IT Audit - The Institute Of Internal Auditors  


Reference Library: Security Information and Organizations

Information security resources such as computer crime investigators, computer emergency response teams, publications, research and standards organizations, and white papers.

Annual Computer Security Applications Conference
This conference, preceded by two days of tutorials, explores technology applications in policy issues and operational system requirements; tools and techniques; and systems applications and implementations.
ANSER Institute for Homeland Security
The ANSER Institute for Homeland Security is a nonprofit public-service research organization examining national security challenges and providing education, public awareness programs, and online publications.
Black Hat Briefings
The Black Hat Briefings is a vendor-neutral exchange of information originated to help IT security professionals better understand security risks, threats, and vulnerabilities.
British Standards Institute (BSI)
BSI ensures the views of British industry are represented in international standards bodies.
Canada Office of Critical Infrastructure Protection and Emergency Preparedness
The Office of Critical Infrastructure Protection and Emergency Preparedness reports to the Minister of National Defence, who is responsible for emergency preparedness in Canada.
Canaudit
Canaudit offers technical audits, security reviews, network penetrations, and classes on security, controls, and testing. The Web site provides training schedules, articles, checklists, and tools for download.
CanCERT (Canada)
CanCERT is Canada's national Computer Emergency Response Team. CanCERT is committed to client confidentiality and the improvement of IT security.
CARNet (Croatia)
Representatives from all academic and research institutions constitute CARNet, the only CERT-like team responsible for the whole of Croatia.
Center for Internet Security
CIS helps users, operators, insurers, and auditors reduce risks of e-commerce and operations disruptions with methods and free benchmark tools to improve, measure, monitor, and compare security status of Internet-connected systems.
CERT Coordination Center Intruder Detection Checklist
This checklist provides suggested steps to determine if a system has been compromised.
CERT Coordination Center Recovering From Root Compromise Checklist
This document provides suggested steps to respond to a UNIX root compromise.
CERT Italy
This nonprofit organization, supported by the Department of Computer Science of the University of Milan, is a member of the International Forum of Incident Response and Security Teams (FIRST).
Cipher
Cipher is the Institute of Electrical and Electronics Engineers' electronic newsletter on security and privacy.
CISSP Open Study Guides
This site contains study guides, document downloads, and reference links to help Certified Information Systems Security Professional (CISSP) candidates master the 10 domains of the Common Body of Knowledge included in the certification.
Common Vulnerabilities and Exposures (CVE)
CVE provides a free list of standardized names for information security vulnerabilities and exposures and publishes free IT security newsletters.
Communications Security Establishment (CSE) - Canada
CSE delivers information technology security solutions to the government of Canada, featuring the Common Criteria Evaluation and Certification Scheme, a third-party evaluation and certification service.
Computer Crime Research Center (CCRC)
The Computer Crime Research Center (CCRC) is an international volunteer nonprofit corporation dedicated to education in the field of cyber crime and cyber terrorism prevention and investigation.
Computer Emergency Response Team Coordination Center (CERT)
CERT Coordination Center at Carnegie Mellon University studies Internet security vulnerabilities, provides incident response to victims of attacks, and publishes security alerts.
Computer Security Institute (CSI)
CSI provides education on practical, cost-effective ways to protect an organization's information assets; offers conferences, seminars, and publications; and conducts the annual FBI/CSI Computer Crime survey.
Cross-site Scripting FAQ
This FAQ, written by Xenomorph, explains cross-site scripting, which occurs when attackers use malicious data to attack Web applications. It also shows examples of attacks and suggests ways to protect applications.
CyberAngels
CyberAngels is a cyber-neighborhood watch group of IT professionals and law enforcement officers that addresses concerns of parents, needs of children, online abuse, and cyber crime.
Def Con
Def Con represents the underground of computer security and hacking by providing information sharing, news, conferences and other events, links, and tools.
DoD, NSA Rainbow Series - Trusted Computer Systems Evaluation Criteria
The Rainbow Series of books on evaluating "Trusted Computer Systems" according to the U.S. Department of Defense's (DoD's) National Security Agency includes the Orange Book, DoD Trusted Computer System Evaluation Criteria.
DoxPara Research
DoxPara Research exists as a repository for information security analysis.
This international nonprofit organization provides an independent forum on trusted service provision, digital certificates, and public key infrastructure; e-commerce best practice; wireless messaging; and unified messaging.
EU Dependability Development Support Initiative (DDSI)
This site provides information about DDSI, an 18-month European Union (EU) project that developed critical infrastructure protection assessment plans for EU member nations and others.
