
Dan Swanson’s Security Resources: #2

I introduced my security resource education initiative last week (click here if you missed it). Each week, I’ll present six leading resources which will be useful to all information security professionals as well as many IT professionals.

As everyone knows, there is no end to professional development for any professional, and this column is dedicated to providing resources that IT security professionals and IT professionals alike can study and learn from.

They are provided to support the improvement of your organization’s security practices and security posture, and always remember, there is no better way to learn than by doing.

The resources provided this week include guidance regarding:

• the insider threat issue,

• leading methods for developing secure Web code,

• what security is truly facing (a war), and

• a Web site dedicated to the ISO27000 security standard series.

Enjoy.

Dan Swanson
Dswanson_2005@yahoo.com

1. CERT® Insider Threat Research
The CERT insider threat research focuses on both technical and behavioral aspects of actual compromises. They produce models, reports, training, and tools to raise awareness of the risks of insider threat and to help identify the factors influencing an insider’s decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization.

2. The Open Web Application Security Project (OWASP)
OWASP is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Their open source projects and local chapters produce free, unbiased, open-source documentation, tools, and standards. The OWASP community also facilitates papers, conferences, local chapters, presentations, and mailing lists. If you’re new to application security, try their “getting started guide”.

3. The Information Warfare Site (IWS)
IWS is an online resource that aims to stimulate debate about a range of subjects from information security to information operations and e-commerce. It is the aim of the site to develop a special emphasis on offensive and defensive information operations. IWS first went online in December 1999. Since its launch it has undergone a complete redesign and many key texts have been added. In adherence to its founding principles IWS has developed several mailing lists to enable a more interactive debate.

4. The Defense-in-Depth Foundational Curriculum
This handbook discusses information assurance issues and how to address them at both organizational and technical levels. It is written for students ranging from system administrators to CIOs who have some technical understanding of information systems.

5. Gary Hinson’s Web site
Gary Hinson’s Web site has a variety of excellent resources. He maintains a comprehensive page of links for ISO 27000 resources and IT governance.

6. GAO Executive Guide: Information Security Management: Learning From Leading Organizations.
A high priority of the CIO Council is to ensure the implementation of security practices within the Federal government that gain public confidence and protect government services, privacy, and sensitive and national security information. This Executive Guide, “Information Security Management: Learning From Leading Organizations,” clearly illustrates how leading organizations are successfully addressing the challenges of fulfilling that goal. These organizations establish a central management focal point, promote awareness, link policies to business risks, and develop practical risk assessment procedures that link security to business needs. This latter point, the need to link security to business requirements, is particularly important, and is illustrated by a statement from a security manager quoted in the guide: “Because every control has some cost associated with it, every control needs a business reason to be put in place.”

Posted on April 23rd, 2008 by Dan Swanson and filed under Security |