System and Information Security Assurance

Resources

This page offers only a brief glimpse of the resources and guidance available for reliability, security, efficiency, and the many other positive attributes associated with managing information and related technologies.

Example works by Charles Le Grand and associates:

Example IT General Controls Audit Program - This overview audit program was designed for a healthcare facility but can easily be adapted for other environments.  Click here to access PDF.  (File also available in MS Word.  Contact CHL@chlga.com)

Information Technology Controls - Co-written with Alan S. Oliphant.  Guide resulted from an IIA project in partnership with the American Institute of Certified Public Accountants (AICPA), Center for Internet Security (CIS), Carnegie Mellon University Software Engineering Institute (CMU SEI), Financial Executives International (FEI), International Federation of Accountants (IFAC), Information Systems Security Association (ISSA), National Association of Corporate Directors (NACD), and the SANS Institute.  Project team included more than 120 participants representing 20 countries.  Initial publication of The IIA's Global Technology Audit Guide series, 2005. Available free at www.theiia.org/technology

Software Security Assurance - This guide explains the prevention, detection, and correction of security vulnerabilities in the source code for Internet-facing systems.  This refereed research work contains an executive summary and management checklist, audit program and guide, and extensive bibliography.  Published 2005, sponsored by Ounce Labs (now part of IBM, see  http://www-03.ibm.com/software/products/us/en/appscan-source). Click here to access PDF of SSA Framework.

Building a Culture of Compliance for a Culture of Confidence - This report is about understanding compliance and compliance management adequately to ensure YOUR organization gets it right and turns compliance from a burden to a benefit.  It: describes a Culture of Compliance as an integral part of the organization’s ethics; describes the elements of compliance that are common to all of its instances throughout the organization; suggests a plan to manage and coordinate the common elements of compliance so they can produce efficiencies, consistency, improved reliability and assurance, and result in increased stakeholder confidence; identifies the key elements of a system to coordinate compliance management; and provides an Executive Checklist to assist you in assessing your organization’s culture of compliance.  Sponsored by IBS America, it is available free on their web site with a companion piece, How to Build and Maintain a Culture of Compliance. See www.ibs-us.com, access "Resources" and "White Papers."  Contact us for the latest guidance on compliance management tailored to your unique business needs.

Information Security Governance and Assurance - Facilitating the implementation and maintenance of manageable, verifiable security and controls in organizations that depend on technology.  Originally written for a SANS Institute conference presentation, this work is available free at www.theiia.org/technology - click IT Security, and scroll to Articles.

Information Security Management and Assurance: A Call to Action for Corporate Governance - Co-authored by Thomas R. Horton, Charles H. Le Grand, William H. Murray, Willis DJ. Ozier, and Donn B. Parker.  Part one of a three-volume set of reports resulting from a project by The IIA in partnership with the American Institute of Certified Public Accountants (AICPA) and the Information Systems Audit and Control Association (ISACA) for the U.S. Critical Infrastructure Assurance Office. Part one published April, 2000 and presented at the White House.  Parts two (Information Security Governance - What Directors Need to Know) and three (Building, Managing, and Auditing Information Security) published 2001.  Available free at www.theiia.org/technology - click IT Security and scroll to Books.

PC Management Best Practices: A Study of the Total Cost of Ownership, Risk, Security, and Audit - Co-authored with Mark Salamasick, CIA, CISA, CSP.  Sponsored by Intel.  Published 2003 by The IIA.  See www.theiia.org.  Search for PC Management or click Publications and Bookstore.

Systems Auditability and Control (SAC) Reports - A series of publications by The IIA Research Foundation under the direction of Charles H. Le Grand.  Project included: establishing the paradigm for contents (covering all areas of information and systems management, control, security, auditing, and assurance); coordinating a project team with more than 2000 participants representing more than 400 organizations.  Published 1991 and 1994 by The IIA.  See www.theiia.org and search for Systems Auditability and Control.

References:

1. Basel II: Revised international capital framework – Basel Committee on Banking Supervision, Bank for International Settlements, http://www.bis.org/publ/bcbsca.htm

2. BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships – Financial Services Roundtable (FSR), http://www.bitsinfo.org

3. BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management (British Standards Institute), http://www.bsi.org.uk

4. CA SB 1386 (the “You’ve Been Hacked” Act), http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

5. Change and Patch Management Controls: Critical for Organizational Success, Global Technology Audit Guide, The Institute of Internal Auditors, Inc., http://www.theiia.org/index.cfm?doc_id=4706

6. CISSP and SSCP Open Study Guides web site, http://www.cccure.org

7. CobiT – Control Objectives for Information and Related Technologies (ISACA), http://www.isaca.org

8. Common Criteria, http://www.commoncriteriaportal.org

9. Consensus Benchmark Scoring Tools, http://www.cisecurity.org

10. The Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002, Public Law 107-204 – 107th Congress, the “Sarbanes-Oxley Act of 2002”, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=bf:publ204.107.pdf

11. Corporate Information Security Working Group, Best Practices and Metrics Team, report to the U.S. House of Representatives, Technology Subcommittee, November 17, 2004, www.CISecurity.org