EU Safer Internet Programme
The European Union's response to illegal and harmful content on the Internet, the site provides hotlines, filtering and rating systems, newsletters, information on legislation, and other guidance.
Federal Association of Security Officials (Canada)
The Federal Association of Security Officials works with government security organizations and the security industry to organize training and obtain briefings in new developments and new technologies.
Financial Services ISAC (FS/ISAC)
Financial Services Information Sharing and Analysis Center (FS/ISAC) for professionals in banking, securities, and insurance enables timely reporting of security threats, vulnerabilities, incidents, and solutions.
Fingerprinting Port 80 Attacks
This series of articles written by Xenomorph explains how IT security professionals can investigate network attacks by discovering and tracing the attacker's digital fingerprints.
Firewall Product Overview
This site provides descriptions of firewall products, vendors, and resellers.
Fiscal Year 2001 Report to Congress on Federal Government Information Security Reform
The Fiscal Year 2001 Report summarizes the results of security evaluations reported to the U.S. Office of Management and Budget, including common weaknesses, challenges, and frequent questions. [PDF]
Forum of Incident Response and Security Teams (FIRST)
FIRST brings together a variety of computer security incident response teams from government, commercial, and academic organizations to exchange information and coordinate response activities.
Gilmore Commission (U.S.)
The Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction reports annually to the U.S. Congress about the federal government's ability to respond to terrorist incidents.
Global Internet Project (GIP)
GIP is an international group of senior executives committed to fostering continued growth of the Internet. GIP publications and educational events address commerce, content, privacy, security, governance, and infrastructure.
Guidelines for the Security of Information Systems (OECD)
Guidelines created by the Organisation for Economic Co-operation and Development have been adopted or adapted by the 24 OECD member countries, as well as NIST, GASSPC, IFAC, IIA, NACD, and other organizations.
Guidelines on Securing Public Web Servers (NIST)
NIST's draft report, Guidelines on Securing Public Web Servers, has been available since March 2002. [PDF]
Help Net Security
Help Net Security provides an e-mail newsletter, press releases, software, articles, lists of vulnerabilities, virus and antivirus information, downloads, and links to information security sites.
Honeynet Project
This voluntary project studies attacks on unsecured honeypot servers to learn about hacker tactics and tools and provides information about the use of honeypots for information security.
ICSA Labs
ICSA Labs publishes surveys, industry studies, and buyers' guides; sponsors security consortiums; and shares information with manufacturers, developers, academia, and others.
Information Assurance Advisory Council (IAAC)
IAAC brings together corporate leaders, public policy makers, law enforcement, and the research community to address the challenges of information infrastructure protection and develop policy recommendations.
Information Security Forum (ISF)
ISF is an independent association of organizations concerned with protecting business information and finding practical solutions to information security problems.
Information Security Glossary
This glossary of information security terms and phrases is extracted from the SOS Security Policies offering. This policy set is available as a standard policy and interactive form.
InfoSec News
The InfoSec News e-mail list distributes information security news articles from newspapers, magazines, and online resources to more than 3,000 subscribers worldwide.
This portal for information systems security students and professionals includes categorized links, security and hacking guides, tutorials, news, alerts, search engines, mailing lists, and downloads.
InfraGard
InfraGard is an information and analysis cooperative between the U.S. federal government, businesses, academic institutions, law enforcement, and others dedicated to increasing the security of critical infrastructures.
Institute for Security and Open Methodologies (ISECOM)
ISECOM is a think tank that provides open standards and methodologies, collective information, and tools via the Internet, social venues, and conferences, under open source licenses for free public use.
Institute of Internal Auditors (IIA)
The IIA is the world leader in internal auditing, governance, internal control, IT audit, education, risk management, and security.
International Information Systems Security Certification Consortium (ISC)2
(ISC)2 maintains a common body of knowledge for information security, certifies industry professionals and practitioners, administers training and examinations, and provides continuing education.
Internet Engineering Task Force (IETF)
The IETF community of network designers, operators, vendors, and researchers conducts technical work in its working groups, which are organized by topic such as routing, transport, and security.
Internet Security Alliance
Internet Security Alliance provides a forum for sharing information on information security issues and threats and works to identify and standardize security best practices and solutions.
Internet Storm Center
Internet Storm Center, a free service supported by the SANS Institute, gathers 3 million intrusion detection log entries a day, finds new storms, isolates attacks, and provides authoritative data on the types of attacks.
Introduction to Computer Security
This U.S. National Institute of Standards and Technology handbook provides a broad overview of computer security to help readers develop a sound approach to the selection of appropriate security controls.
