Network Security CISSP-Discussion

[CISSP-D] Auditing Information Security (The Resource Summary)

Subject: [CISSP-D] Auditing Information Security (The Resource Summary)
Date: Sun, 19 Mar 2006 10:22:35 -0800 (PST)
fyi and files.

THE resource summary for Auditing Information Security.

I welcome any and all of your favorite resources.

Enjoy,

Dan
www.securitybenchmark.com
http://finance.groups.yahoo.com/group/Dans_SECemails/
http://finance.groups.yahoo.com/group/Dans_CCCemails/

"The most important contribution management needs to make in the 21st
century is to increase the productivity of knowledge work & the knowledge
worker." - Peter F. Drucker

The 2006 Mid Canada Information Technology Conference
www.midcanitc.com

   
  =======================================================
To: Dans_SECemails@yahoogroups.com
From: "Dan Swanson" <dswanson_2005@yahoo.com>
Date: Tue, 27 Dec 2005 13:24:52 -0000
Subject: Auditing Information Security (The Resource Summary)

Do it now - Tomorrow never comes.

Your time is the greatest gift you can give someone.

True wisdom is to live in the present, plan for the future, and profit from the 
past.
___________________________________________________________

1. Some excellent resources to assist your efforts in auditing security are
available at Gideon's web site.

http://ussecurityawareness.org/highres/infosec-auditing.html

2. Do you ever use a "virtual" CSO or CISO? - Check this one out.

www.bsag-cso.com

3. Planning your Security Audit program? - Some GAO guidance.

Management Guide for IS Security Auditing

http://www.gao.gov/special.pubs/mgmtpln.pdf

4. Don't forget to also evaluate your physical security efforts.

http://www.tbs-sct.gc.ca/ia-vi/policies-politiques/gas-gvs/gas-gvs_e.asp

5. The CISWG list of notable references to support security and audit efforts 
is available at The United States Cyber Security Reference List.

reform.house.gov/UploadedFiles/Best%20Practices%20Bibliography.pdf
  
6. Below is a copy of my recent auditing information security resource email,
i.e. the above items are additions to my resource summary (below).

7. Finally, I always welcome resource recommendations - please email them to
"dswanson_2005@yahoo.com" - thanks.

Enjoy,

Dan
____________________________________________________________________

Adversity introduces a man to himself. - Seneca, Roman Statesman and
Philosopher (5 BC - 65 AD)

Life's challenges are not supposed to paralyze you, they're supposed to help
you discover who you are. - Bernice Johnson Reagon, African American Composer,
Singer and Cultural Historian (1942- )

Each choice we make causes a ripple effect in our lives. When things happen to
us, it is the reaction we choose that can create the difference between the
sorrows of our past and the joy in our future. - Chelle Thompson, Editor of
Inspiration Line

Nothing in this world can take the place of persistence. Talent will not;
nothing is more common than unsuccessful people with talent. Genius will not;
unrewarded genius is almost a proverb. Education will not; the world is full of
educated derelicts. Persistence and determination alone are omnipotent. The
slogan "press on" has solved and always will solve the problems of the human
race. - Calvin Coolidge

==========================================================
Auditing security is complex, challenging, and not for the uninformed - 
"Avoiding IS Icebergs".
infosecuritymag.techtarget.com/articles/october00/features3.shtml
==========================================================

fyi and files - (& I think this resource email is a real keeper).

A) A lot of queries have been circulating lately (on the various listservs)
regarding how to audit security.

In my view:

1) We need to have a plan,

2) We need to have an understanding of our technical environment,

3) We need to know what to ask for, and, perhaps most importantly,

4) We need to know what we are doing!!!

B) I am not a technical IT Auditor so leave those responses to people who live
this stuff everyday (thanks to Mike Hines and numerous others). I do however
believe that security auditing needs to be planned (& for the long term), take
into consideration the never ending changing technical environment, and
"complement" but not replace management's responsibility to ensure their
controls are operating properly.

C) While now getting somewhat dated I still point out the October 2000 Iceberg
article - (i.e. to the new people who are just starting out - in tackling
security audits).

D) Finally, I've also provided below a variety of leading edge resources
regarding security and its control and auditing of (same) which I've
accumulated over time.

hope you enjoy.

Sincerely,

Dan

==============================================================
Auditing information security can provide additional assurance and 
recommendations for improvement - check out:

Avoiding IS Icebergs

infosecuritymag.techtarget.com/articles/october00/features3.shtml

==============================================================

"Beware of thinkers whose minds function only when they are fueled by a
quotation" - (E. M. Cioran).

How to Become an Information Security Professional

A great article

http://www.itmanagersjournal.com/article.pl?sid=05/11/15/2027247

===================================================
(finally) - provided below is a summary of leading
security resources to also consider.
===================================================

SEC 008/2005 - Disaster awaits the security complacent board - (Thomas R. Horton)

fyi and consideration,

When people are highly motivated, it's easy to accomplish the impossible. And
when they're not, it's impossible to accomplish the easy. - Bob Collings

If you tell people where to go, but not how to get there, you'll be amazed at
the results. - Gen. George Patton

Praise does wonders for the sense of hearing. - Unknown

In everyone's life, at some time, our inner fire goes out. It is then burst
into flame by an encounter with another human being. We should all be thankful
for those people who rekindle the inner spirit. - Albert Schweitzer

Information security is a Board issue.

Has it been discussed with your Board lately?

1. Information Security Oversight: Essential Board Practices

http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=D0888270C5AF46508BEC8472906F87C3
  
This publication is a captivating mix of relevant survey data,
interviews and essential practices. Learn four steps each board should adopt to 
avoid the hazards of leaving information
inadequately protected from cyber criminals. Review the questions each board 
should ask to determine inherent risks. Discover the potential liabilities and 
other woes that might befall corporate boards and management who show too 
little involvement in safeguarding the security and privacy of corporate-held 
information. Lessons include identifying vulnerabilities, mitigating damages,
establishing controls, educating officers and employees, and resolving issues.

The guidance was sponsored by KPMG's Audit Committee Institute and published in 
collaboration with the Institute of Internal Auditors and the Critical 
Infrastructure Assurance Office of the U.S. Department of Commerce.

2. Numerous excellent resources to assist your information security efforts are 
available at:

a. http://www.theiia.org/index.cfm?doc_id=3061

b. http://www.theiia.org/index.cfm?doc_id=131

c. http://www.theiia.org/index.cfm?doc_id=2458

d. http://www.theiia.org/itaudit/

e. http://www.theiia.org/itaudit/?fuseaction=reflibhome

3. A series of three CIAO reports produced by The IIA provide further board
level guidance.

- Information Security Management and Assurance: A Call to Action for
Corporate Governance

http://www.theiia.org/download.cfm?file=22398

- Information Security Governance: What Directors Need to Know

http://www.theiia.org/download.cfm?file=7382

- Building, Managing, and Auditing Information Security

http://www.theiia.org/download.cfm?file=33288

4. Finally, SEI continues to produce excellent guidance regarding information 
security - check that out at:

http://www.cert.org/nav/index_green.html
http://www.cert.org/csirts/
http://www.cert.org/archive/pdf/05tn023.pdf
http://www.cert.org/governance/ges.html

Enjoy,

Sincerely,

Dan

========================================================
Finally, the Information Security Benchmark web site has it all. Check it out at:

http://www.securitybenchmark.com/
========================================================