12. The Dirty Dozen: The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source, Ounce Labs, Inc., http://www.ouncelabs.com

13. EU Data Protection Directive - Part 1 & Part 2 available in separate PDFs, http://aspe.os.dhhs.gov/datacncl/eudirect.htm, http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf

14. Federal Financial Institutions Examination Council (FFIEC) - FFIEC "Audit IT Examination Handbook" and "FFIEC Audit Examination Procedures", http://www.ffiec.gov

15. Federal Information Security Management Act of 2002 (FISMA), U.S. Congress, 2002, http://www.fedcirc.gov/library/legislation/FISMA.html

16. Federal Sentencing Guidelines (US), http://www.ussc.gov/GUIDELIN.HTM

17. GAISP Generally Accepted Information Security Principles. Currently available: Generally Accepted Systems Security Principles (GASSP) consisting of Pervasive Principles (PP) & Broad Functional Principles (BFP), June 1999, http://www.issa.org/gaisp.html

18. GAPP "Generally Accepted Principles and Practices", NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems", December 1998 (Marianne Swanson & Barbara Guttman), http://csrc.nist.gov/publications/nistpubs/index.html

19. A Guide to Building Secure Web Applications, The Open Web Application Security Project (OWASP), http://www.owasp.org

20. Gramm-Leach-Bliley Act (GLBA), The Financial Modernization Act of 1999, http://www.ftc.gov/privacy/glbact/

21. Health Information Portability and Accountability Act – HIPAA, http://www.hhs.gov/ocr/hipaa

22. ICAT Metabase of Common Vulnerabilities and Exposures – National Institute of Standards and Technology (NIST), http://icat.nist.gov/icat_documentation.htm

23. Improving Security Across the Software Development Lifecycle, National Cyber Security Partnership, http://www.cyberpartnership.org/SDLCFULL.pdf

24. Information Assurance Technical Framework, Information Assurance Task Force (IATF), National Security Agency Outreach, http://www.iatf.net/framework_docs/version-3_1/index.cfm

25. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2001 – IT Governance Institute, http://www.itgi.org

26. Information Security Management and Assurance: A Call to Action for Corporate Governance, The Institute of Internal Auditors, Inc., April 2000. Part 1 of a 3-volume set of board and executive level guidance on information security and what the leaders are doing about it.  Appendix A of this guide is a board-level description of effective risk management practices featuring quantitative analysis. http://www.theiia.org/index.cfm?doc_id=3061

27. Information Security Oversight: Essential Board Practices, National Association of Corporate Directors (NACD), http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

28. Information Security Program Elements and Supporting Metrics (sections V-VIII of the Corporate Information Security Working Group, Best Practices and Metrics Team, report to the U.S. House of Representatives, Technology Subcommittee, November 17, 2004), http://www.educause.edu/content.asp?page_id=666&ID=CSD3661&bhcp=1

29. The Information Technology Baseline Protection Manual, Federal Office for Information Security (BSI), Germany, http://www.bsi.bund.de/english/publications/index.htm

30. Information Technology Controls, Global Technology Audit Guide, The Institute of Internal Auditors, Inc., http://www.theiia.org/index.cfm?doc_id=4706

31. Information Technology Security Evaluation Criteria (ITSEC) – Harmonised Criteria of France, Germany, the Netherlands, the United Kingdom. Printed and published by the Department of Trade and Industry, London, http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1

32. IFAC International Guidelines on Information Technology Management—Managing Information Technology Planning for Business Impact, International Federation of Accountants, New York, 1999, http://www.ifac.org

33. International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Inc., http://www.theiia.org/index.cfm?doc_id=124

34. ISO 17799 – IT – Code of Practice for Information Security Management, http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

35. NIST 800-14, Generally Accepted Principles and Practices for Securing IT Systems, 1996, http://csrc.nist.gov/publications/nistpubs/index.html

36. NIST 800-27, Engineering Principles for IT Security, http://csrc.nist.gov/publications/nistpubs/index.html

37. NIST 800-53, Recommended Security Controls for Federal Info Systems, http://csrc.nist.gov/publications/nistpubs/index.html

38. NoticeBored - Information security awareness content service, http://www.noticebored.com

39. Open Compliance and Ethics Group (OCEG), http://www.oceg.org

40. OpenSourceTesting.org, “Open source tools for software testing professionals”, http://opensourcetesting.org

41. Open Web Application Security Project (OWASP), OWASP Guide to Building Secure Web Applications, http://www.owasp.org/documentation/guide/guide_about.html

42. The Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks (9 pervasive principles for information security upon which several other guides are based), http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

43. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada, http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp

44. Policy Statement Regarding Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Release No. 2005-009, May 16, 2005, http://www.pcaob.com/Standards/Standards_and_Related_Rules/PCAOB%20Release%20No.%202005-009%20-%20AS2%20Policy%20Statement%20-%20May%2016,%202005.pdf

45. Processes to Produce Secure Software, National Cyber Security Partnership, http://www.cyberpartnership.org/Software%20Pro.pdf