ISF Standard of Good Practice for Information Security
The Standard is produced by the Information Security Forum to promote good practice in information security, help organizations improve security, and develop practical and effective standards for reducing information risk.
Liberty Alliance
The Liberty Alliance delivers and supports a federated-network identity solution for the Internet that enables single sign-on for consumers and business users.
Log Analysis
Log Analysis provides information and resources about using computer systems log analysis for computer security. The site includes how-to advice, sample logs, and links to log analysis software vendors.
MasterCard Secure Electronic Transactions
The Secure Electronic Transactions (SET) area of MasterCard's Web site provides information about SET and how to be a smart online shopper.
Microsoft Security
The Microsoft Security Web page features strategy information, products, support, guidance, links, bulletins, antivirus, virus alerts, hoaxes and scams, secure applications, training, and downloads.
Microsoft Security Response Center
Microsoft provides this portal to report information security problems or to learn about new security issues.
MIS Audit and Information Security Training
With offices in the United Kingdom, United States, and Asia, MIS provides information security conferences and training seminars on auditing and IT, Web sites, and e-commerce.
National Colloquium for Information Systems Security Education (U.S.)
The Colloquium provides a forum for academia, government, and industry information security experts to discuss and form needed direction in security undergraduate and graduate curricula.
National Security Institute (NSI)
The NSI Web site features industry and product news, computer alerts, travel advisories, a calendar of events, a directory of products and services, and access to a virtual security library.
NIS Security Checklist
This checklist from Auburn University's College of Engineering offers steps to remove security risks, while retaining NIS' administrative advantages.
Norwegian Network for Research & Education CERT
Funded by the Royal Norwegian Ministry of Education and Research, the network provides information security emergency response services to Norwegian government agencies and UNINETT member organizations.
Open Web Application Security Project
OWASP is a global open source community project of volunteers sharing knowledge on Web application security techniques and issues, as well as building open source software to help developers test or implement security.
Organisation for Economic Co-operation and Development (OECD)
OECD's 30 member countries share a commitment to democratic government and the market economy. OECD Guidelines for the Security of Information Systems have been adopted/adapted by the standards organizations throughout the world.
Peter Davis and Associates Top 10 Security Links
This site provides a top 10 list of security links.
Purdue University Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue's CERIAS conducts research, development, and education on the protection of information and information resources, and on developing and enhancing expertise in information assurance and security. The site includes a hot list of security links.
Revolutionizing HIPAA Secure Remote Access to Extend Beyond Privacy
This report by technology consultant John Vacca discusses methods and technologies for securing and authenticating online access to U.S. Health Insurance Portability and Accountability Act (HIPAA) data. [PDF]
SANS Institute
The SANS Institute is a cooperative research and education organization where system, network, and security professionals share lessons and solutions.
This site provides news, links, and resources on critical technology, processes, and legal issues to help secure networks, data, Web sites, and hardware.
Securing Your UNIX Computer Checklist
This document, written by Lorraine Venner, shows system administrators how to secure their HP-UX systems more effectively.
Security Audit Resource Guide
The reference links on this site are intended to help administrators better evaluate the security of their networks and become familiar with tools that could be used against them.
Security Benchmark
Security Benchmark compiles news and resources about information security from a variety of trade publications. Information is divided into audit, management, and technical sections.
Security Industry Association (SIA)
SIA promotes growth, expansion, and professionalism within the security industry and provides education, research, technical standards, representation, and defense of members' interests.
Security Risk Analysis Directory
The Security Risk Analysis Directory explores the elements of risk and introduces the COBRA security risk assessment methodology and tool to help organizations comply with security policies, external standards, and legislation.
SecurityDocs
SecurityDocs is a moderated directory of more than 2,100 information security articles, whitepapers, and other documents, in 100 searchable categories based on description, title, and member rating.
SecurityFocus
SecurityFocus provides information on enterprise security threats, issues alerts of impending cyber attacks worldwide, licenses a vulnerability database, and hosts the Bugtraq security community mailing list.
SHARE Inc.
SHARE Inc. is an independent, volunteer-run association providing IBM customers with user-focused research, education, networking, and a forum to influence the IT industry.
This site provides SQL server performance tuning and optimization tips, an overview of the SQL server security model and security best practices, and information and articles for enhancing audits.
Stay Safe Online
Stay Safe Online is provided as a public service by the U.S. National Cyber Security Alliance to give users the information needed to secure their home or small business computer.
Swiss Academic and Research Network CERT
Swiss Academic and Research Network CERT (SWITCH CERT) provides computer emergency response services for the SWITCH network and for the networks of member organizations.
