Recently someone forwarded me a comprehensive survey of Canadian IT professionals that indicated there was a lack of information security guidance available for IT and security professionals to follow. I strongly disagree with the point of view that more guidance is needed to operate a secure environment and implement secure systems and solutions, although certainly more papers on various challenging subjects would always be beneficial.
Each week over the coming months, I plan to highlight leading security resources and initiatives that will support your efforts to improve security practices within your organization. Each column, I will highlight a half dozen leading security focused resources covering various aspects of information security management.
Finally, people learn in different ways. Some like to read, some like to hear, some like to see, some like to discuss, etc. Whichever method works for you is fine. My approach is to highlight leading resources to people and let them determine the best way to digest the knowledge and, more importantly, apply it in their professional efforts. I have found that considering how to apply the general guidance to the specific organizational situation is one of the best ways to obtain a deep understanding of the key concepts, methods, and recommendations presented by the various resources. In other words -- implementing change is always the best teacher.
Share this posting with your colleagues. Good luck and have a great week.
1. The ISF Standard of Good Practice for Information Security
The ISF standard is designed to help any organization, irrespective of market sector, size or structure, keep the business risks associated with its information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organization.
2. CERT® Coordination Center (CERT/CC)
The CERT Coordination Center (CERT/CC), arguably the most widely known group within the CERT Program, addresses risks at the software and system level. Although it was established as an incident response team, the CERT/CC has evolved beyond that, focusing instead on identifying and addressing existing and potential threats, notifying system administrators and other technical personnel of these threats, and coordinating with vendors and incident response teams worldwide to address the threats.
3. Information Security Handbook: A Guide for Managers
NIST has published a new information security handbook which should be "required reading" for nearly everyone involved with IT and/or IT security, although some people can certainly skim many of the sections in this 176-page document.
4. Secure Coding: Principles & Practices
Welcome to the on-line home of Secure Coding: Principles and Practices (O'Reilly, 2003). The site provides information about the book and its authors; updated versions of links and tables that appear in the book; and original supplemental material such as op/ed pieces and vulnerability analyses. It is all offered in the spirit of helping us build strong and light "virtual bridges" in the years to come.
5. The Information Systems Security Association (ISSA)
ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals.
6. Process Agnostic Navigational View
The process agnostic approach incorporates security into each basic phase of software development. The best practices and methods described are applicable to any and all development approaches as long as they result in the creation of software artifacts.
https://buildsecurityin.us-cert.gov/daisy/bsi/438.html