46. Remediation Fiction and Facts: A Business Based Guide to Remediation Risk Modeling in the Global Marketplace, Internet Security Systems, http://www.iss.net/support/documentation/whitepapers/index.php

47. Risk Management & Productivity: Addressing the Business Value of Security, Internet Security Systems, http://www.iss.net/support/documentation/whitepapers/index.php

48. Security at the Next Level – Are Your Web Applications Vulnerable?, by Caleb Sima, SPI Dynamics, Inc., http://www.spidynamics.com

49. Seven Steps to Security Awareness, Gary Hinson, http://www.noticebored.com

50. Staff Statement on Management’s Report on Internal Control Over Financial Reporting, U.S. Securities and Exchange Commission, May 16, 2005, http://sec.gov/info/accountants/stafficreporting.pdf

51. Standard of Good Practice for Information Security (Information Security Forum), http://www.isfsecuritystandard.com/index_ie.htm

52. The Ten Most Critical Web Application Security Vulnerabilities, 2004 Update, The Open Web Application Security Project (OWASP), http://www.owasp.org

53. Tescom, “The Global Software Assurance Company”, http://www.tescom.co.il

54. Trusted Computer System Evaluation Criteria (TCSEC), U.S. Department of Defense, http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

55. Trust Services Criteria, including SysTrust/WebTrust (AICPA), http://www.aicpa.org/trustservices

56. The Visible Ops Handbook, Information Technology Process Institute, http://www.itpi.org


Organizations:


AICPA The American Institute of Certified Public Accountants, www.aicpa.org

ANSI American National Standards Institute, www.ansi.org

ASBDC-US The Association of Small Business Development Centers, www.asbdc-us.org

BITS - The Technology Group for The Financial Services Roundtable, www.bitsinfo.org

BR Business Roundtable, www.businessroundtable.org

BSA Business Software Alliance, www.bsa.org/usa

BSI British Standards Institute, www.bsi.org.uk

BSI - Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security (BSI) Germany, www.bsi.bund.de

CERT Computer Emergency Response Team, www.cert.org

CIAO Critical Infrastructure Assurance Office (formerly U.S. Dept. of Commerce, now Information Analysis and Infrastructure Protection of the Department of Homeland Security)

CICA Canadian Institute of Chartered Accountants www.cica.ca

CIS The Center for Internet Security, www.cisecurity.org

CMU SEI Carnegie Mellon University, Software Engineering Institute, www.sei.cmu.edu

COSO Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (Treadway Commission), www.coso.org

DHS Department of Homeland Security, www.dhs.gov

DISA - Defense Information Systems Agency, www.disa.mil

FFIEC Federal Financial Institutions Examination Council (USA), www.ffiec.gov

FSR Financial Services Roundtable, www.fsround.org

FTC - Federal Trade Commission (USA), www.ftc.gov

GAISPC Generally Accepted Information Security Principles Committee, www.issa.org/gaisp.html

IAIP Information Assurance and Infrastructure Protection Directorate of the U.S. Department of Homeland Security (DHS), www.dhs.gov

IATF Information Assurance Task Force, National Security Agency Outreach, www.iatf.net

ICAEW Institute of Chartered Accountants in England & Wales, www.icaew.co.uk

ICC International Chamber of Commerce, www.iccwbo.org

IFAC International Federation of Accountants, www.ifac.org

IIA The Institute of Internal Auditors, Inc. (and IIA Research Foundation), www.TheIIA.org

ISECOM The Institute for Security and Open Methodologies, http://www.isecom.org

ISA Internet Security Alliance, www.isalliance.org

ISACA The Information Systems Audit and Control Association, www.isaca.org

ISF Information Security Forum, www.securityforum.org

ISO International Organization for Standardization, www.iso.org

ISSA Information Systems Security Association, www.issa.org

NACD National Association of Corporate Directors, www.nacdonline.org

NCSA National Cyber Security Alliance, www.staysafeonline.info

NCSP National Cyber Security Partnership, www.cyberpartnership.org

NERC North American Electric Reliability Council www.nerc.com

NIST National Institute for Standards and Technology, www.nist.gov

NSA National Security Agency, www.nsa.gov

NVD National Vulnerability Database, NIST (replaced ICAT) http://nvd.nist.gov

OCEG Open Compliance and Ethics Group, http://www.oceg.org

OWASP Open Web Application Security Project, http://www.owasp.org

OECD Organization for Economic Cooperation and Development, www.oecd.org

PCAOB Public Company Accounting Oversight Board, www.pcaobus.org

SANS Systems Administration, Audit, and Network Security Institute, www.sans.org

SEC Securities & Exchange Commission, www.sec.gov

SEI Carnegie Mellon University Software Engineering Institute, www.sei.cmu.edu

SNAC Systems and Network Attack Center (NSA), www.nsa.gov/snac

US-CERT U.S. Computer Emergency Readiness Team, www.us-cert.gov

WB World Bank, www.worldbank.org

Secure and Reliable Information Management
Copyright © 2005, 2006 CHL Global Associates, LLC. All Rights Reserved.