Systems Security Engineering Capability Maturity Model (SSE-CMM)
The SSE-CMM addresses security engineering activities that span the entire trusted product or secure system life cycle, from concept definition, through development and operations, to decommissioning.
TechRepublic
TechRepublic provides information and tools for IT-decision support, including a research index, product and service vendor information, books, CDs, a discussion center, e-newsletters, and downloads.
The Information Warfare Site (IWS)
IWS aims to stimulate debate about subjects from information security to information operations and e-commerce, as well as develop a special emphasis on offensive and defensive information operations.
The ISO 17799 and ISO 27001 User Group
The ISO 17799 and ISO 27001 User Group is a free international online group of members in 40 countries dedicated to providing guidance on information security standards.
The Rule Set Based Access Control (RSBAC) for Linux
RSBAC is an open-source access control framework for Linux kernels that includes access control models such as MAC, RC, and ACL.
Trusted Computing Platform Alliance (TCPA)
TCPA was formed by Hewlett-Packard, IBM, Intel, and Microsoft to improve the trust available within the personal computer. The site offers specifications, news and events, and work groups.
U.S. Commerce Department Information Technology Security Handbook
The U.S. Commerce Department's Information Technology Security Handbook defines policies and responsibilities for the establishment, implementation, maintenance, and oversight of the department's IT security program.
U.S. Department of Homeland Security
The Department of Homeland Security works to ensure the adequacy of the national strategy for detecting, preparing for, preventing, protecting against, responding to, and recovering from terrorist threats or attacks.
U.S. FFIEC Information Security Booklet
This Federal Financial Institutions Examination Council (FFIEC) booklet provides information security guidance for auditors and financial institutions.
U.S. GAO Executive Guide Information Security Management
A U.S. Government Accountability Office (GAO) study of security management practices, endorsed by the CIO Council as best practices. [PDF]
U.S. GAO/NSAA Management Planning Guide for Information Systems Security Auditing
This document from the U.S. Government Accountability Office (GAO) and National State Auditors Association (NSAA) outlines procedures for information systems security audits in federal, state, and local government agencies. [PDF]
U.S. Information Assurance Technology Analysis Center (IATAC)
IATAC, a U.S. Department of Defense Information Analysis Center, is a central source for information and methodologies relating to the continuity of operation of information systems critical to the nation's defense.
U.S. National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) publishes guidelines in many areas of information technology security, control, management, and auditing.
U.S. National Strategy to Secure Cyberspace
The homeland security strategy provides a framework and guidance for national cyberspace security response, threat-reduction, and security awareness programs; government security initiatives; and international cooperation. [PDF]
U.S. NIST Computer Security Resource Center (CSRC)
The National Institute of Standards and Technology's (NIST's) CSRC collects and disseminates computer security information and resources to help users, systems administrators, managers, and security professionals better protect their data and systems.
U.S. Partnership for Critical Infrastructure Security (PCIS)
PCIS is a collaboration of companies, associations, and government agencies that promotes the protection and assurance of communications and information services, energy, financial services, transportation, and vital human services such as health, safety, and water.
This joint venture between the U.S. Department of Homeland Security and Carnegie Mellon University monitors and provides warnings about information security threats and coordinates responses to them.
UK National Infrastructure Security Co-ordination Centre (NISCC)
NISCC is an interdepartmental organization that coordinates and develops critical national infrastructure protection against electronic attacks among UK government agencies and departments and private sector organizations.
University of Cambridge, Dept. of Chemistry, Computer Security Advice
University of Cambridge offers security advice for specific operating system platforms, including configuration details for UNIX, Windows, Macintosh, and antivirus software.
University of Toronto's Computer Security Administration Web Page
This site provides security policies, procedures, and guidelines, as well as a sample disaster recovery plan, links, product reviews, conferences and training, a reference library, and security news.
VeriSign Security Guides
Free guides cover topics including Web site security, online payment processing, building e-commerce sites, server security, Apache servers, public key infrastructure, vulnerability assessment, and wireless communications.
Who Goes There?: Authentication Through the Lens of Privacy
This report from the U.S. National Research Council addresses the privacy impact of authentication technologies such as biometrics and passwords.
This site provides news and features about securing Microsoft Windows systems, including a directory of IT security Web sites, downloadable tools, white papers, and weekly e-mail newsletters.
World Wide Web Consortium (W3C)
W3C develops interoperable technologies to lead the Web to its full potential as a forum for information, commerce, communication, and collective understanding.
XML Web Services Security Forums
The XML Web Services Security Forums (XWSS) offers a way to exchange ideas and share information about XML Web Services and security issues, technologies, and protocols.