IT Security
Resources from other organizations can assist your internal audit efforts. The resources listed here come from outside The IIA and are not endorsed by The IIA; they are provided for you to assess their applicability within your organization.

Security Awareness

Security Management

  • Information Security Management References (PDF, 84KB)
  • Information Security Management - BS 7799-2:2002 - Audit Checklist
  • To help corporations protect their information systems and respond to Internet attacks, the Global Council of CSOs (Chief Security Officers) was formed to raise awareness of online security issues. The council, a group of 10 senior security executives, brings together expertise from academic, corporate, and government backgrounds to address the broader issues of national security, business continuity, and technology development, emphasizing the need for partnership in cyber security. Its charter members include top security executives from eBay, Bank of America, Citigroup, Oracle, MCI, Microsoft, Motorola, Sun Microsystems, and Washington Mutual, as well as the New York State Office of Cyber Security and Critical Infrastructure.
  • The Standard of Good Practice for Information Security (the Standard) is designed to help any organization, irrespective of market sector, size or structure, keep the risks associated with its information systems within acceptable limits. The Standard is produced by the Information Security Forum (ISF), an international association of over 250 of the world's leading organizations, which fund and cooperate in a practical research programme on information security, IT security best practices and information risk management. The ISF's body of work is among the most comprehensive and integrated sets of reports available on the process of managing information risk.
  • Security Benchmarks Resource List
  • The CISSP Open Study Guides (OSG) - Security professionals interested in helping those studying for the CISSP certification are welcome. If you need further information about the CISSP in your part of the world, e-mail cdupuis@cccure.org.
  • In 2001, the US General Accounting Office (GAO) and the National State Auditors Association (NSAA) released a blueprint on how to establish an information systems security auditing capability. Check out the GAO/NSAA management guideline.

Articles

Books

  • The Information Security Management and Assurance Series: practical guidance on information security issues for boards and internal auditors. Prepared by The IIA in cooperation with the U.S. Critical Infrastructure Assurance Office (CIAO), the National Association of Corporate Directors (NACD), the American Institute of Certified Public Accountants (AICPA), ISACA and a host of other supportive organizations, this series of three reports sets out the questions board members should ask about security management in their organizations and gives answers based on best practices. The three reports in the series are available in PDF format.
    Information Security Oversight: Essential Board Practices is available from the National Association of Corporate Directors (NACD). Learn four essential practices each board should adopt to avoid the hazards of leaving information inadequately protected from cyber criminals. Review the questions each board should ask to determine inherent risks. Discover the potential liabilities and other woes that might befall corporate boards and management who show too little involvement in safeguarding the security and privacy of corporate-held information. The publication is sponsored by KPMG's Audit Committee Institute and published in collaboration with The Institute of Internal Auditors and the Critical Infrastructure Assurance Office of the U.S. Department of Commerce.
  • Systems Assurance and Control (SAC). SAC reports are written for auditors at all levels to address IT issues in management and auditing. SAC, from The IIA Research Foundation, is an extension and enhancement of the landmark Systems Auditability and Control (SAC) reports. SAC is available on CD-ROM. The SAC reports are also an excellent complement to ISACA's CobiT (Control Objectives for Information and Related Technologies). Other books from The IIA and the IIA Research Foundation are available through the IIA Bookstore.
  • ISACA provides CobiT (Control Objectives for Information and Related Technologies) as well as reports from the IT Governance Institute
    • Board Briefing on IT Governance - This book describes IT governance, outlines why it is important, addresses the role of boards and executive management, and offers tool kits and maturity models for implementing and measuring IT governance enterprise-wide.
    • Information Security Governance: Guidance for Boards of Directors and Executive Management - This report discusses why information security governance is important and outlines questions to ask and steps to take to ensure an effective information security governance program within an enterprise.

Information Security Survey Resources

Information security survey resources are collected on a separate page.

