
Dan Swanson’s Security Resources: #6

Have you implemented a security education and awareness program to help educate management and staff on their security responsibilities? Have you organized a process to communicate good practice information to your workforce, particularly to the key IT specialists that are implementing new IT solutions? Have you reached out lately to your DR and BCP professionals regarding recovery processes and plans? Could your organization recover from a significant disaster? This week’s resources provide guidance regarding all these issues and more.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Security awareness for governance, risk, compliance and business

Information security is a vital element of corporate and IT governance and risk management. It minimizes risks to valuable information assets and maximizes compliance with laws, regulations and standards such as ISO 17799/ISO 27001, HIPAA, SOX, data protection/privacy, software copyright and intellectual property protection, banking industry regulations and many more.

Secure organizations may confidently pursue new business opportunities that would be considered too risky by their insecure peers. Simply put, good security is good business. NoticeBored helps build a genuine security culture through security awareness.
http://www.noticebored.com/index.html

2. Twelve habits of successful IT professionals
http://www.educause.edu/ir/library/pdf/erm0613.pdf

3. Schaser-Vartan Books’ new release, Say What You Do, spells out in layman’s terms the often bewildering differences between policies, procedures and standards — topics that have historically been written about in industry jargon. What sets the book apart is its candidly practical approach, focusing on creating policies that really work rather than pushing theories that break down in the real world. “Armed with this book, you should be able to lead a policy development project at your company from the ground up and from the top down without losing your mind,” says co-author and attorney Marcelo Halpern.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070417005246&newsLang=en

4. Second edition of Guide to Business Continuity Management
This comprehensive resource guide reviews in detail numerous BCM areas and strategies, including an overview of the regulatory landscape, risk assessment and business impact analysis, program design, business alignment, training, testing, maintenance, and compliance monitoring and auditing. Updates to the second edition of Guide to Business Continuity Management include a special introduction that examines two significant issues in the field of BCM: the continuing difficulties caused by devastating hurricane seasons, and the potential business disruption that an avian flu pandemic could cause. Other additions include industry-specific questions for BCM programs in the manufacturing, retail, healthcare and telecommunications sectors.
http://now.eloqua.com/es.asp?s=361&e=FADCF1F859DE4310969DEB6DFB1726D7&elq=54F37758B1AB48F98DD409D0C10064D7

5. The Canadian Centre for Emergency Preparedness (CCEP)
CCEP is a not-for-profit organization based in Canada and devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP’s objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.
http://www.ccep.ca/index.html


Posted on May 30th, 2008 by Dan Swanson and filed under Business continuity, Disaster Recovery |


Dan Swanson’s Security Resources: #6

Just who is responsible for information security? Are we learning from incidents that have occurred at other organizations? Do we leverage the research that is available from various institutions? Do we take regulations seriously?

This week’s resources discuss all these questions and more.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.
http://www.itcinstitute.com/display.aspx?id=1823

2. SCORE
“As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. It is a core component of DITSCAP. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Michael Kirby has developed a tool to help generate an SSP. It is available here on an as-is basis; SCORE takes no responsibility for your use of the tool.” Try the tool at http://www.sans.org/score/ssp.php

3. Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA)
To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.
http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24572

4. Digital Records Management — What Auditors Should Know
As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.
http://www.theiia.org/itaudit/index.cfm?iid=496&catid=21&aid=2388

5. Hammer Time: Enforcing Internal Security - by Linda L. Briggs.
Having internal rules and regulations in place regarding compliance is important, as is clearly communicating them to employees. But when infractions occur, as they inevitably will, how should you deal with them?
http://www.itcinstitute.com/display.aspx?id=2403

6. Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats.
* Providing examples of why a control is necessary.
* Citing real world compromises in presentations, etc.
http://www.efortresses.com/refdocs/2006-Breaches-Matrix.pdf
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.cybercrime.gov/cccases.html


Posted on May 23rd, 2008 by Dan Swanson and filed under Security, privacy |


Dan Swanson’s Security Resources: #5

This week I wanted to highlight two significant security initiatives, the CERT resiliency engineering research project and the CERT Governing for Enterprise Security (GES) initiative. I also wanted to point out some landmark security guidance (the CIAO/IIA series) with the initial “call to action” paper being released at the White House on April 17, 2000. As always, I have also included a couple of miscellaneous resources too.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. CERT®’s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.

2. Governing for Enterprise Security Implementation Guide
This guidance is designed to help business leaders implement an effective program to govern information technology (IT) and information security.

• Article 1: Characteristics of Effective Security Governance (pdf)
• Article 2: Defining an Effective Enterprise Security Program (ESP) (pdf)
• Article 3: Enterprise Security Governance Activities (pdf)

3. The Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world’s leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. http://www.cerias.purdue.edu/

4. Guide 6: Managing and Auditing IT Vulnerabilities
The IIA has released its sixth guide in its Global Technology Audit Guide (GTAG®) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.

5. Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist.
http://www.auditnet.org/articles/DSIA200704.htm

6. The CIAO/IIA series of board level security guidance reports
The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports on information security. The series assigns responsibilities to the board, management, and internal audit, and provides guidance to board directors.
Information Security Management and Assurance: A Call to Action for Corporate Governance

Information Security Governance: What Directors Need to Know

Building, Managing, and Auditing Information Security


Posted on May 15th, 2008 by Dan Swanson and filed under Security, Vulnerabilities |


Dan Swanson’s Security Resources: #4

My fourth column provides another diverse collection of leading resources.

This week’s question: “How prepared is your organization?” If you have any concerns on the robustness of your disaster recovery, business continuity, and/or your emergency management capabilities, I’d strongly recommend you check out the Canadian Centre for Emergency Preparedness.

Studying for your CISSP? The CCCure.Org web site is the place to go!

Feeling you need to ramp up your security training efforts? Check out ISC2’s comprehensive educational resource guide.

Finally, have you been questioning who is responsible for information security lately? Study the views of an internal auditor.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. The (ISC)² 2007 Resource Guide for Today’s Information Security Professional - Global Edition provides the latest resources in educational references, year-long events listings and leading industry sponsors all in one handy downloadable reference guide.

2. The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed to advance security engineering as a defined, mature, and measurable discipline. It describes the characteristics essential to the success of an organization’s security engineering process, and is applicable to all security engineering organizations including government, commercial, and academic.

3. CCCure.Org, the CISSP, SSCP, CISM, CISA, ISSPCS, and SANS GIAC GCFW Open Study Guides Web site, is dedicated to helping people achieve their goal of becoming a CISSP, SSCP, CISM, CISA, ISSPCS, or GCFW. Over the years it has become a vast container of resources that can assist you in mastering the domains of the specific Common Body of Knowledge related to each of the above certifications.

4. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines) and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done — and that the company’s key assets are protected appropriately.

5. The Canadian Centre for Emergency Preparedness (CCEP) is a not-for-profit organization based in Canada and devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP’s objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.

6. What Should Your Business Continuity Efforts Focus On?
A Reader Asks: Should your business continuity program (BCP) consider the impacts of emerging threats and changing business practices, and what are the key issues involved today?
The Auditor Responds (Short answer): Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics.
The long answer: http://www.itcinstitute.com/display.aspx?ID=2090


Posted on May 8th, 2008 by Dan Swanson and filed under Business case, Security |


Dan Swanson’s Security Resources: #3

There are several ongoing, long-term security efforts worth examining. The National Institute of Standards and Technology (NIST) has published hundreds of guidance documents relating to all aspects of information security over the years. Just as importantly, they consistently maintain the currency of their guidance. The Center for Internet Security (CIS) has developed dozens of consensus-based security benchmark checklists that can be used for securing the technologies commonly in place in most organizations. CIS tools have become a worldwide standard for “hardening” those technologies. And the U.S. Department of Homeland Security Build Security In (BSI) initiative is truly amazing; it’s an endless source of advice and guidance and needs to be visited frequently, as new items are added regularly.

As always, I have also included a few topic-specific resources.

Enjoy.

Good luck and have another great week.

Dan Swanson
Dswanson_2005@yahoo.com

1. Build Security In (BSI)
As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems.

2. The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library.
The mission of NIST’s Computer Security Division is to improve information systems security by:
• Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• Developing standards, metrics, tests and validation programs:
o to promote, measure, and validate security in systems and services
o to educate consumers and
o to establish minimum security requirements for Federal systems
• Developing guidance to increase secure IT planning, implementation, management and operation.

3. The SANS (SysAdmin, Audit, Network, Security) Institute
SANS is one of the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system, the Internet Storm Center.

4. CERT’s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.

5. The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors. The practical CIS Benchmarks support the available high-level standards that deal with the “Why, Who, When, and Where” aspects of IT security by detailing “How” to secure an ever-widening array of workstations, servers, network devices, and software applications in terms of technology-specific controls. CIS Scoring Tools analyze and report system compliance with the technical control settings in the Benchmarks. The CIS Benchmarks and Scoring Tools are available for download free of charge.
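To show what a benchmark “scoring” pass actually does at the technical-control level, here is an added example (written for this column, not CIS’s own Scoring Tool) that evaluates a handful of benchmark-style controls against an OpenSSH server configuration. The control IDs, titles and thresholds are illustrative rather than real CIS benchmark numbering; the fallback defaults for unset keywords are assumed from sshd_config(5); and the two configurations are constructed samples. The parser honours sshd’s rule that the first occurrence of a keyword wins, and it stops at a Match block because everything after one is conditional.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Assumed OpenSSH server defaults for keywords left unset (per sshd_config(5)).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "x11forwarding": "no",
    "permitemptypasswords": "no",
}


@dataclass(frozen=True)
class Control:
    control_id: str   # illustrative IDs, not real CIS benchmark numbering
    title: str
    passes: Callable[[dict], bool]


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings: explicit values over assumed defaults."""
    effective = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # whole-line comments only
            continue
        if line.lower().startswith("match "):
            break   # lines after a Match block are conditional, not global
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in seen:                       # sshd honours the first occurrence
            seen.add(key)
            effective[key] = value
    return effective


CONTROLS = [
    Control("SSH-01", "Root login over SSH is disabled",
            lambda c: c["permitrootlogin"].lower() == "no"),
    Control("SSH-02", "Password authentication is disabled",
            lambda c: c["passwordauthentication"].lower() == "no"),
    Control("SSH-03", "MaxAuthTries is 4 or fewer",
            lambda c: c["maxauthtries"].isdigit() and int(c["maxauthtries"]) <= 4),
    Control("SSH-04", "X11 forwarding is disabled",
            lambda c: c["x11forwarding"].lower() == "no"),
    Control("SSH-05", "Empty passwords are not permitted",
            lambda c: c["permitemptypasswords"].lower() == "no"),
]


def score_config(text: str) -> dict:
    """Evaluate every control and return per-control results plus a percentage score."""
    effective = parse_sshd_config(text)
    results = {ctl.control_id: ctl.passes(effective) for ctl in CONTROLS}
    passed = sum(results.values())
    return {"results": results, "passed": passed, "total": len(CONTROLS),
            "score": round(100 * passed / len(CONTROLS))}


# Constructed sample: a distribution default left mostly untouched.
WEAK_CONFIG = """
# sshd_config as shipped
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
MaxAuthTries 3
X11Forwarding yes
"""

# Constructed sample: the same host after the benchmark remediation steps.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication=no
MaxAuthTries 4
X11Forwarding no
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = score_config(cfg)
        print(f"{name}: {report['passed']}/{report['total']} ({report['score']}%)")
        for ctl in CONTROLS:
            print(f"  [{'PASS' if report['results'][ctl.control_id] else 'FAIL'}] "
                  f"{ctl.control_id} {ctl.title}")
```

Two details matter for a real scoring tool and are deliberately modelled here: a second `MaxAuthTries 3` line does not rescue the weak configuration, because sshd uses the first value it reads, and an absent keyword is scored against the daemon’s default rather than treated as a pass, so an empty file still fails the controls whose defaults are permissive.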

6. Microsoft releases guidelines for customer privacy
A 49-page document previously kept internally by Microsoft was released at an international privacy professionals’ conference in Toronto. The company hopes its Privacy Guidelines for Developing Software Products and Services will spur further industry discussions.


Posted on May 2nd, 2008 by Dan Swanson and filed under Security, Software |
