System and Information Security Assurance


This page offers only a brief glimpse of the resources and guidance available for reliability, security, efficiency, and the many other positive attributes associated with managing information and related technologies.

Example works by Charles Le Grand and associates:

Example IT General Controls Audit Program – This overview audit program was designed for a healthcare facility but can easily be adapted for other environments. Click here to access the PDF. (File also available in MS Word; contact us.)

Information Technology Controls – Co-written with Alan S. Oliphant. The guide resulted from an IIA project in partnership with the American Institute of Certified Public Accountants (AICPA), Center for Internet Security (CIS), Carnegie Mellon University Software Engineering Institute (CMU SEI), Financial Executives International (FEI), International Federation of Accountants (IFAC), Information Systems Security Association (ISSA), National Association of Corporate Directors (NACD), and the SANS Institute. The project team included more than 120 participants representing 20 countries. Initial publication of The IIA's Global Technology Audit Guide series, 2005. Available free online.

Software Security Assurance – This guide explains the prevention, detection, and correction of security vulnerabilities in the source code of Internet-facing systems. This refereed research work contains an executive summary and management checklist, an audit program and guide, and an extensive bibliography. Published 2005, sponsored by Ounce Labs (now part of IBM). Click here to access the PDF of the SSA Framework.

Building a Culture of Compliance for a Culture of Confidence – This report is about understanding compliance and compliance management well enough to ensure YOUR organization gets it right and turns compliance from a burden into a benefit. It: describes a Culture of Compliance as an integral part of the organization’s ethics; describes the elements of compliance that are common to all of its instances throughout the organization; suggests a plan to manage and coordinate the common elements of compliance so they produce efficiencies, consistency, improved reliability and assurance, and increased stakeholder confidence; identifies the key elements of a system to coordinate compliance management; and provides an Executive Checklist to assist you in assessing your organization’s culture of compliance. Sponsored by IBS America, it is available free on their web site (see "Resources" and "White Papers") together with a companion piece, How to Build and Maintain a Culture of Compliance. Contact us for the latest guidance on compliance management tailored to your unique business needs.

Information Security Governance and Assurance – Facilitating the implementation and maintenance of manageable, verifiable security and controls in organizations that depend on technology. Originally written for a SANS Institute conference presentation, this work is available free online (click IT Security and scroll to Articles).

Information Security Management and Assurance: A Call to Action for Corporate Governance – Co-authored by Thomas R. Horton, Charles H. Le Grand, William H. Murray, Willis DJ. Ozier, and Donn B. Parker. Part one of a three-volume set of reports resulting from a project by The IIA in partnership with the American Institute of Certified Public Accountants (AICPA) and the Information Systems Audit and Control Association (ISACA) for the U.S. Critical Infrastructure Assurance Office. Part one was published April 2000 and presented at the White House. Parts two (Information Security Governance – What Directors Need to Know) and three (Building, Managing, and Auditing Information Security) were published in 2001. Available free online (click IT Security and scroll to Books).

PC Management Best Practices: A Study of the Total Cost of Ownership, Risk, Security, and Audit – Co-authored with Mark Salamasick, CIA, CISA, CSP. Sponsored by Intel. Published 2003 by The IIA. Search The IIA's Publications and Bookstore for PC Management.

Systems Auditability and Control (SAC) Reports – A series of publications by The IIA Research Foundation under the direction of Charles H. Le Grand. The project included establishing the paradigm for contents (covering all areas of information and systems management, control, security, auditing, and assurance) and coordinating a project team with more than 2000 participants representing more than 400 organizations. Published 1991 and 1994 by The IIA. Search The IIA's web site for Systems Auditability and Control.


1. Basel II: Revised international capital framework – Basel Committee on Banking Supervision, Bank for International Settlements.

2. BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships – Financial Services Roundtable (FSR).

3. BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management (British Standards Institute).

4. CA SB 1386 (the “You’ve Been Hacked” Act).

5. Change and Patch Management Controls: Critical for Organizational Success, Global Technology Audit Guide, The Institute of Internal Auditors, Inc.

6. CISSP and SSCP Open Study Guides web site.

7. CobiT – Control Objectives for Information and Related Technologies (ISACA).

8. Common Criteria.

9. Consensus Benchmark Scoring Tools.

10. The Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002, Public Law 107-204 – 107th Congress, the “Sarbanes-Oxley Act of 2002”.

11. Corporate Information Security Working Group, Best Practices and Metrics Team, report to the U.S. House of Representatives, Technology Subcommittee, November 17, 2004.

12. The Dirty Dozen: The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source, Ounce Labs, Inc.

13. EU Data Protection Directive – Part 1 & Part 2, available in separate PDFs.

14. Federal Financial Institutions Examination Council (FFIEC) – FFIEC "Audit IT Examination Handbook" and "FFIEC Audit Examination Procedures".

15. Federal Information Security Management Act of 2002 (FISMA), U.S. Congress, 2002.

16. Federal Sentencing Guidelines (US).

17. GAISP Generally Accepted Information Security Principles. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles (PP) & Broad Functional Principles (BFP), June 1999.

18. GAPP "Generally Accepted Principles and Practices", NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems", December 1998 (Marianne Swanson & Barbara Guttman).

19. A Guide to Building Secure Web Applications, The Open Web Application Security Project (OWASP).

20. Gramm-Leach-Bliley Act (GLBA), The Financial Modernization Act of 1999.

21. Health Insurance Portability and Accountability Act – HIPAA.

22. ICAT Metabase of Common Vulnerabilities and Exposures – National Institute of Standards and Technology (NIST).

23. Improving Security Across the Software Development Lifecycle, National Cyber Security Partnership.

24. Information Assurance Technical Framework, Information Assurance Task Force (IATF), National Security Agency Outreach.

25. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2001 – IT Governance Institute.

26. Information Security Management and Assurance: A Call to Action for Corporate Governance, The Institute of Internal Auditors, Inc., April 2000. Part 1 of a 3-volume set of board- and executive-level guidance on information security and what the leaders are doing about it. Appendix A of this guide is a board-level description of effective risk management practices featuring quantitative analysis.

27. Information Security Oversight: Essential Board Practices, National Association of Corporate Directors (NACD).

28. Information Security Program Elements and Supporting Metrics (sections V–VIII of the Corporate Information Security Working Group, Best Practices and Metrics Team, report to the U.S. House of Representatives, Technology Subcommittee, November 17, 2004).

29. The Information Technology Baseline Protection Manual, Federal Office for Information Security (BSI), Germany.

30. Information Technology Controls, Global Technology Audit Guide, The Institute of Internal Auditors, Inc.

31. Information Technology Security Evaluation Criteria (ITSEC) – Harmonised Criteria of France, Germany, the Netherlands, the United Kingdom; printed and published by the Department of Trade and Industry, London.

32. IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants, New York, 1999.

33. International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Inc.

34. ISO 17799 – IT – Code of Practice for Information Security Management.

35. NIST 800-14, Generally Accepted Principles and Practices for Securing IT Systems, 1996.

36. NIST 800-27, Engineering Principles for IT Security.

37. NIST 800-53, Recommended Security Controls for Federal Information Systems.

38. NoticeBored – Information security awareness content service.

39. Open Compliance and Ethics Group (OCEG).

40. “Open source tools for software testing professionals.”

41. Open Web Application Security Project (OWASP), OWASP Guide to Building Secure Web Applications.

42. The Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks (9 pervasive principles for information security upon which several other guides are based).

43. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada.

44. Policy Statement Regarding Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Release No. 2005-009, May 16, 2005.

45. Processes to Produce Secure Software, National Cyber Security Partnership.

46. Remediation Fiction and Facts: A Business Based Guide to Remediation Risk Modeling in the Global Marketplace, Internet Security Systems.

47. Risk Management & Productivity: Addressing the Business Value of Security, Internet Security Systems.

48. Security at the Next Level – Are Your Web Applications Vulnerable?, by Caleb Sima, SPI Dynamics, Inc.

49. Seven Steps to Security Awareness, Gary Hinson.

50. Staff Statement on Management’s Report on Internal Control Over Financial Reporting, U.S. Securities and Exchange Commission, May 16, 2005.

51. Standard of Good Practice for Information Security (Information Security Forum).

52. The Ten Most Critical Web Application Security Vulnerabilities, 2004 Update, The Open Web Application Security Project (OWASP).

53. Tescom, “The Global Software Assurance Company”.

54. Trusted Computer System Evaluation Criteria (TCSEC), U.S. Department of Defense.

55. Trust Services Criteria, including SysTrust/WebTrust (AICPA).

56. The Visible Ops Handbook, Information Technology Process Institute.




AICPA – The American Institute of Certified Public Accountants

ANSI – American National Standards Institute

ASBDC-US – The Association of Small Business Development Centers

BITS – The Technology Group for The Financial Services Roundtable

BR – Business Roundtable

BSA – Business Software Alliance

BSI – British Standards Institute

BSI – Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security (BSI), Germany

CERT – Computer Emergency Response Team

CIAO – Critical Infrastructure Assurance Office (formerly U.S. Dept. of Commerce, now Information Analysis and Infrastructure Protection of the Department of Homeland Security)

CICA – Canadian Institute of Chartered Accountants

CIS – The Center for Internet Security

CMU SEI – Carnegie Mellon University, Software Engineering Institute

COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (Treadway Commission)

DHS – Department of Homeland Security

DISA – Defense Information Systems Agency

FFIEC – Federal Financial Institutions Examination Council (USA)

FSR – Financial Services Roundtable

FTC – Federal Trade Commission (USA)

GAISPC – Generally Accepted Information Security Principles Committee

IAIP – Information Assurance and Infrastructure Protection Directorate of the U.S. Department of Homeland Security (DHS)

IATF – Information Assurance Task Force, National Security Agency Outreach

ICAEW – Institute of Chartered Accountants in England & Wales

ICC – International Chamber of Commerce

IFAC – International Federation of Accountants

IIA – The Institute of Internal Auditors, Inc. (and IIA Research Foundation)

ISECOM – The Institute for Security and Open Methodologies

ISA – Internet Security Alliance

ISACA – The Information Systems Audit and Control Association

ISF – Information Security Forum

ISO – International Organization for Standardization

ISSA – Information Systems Security Association

NACD – National Association of Corporate Directors

NCSA – National Cyber Security Alliance

NCSP – National Cyber Security Partnership

NERC – North American Electric Reliability Council

NIST – National Institute for Standards and Technology

NSA – National Security Agency

NVD – National Vulnerability Database, NIST (replaced ICAT)

OCEG – Open Compliance and Ethics Group

OWASP – Open Web Application Security Project

OECD – Organization for Economic Cooperation and Development

PCAOB – Public Company Accounting Oversight Board

SANS – Systems Administration, Audit, and Network Security Institute

SEC – Securities & Exchange Commission

SEI – Carnegie Mellon University Software Engineering Institute

SNAC – Systems and Network Attack Center (NSA)

US-CERT – U.S. Computer Emergency Readiness Team

WB – World Bank


Secure and Reliable Information Management
Copyright © 2005–2006 CHL Global Associates, LLC. All Rights Reserved.