Dan Swanson’s Security Resources: #5
This week I wanted to highlight two significant security initiatives, the CERT resiliency engineering research project and the CERT Governing for Enterprise Security (GES) initiative. I also wanted to point out some landmark security guidance (the CIAO/IIA series), with the initial “call to action” paper having been released at the White House on April 17, 2000. As always, I have also included a couple of miscellaneous resources.
Enjoy.
Good luck and have another great week.
Dan Swanson
Dswanson_2005 at yahoo.com
1. CERT®’s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.
2. Governing for Enterprise Security Implementation Guide
This guidance is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
• Article 1: Characteristics of Effective Security Governance (pdf)
• Article 2: Defining an Effective Enterprise Security Program (ESP) (pdf)
• Article 3: Enterprise Security Governance Activities (pdf)
3. The Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world’s leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. http://www.cerias.purdue.edu/
4. Guide 6: Managing and Auditing IT Vulnerabilities
The IIA has released its sixth guide in its Global Technology Audit Guide (GTAG®) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.
5. Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information more than ever before, and extensive help is available from the PCI Security Standards Council and numerous other organizations.
http://www.auditnet.org/articles/DSIA200…
6. The CIAO/IIA series of board level security guidance reports
The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports on information security. The series assigns responsibilities to the board, management, and internal audit, and provides guidance to board directors.
• Information Security Management and Assurance: A Call to Action for Corporate Governance
• Information Security Governance: What Directors Need to Know
• Building, Managing, and Auditing Information Security