IT Security Organizations

  • The ITAudit Forum and Reference Library
  • The Information Security Forum (ISF) publishes the ISF Standard of Good Practice for Information Security (described under Security Management above).
  • The mission of the Center for Internet Security (CIS) is to help organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, plus those of your business partners.
  • The CISSP Open Study Guides (OSG) in each domain provide online quizzes, security links, security headlines and news, documents, forums, OCSIG alerts and news, and other resources to help you obtain your CISSP certification. Any security professional interested in helping those studying for the CISSP is welcome. For further information about the CISSP in your part of the world, e-mail cdupuis@cccure.org.
  • With more than 86,000 constituents in more than 160 countries, ISACA®  is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations. 

    ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

  • The SANS Institute (SysAdmin, Audit, Network and Security) provides training, resources, and certification for professionals dealing with specific issues and environments in information security and management. SANS also supports other global security initiatives, such as the Center for Internet Security (see above) and the Internet Storm Center.

  • The Computer Security Resource Center (CSRC), part of the National Institute of Standards and Technology (NIST) Web site, collects and disseminates computer security information and resources to help users, systems administrators, managers, and security professionals better protect their data and systems; its publications section is the main entry point.
  • (ISC)2, the International Information Systems Security Certification Consortium
  • The CERT Coordination Center (CERT/CC) is a major reporting center for Internet security problems. Staff members provide technical advice and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses. The CERT/CC is located at the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University (CMU).

    The Carnegie Mellon Software Engineering Institute studies Internet vulnerabilities, follows security incidents, and publishes security alerts. It also develops information to help you improve network security and offers courses in managing security incidents.

    United States Computer Emergency Readiness Team (US-CERT)

    US-CERT is a partnership between the Department of Homeland Security and the public and private sectors. Established to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

  • Boran Consulting - This Swiss company, founded by Seán Boran, a computer security expert, developer, and systems administrator, has a page devoted to computer and network security. Most impressive is Boran's IT Security Cookbook, which Boran describes as a "self help guide to computer and network security, primarily for security managers, programmers, and system administrators."
  • The Terrorism Research Center - This Web page may interest researchers and analysts studying information warfare. The organization provides original research, Internet resources, and other documents and references from government, international, academic and industry sources. A discussion forum on information warfare is also available. Visitors can click on links to U.S. and Canadian government agencies such as the NIPC and the Royal Canadian Mounted Police Information Technology Security Branch and to publications such as the Journal of Infrastructural Warfare.
  • Institute for the Advanced Study of Information Warfare - Designed with the dedicated information surfer in mind, the goal of this Web page is to increase access to timely, accurate and comprehensive material about information warfare and related security issues. Constantly updated, the site is an extensive collection of links to a spectrum of groups, from reports, books, and White House papers to government agencies and fringe publications such as The Hacker Quarterly.
  • Strategis - This Canadian government Internet site offers a wealth of information about businesses north of the U.S. border. Created to provide Canadian companies and consumers with direct access to information resources and interactive tools, Strategis allows users to identify new markets, locate business partners, form alliances, find emerging technologies or processes, and assess various risk factors.
  • Federal Computer Incident Response Capability (FEDCIRC) - Although graphically unimpressive, this site is packed with security information and downloadable security tools: scanners that check hosts for vulnerabilities, software patches for operating systems, and guidance on detecting intrusions.
    • Security management can benefit from an understanding of the "art of war" and by taking a "total defense" approach to security. Many reports are available.
  • The COAST homepage is a treasure trove of security information. Included are an alphabetized list of projects and tools, information on the university's spring seminar, and the COAST archive, which bills itself as "the largest single archive on the Internet of papers, tools, standards, reports, mailing lists, and other information related to computer security, law, incident response, and information protection."
    • CERIAS (Purdue University)
    • Computer Operations, Audit and Security Technology (COAST)
    • Also impressive is the site's security hotlist.
  • McAfee Inc. produces computer security products intended to prevent network intrusions and protect computer systems from blended attacks and threats.
  • Detailed information on viruses is also available at IBM's Antivirus Online page and at Symantec's AntiVirus Research Center, www.sarc.com.
  • If you have problems with Windows NT or are worried about security holes, NTBugtraq.com may be the best place to find help. Be sure to check both the fixes and the downloads on the toolbar.
  • Fortify - This site, free for non-commercial users, offers information on cryptography products for Netscape. Fortify upgrades the export-restricted versions of Netscape Navigator and Netscape Communicator, which shipped with 40-bit ciphers, to 128-bit encryption.
  • Check out the Web site of SIGNAL (AFCEA's magazine) to read cutting-edge articles on information warfare and infrastructure protection.
  • SEC notice 79/2004 Advanced Information Assurance Handbook

