resource that will help
Board members, managers, and technical staff establish their own comprehensive structure of principles,
policies, processes, controls, and performance metrics to support the people, process, and technology
aspects of information security.
Dan Geer's Measuring Security Tutorial
Dan Geer's Measuring Security Tutorial is a valuable metrics resource. At 346 pages, it contains a
wealth of quotes, observations, methodologies and techniques for defining and generating metrics.
NISTIR 7564 - Directions in Security Metrics Research (Draft)
More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge
and understanding in physical science. During the last few decades, researchers have made various attempts
to develop measures and systems of measurement for computer security with varying degrees of success. This
paper provides an overview of the security metrics area and looks at possible avenues of research that
could be pursued to advance the state of the art.
Center for Internet Security: Consensus Information Security Metrics
This document contains twenty (20) metric definitions for six (6) important business functions: Incident
Management, Vulnerability Management, Patch Management, Application Security, Configuration Management and
Financial Metrics. Additional consensus metrics are currently being defined for these and additional
business functions.
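The metrics documents above (SP 800-55 and the CIS consensus metrics) describe what to measure but not how the numbers are produced. As an added example, not code from any of those publications, the following computes two patch-management measures of the kind they describe, mean time to patch and patch policy compliance, from a constructed vulnerability-tracking export. The record layout, the SLA thresholds and the data are all assumptions made for this illustration.

```python
"""Patch-management metrics over a constructed vulnerability export (added example).

Shows how two program-level measures of the kind SP 800-55 and the CIS
consensus metrics describe, mean time to patch and patch policy
compliance, are computed from tracking records. The record layout, the
SLA thresholds and the data are assumptions made for this example.
"""
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, date, Optional[date]]  # host, severity, detected, patched (None = open)

# Constructed records; not real hosts or findings.
RECORDS: List[Record] = [
    ("web01", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    ("web02", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    ("db01", "high", date(2024, 3, 5), date(2024, 3, 15)),
    ("db02", "high", date(2024, 3, 5), None),
    ("app01", "medium", date(2024, 2, 10), date(2024, 3, 1)),
    ("app02", "low", date(2024, 1, 20), date(2024, 3, 30)),
]

# Assumed remediation SLA in days by severity (illustrative policy values).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def age_days(detected: date, patched: Optional[date], as_of: date) -> int:
    """Days from detection to patch; an open item is aged up to the reporting date."""
    return ((patched or as_of) - detected).days


def mean_time_to_patch(records: List[Record], severity: Optional[str] = None) -> Optional[float]:
    """Mean days from detection to patch over closed items, optionally for one severity.

    Open items are excluded so the mean is not distorted by findings that
    have not been fixed yet; those are surfaced separately by open_past_sla().
    """
    durations = [
        (patched - detected).days
        for _, sev, detected, patched in records
        if patched is not None and (severity is None or sev == severity)
    ]
    return mean(durations) if durations else None


def patch_policy_compliance(records: List[Record], as_of: date,
                            sla: Dict[str, int] = SLA_DAYS) -> float:
    """Fraction of findings remediated within the SLA for their severity.

    An open finding counts as compliant only while it is still inside its
    SLA window on the reporting date; once past it, it is non-compliant.
    """
    compliant = sum(
        1 for _, sev, detected, patched in records
        if age_days(detected, patched, as_of) <= sla[sev]
    )
    return compliant / len(records)


def open_past_sla(records: List[Record], as_of: date,
                  sla: Dict[str, int] = SLA_DAYS) -> List[str]:
    """Hosts with an unpatched finding older than its SLA on the reporting date."""
    return [
        host for host, sev, detected, patched in records
        if patched is None and age_days(detected, patched, as_of) > sla[sev]
    ]


def summary(records: List[Record], as_of: date) -> Dict[str, object]:
    """One reporting-period snapshot suitable for a program-level report."""
    return {
        "mttp_days_all": mean_time_to_patch(records),
        "mttp_days_critical": mean_time_to_patch(records, "critical"),
        "patch_policy_compliance": patch_policy_compliance(records, as_of),
        "open_past_sla": open_past_sla(records, as_of),
    }


if __name__ == "__main__":
    for name, value in summary(RECORDS, date(2024, 4, 10)).items():
        print(f"{name}: {value}")
```

The reporting date matters: the same export reported on 2024-04-01 shows no host past SLA, while on 2024-04-10 the open finding on db02 has crossed its 30-day window and both the compliance figure and the exception list change. A metric definition that does not fix the reporting date and the treatment of open items is not repeatable, which is the property SP 800-55 asks for.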
Operating System Hardening
Benchmarking Tools - The Center For Internet Security
The CIS vulnerability assessment tools provide a quick way to
evaluate systems and networks, comparing their security configurations
against the CIS benchmark hardening standards. They automatically
create reports that guide users and system administrators to secure
both new installations and production systems. CIS tools are also
effective for monitoring systems to assure that security settings
continuously conform with CIS Benchmark configurations. CIS offers
tools and benchmark standards for Win2K, NT, Solaris, Linux, HP-UX,
Cisco IOS and Oracle databases.
Security Recommendation Guides - National Security Agency
NSA provides hardening standards for Windows Server 2003,
Win2K, WinXP, NT and Cisco IOS.
Solaris Hardening Document - Gideon T. Rasmussen
"This document details the configuration, hardening, monitoring
and vulnerability assessment of the Solaris operating system.
It can also be used as a configuration standard, providing a baseline
to audit against. It is important to understand the configurations
at a granular level to troubleshoot outages. Installs and hardening
can be automated with Jumpstart and the Solaris Security Toolkit
(respectively)."
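Both the CIS benchmark tools above and a hardening document used "as a configuration standard, providing a baseline to audit against" do the same thing at their core: read the live configuration, compare each setting with an expected value, and report the misses. As an added example (not a CIS tool, the Solaris Security Toolkit, or any code from this page), here is a minimal checker of that kind. It parses a constructed sshd_config-style file and compares it against a hypothetical baseline; the directive values and severities are assumptions for illustration, not a reproduction of any published benchmark.

```python
"""Baseline configuration checker (added example; not a CIS or Solaris Security Toolkit tool).

Parses a key/value configuration file (an sshd_config-style constructed
sample below), compares each directive against a baseline of expected
values, and emits a pass/fail report. The baseline values are assumptions
for illustration, not a reproduction of any published benchmark.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of an sshd_config-style file; not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
"""

# Hypothetical baseline: directive -> (expected value, severity of a miss).
BASELINE: Dict[str, Tuple[str, str]] = {
    "Protocol": ("2", "high"),
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "medium"),
    "PermitEmptyPasswords": ("no", "high"),
    "X11Forwarding": ("no", "low"),
    "MaxAuthTries": ("4", "low"),
}


@dataclass
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None when the directive is absent or commented out
    severity: str
    passed: bool


def parse_config(text: str) -> Dict[str, str]:
    """Return {directive (lower-cased): value} for active, non-comment lines.

    A commented-out directive is deliberately ignored: the daemon default
    applies in that case, so the baseline cannot be assumed to be met.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def check(text: str, baseline: Dict[str, Tuple[str, str]] = BASELINE) -> List[Finding]:
    """Compare every baseline directive against the parsed configuration."""
    settings = parse_config(text)
    findings = []
    for key, (expected, severity) in baseline.items():
        actual = settings.get(key.lower())
        # An unset directive fails: only an explicit, matching value passes.
        passed = actual is not None and actual.lower() == expected.lower()
        findings.append(Finding(key, expected, actual, severity, passed))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings as a plain-text report ending with a pass count."""
    lines = []
    for f in findings:
        status = "PASS" if f.passed else "FAIL"
        shown = f.actual if f.actual is not None else "<not set>"
        lines.append(f"{status} [{f.severity:<6}] {f.key}: expected {f.expected}, found {shown}")
    passed = sum(1 for f in findings if f.passed)
    lines.append(f"{passed}/{len(findings)} checks passed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check(SAMPLE_CONFIG)))
```

Two choices in the checker carry over to real benchmark tooling. First, a commented-out directive is treated as not set, so the check fails rather than reading the intended value out of the comment; the running daemon ignores it too. Second, a directive the baseline expects but the file omits also fails, because whether the daemon default satisfies the baseline depends on the software version, and an audit should not assume it does.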
Physical Security
GAO Technologies to Secure Federal Buildings (72 pages)
U.S. Army - Physical Security - FM 3-19.30 (317 pages)
NIST ADP Physical Security & Risk Management (106 pages)
Sun Microsystems Data Center Site Planning Guide (106 pages)
Security Policy Templates
SANS Security Policy Project
WindowSecurity.com Policy & Standards - Internet Security Policy
Information Security Control Frameworks
ISACA - COBIT IT Standard for IT Security and Control Practices
COBIT has been developed as a generally applicable and accepted standard for good Information Technology
(IT) security and control practices that provides a reference framework for management, users, and IS
audit, control and security practitioners.
ISACA - IT Control Objectives for Sarbanes-Oxley Final Document
This document, issued by the IT Governance Institute (ITGI), reflects the latest thinking on this increasingly global topic. Based on
COBIT control objectives, the authors have designed this publication as an educational resource primarily
for IT control professionals, but CIOs, IT management and assurance professionals will find the information
vitally important and beneficial as well.
NIST SP 800-53: Recommended Security Controls for Federal Information Systems (188 pages)
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information.
Baseline controls - low
Baseline controls - moderate
Baseline controls - high
NSW Department of Commerce: Information Security Guideline V1.1 (111 pages)
"This document aims to meet the needs of executives and managers who are accountable for the security of
information assets; staff who are responsible for initiating, implementing and or monitoring risk
management within their agency; and staff who are responsible for initiating, implementing and or
maintaining information security within their agency."
Common Criteria for IT Security Evaluation (CC)
The Common Criteria provides a common language for specifying and evaluating the security properties
of IT products and systems. Its framework allows government agencies and other groups to define sets of
specific functional and assurance requirements, called protection profiles, against which products are evaluated.
Information Security Standards
ISO 27002 (formerly ISO 17799)
ISO 27002 is intended to serve as a single reference point for identifying the range of controls
needed for most situations where information systems are used in industry and commerce, and to be
used by large, medium and small organizations.
PCAOB Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With an Audit of Financial Statements
This standard was approved by the Securities and Exchange Commission on June 17, 2004, and is effective
for audits of internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley
Act of 2002.
Information Security Legislation
Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA provides the first comprehensive Federal protection for
the privacy of health information.
Sarbanes-Oxley Act 2002
The Sarbanes-Oxley Act mandates a number of reforms to enhance
corporate responsibility, enhance financial disclosures and combat
corporate and accounting fraud, and created the "Public Company
Accounting Oversight Board," also known as the PCAOB, to
oversee the activities of the auditing profession.
Gramm-Leach-Bliley Act (GLBA) 1999
The Gramm-Leach-Bliley Act includes provisions to protect consumers'
personal financial information held by financial institutions.