Web Site Resources for IT Security

  • The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.
  • The Identity Theft Resource Center (ITRC) is a nonprofit, nationally respected program dedicated exclusively to identity theft. It provides consumer and victim support and advises government agencies, legislators and companies about this evolving and growing crime.
  • PCWorld - technology news and advice
  • The Dutch Data Protection Authority (Dutch DPA) supervises compliance with the laws that regulate the use of personal data.
  • EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 17 members from 11 European countries. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content or agenda-tips are most welcome.
  • Federal Association of Security Officers (FASO - Canada)
  • AuditNet - Kaplan's comprehensive KARL (audit resource list) and ASAP (auditors sharing audit programs) site.
  • Internal Auditing World Wide Web (IAWWW)
  • Security World Wide Web Sites
  • Information Systems Security Association (ISSA)
  • Computer Security Institute (CSI)
  • International Computer Security Association (ICSA), see Certification
  • National Institute of Standards and Technology (NIST)
  • Privacy Commissioner of Canada
  • Information and Privacy Commissioner of Ontario
  • The Terrorism Research Center
  • HP's Security Press Site
  • Chief Information Officers Council (CIO) of the U.S. Government
  • Software Engineering Institute
  • IT Policy On-ramp Portal
  • Improving IT Management Practices and Results
  • e.Gov Portal
  • Office of Critical Infrastructure Protection and Emergency Preparedness (Canadian Federal Government)
  • Security Professionals (Forum)
  • (ISC)2, the International Information Systems Security Certification Consortium
  • The National Security Institute's Security Resource Net. This site provides a large list of alerts and warnings, security programs, and potential threats to computer security. It also links to Information Security magazine.
  • Effective IM/IT Management Practices and Process at the Canadian Federal CIO Office
  • Other links from the CIO Council:
  • InfoSysSec Information warfare has been active for a long time. This site is a source of information on what the emerging threats and security risks are: protection against hackers, terrorism and espionage, Internet crime, viruses, denial of service attacks, etc. New issues emerge almost every day. Also check Infowar.
  • Corporate Governance at the World Bank - The World Bank's Global Corporate Governance Forum initiative provides best-practice documents and related links.
  • Security Portal - A "Top News" bulletin informs you of security risks, new security technology, and the latest news from vendors. The left-hand navigation bar includes sections on the top security news, access to Hushmail, and forums on security questions. The Security Search button pulls up a page with headings like Virus Research, Vulnerabilities and Cryptography. Be sure to check the White papers section, which includes information on security issues for Linux, UNIX and Windows NT.
  • The Wall Street Journal described Dave Dittrich, a teacher and software engineer at the University of Washington, as "the world's foremost expert on denial-of-service, or DoS, attacks." Besides the information he's compiled on DoS, Dittrich's site explains TCP/IP vulnerabilities, offers a UNIX security checklist, and explains DoS tools. The DoS information Dittrich compiled has received so much attention since the DoS attacks on Yahoo!, ZDNet, and other sites that he's had to create a Web page dedicated to DoS.

Reports

© 2010 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org