Every organization faces a daunting task in establishing and strengthening its security function. With the increasing movement to e-commerce and 7/24 operation, the many global challenges and op-portunities facing every industry, and the increasing need for secure information and information systems, an organization's security function will need to be world-class to survive. For many the task will be all the more difficult because of past under-funding of the security area.
Plan to spend some time surfing the following web sites; they provide common sense guidelines, leading reports, links to other web-site information and numerous other documents that will assist all security functions. Given the criticality of the issue, perhaps a few of your staff should also be investigating emerging security practices and establishing outreach programs with key business managers in your organization in order to ensure that security is effective on the front lines.
www.infowar.com/
Informational warfare has been active for a long time. This site is an enlightening, if disturbing, source of information on emerging threats and security risks. Protection against hackers, terrorism and espionage, Internet crime, viruses, denial of service attacks, etc., will be improved after exploring this site. Plan on visiting this location often - new issues emerge almost every week.
csrc.nist.gov/
The Computer Security Resource Clearinghouse (CSRC) is designed to collect and disseminate computer security information and resources to help managers, systems administrators, users, and security professionals better protect their data and systems. This site achieves all of the above and more. While it would take a lifetime to read everything, I suggest that when investigating any security issues that you are facing, plan to visit this site first. It's a key site to bookmark.
www.cse-cst.gc.ca/cse/english/home_1.html
The Communications Security Establishment (CSE) is a federal government-led agency that delivers Information Technology Security (ITS) solutions to the Government of Canada. Its web site includes a repository of best practice information that will assist all organizations.
www.isaca.org/
The Information Systems Audit and Control Association (ISACA) is well on its way to achieving its vision of being a recognized global leader in IT governance, control and assurance. This site continues to add new guidelines, management studies, and research papers. ISACA has also recently added an online service called the Global Information Repository (GIR) to assist visitors in exploring various Business and IT control issues.
Recent Reports Supporting Security Management
This month I have identified several papers to assist management in their efforts to strengthen their organization's security function.
1. GASSP - Generally Accepted System Security Principles (Version 2.0) (International Information Security Foundation)
web.mit.edu/security/www/gassp1.html
2. Guide for Developing Security Plans for Information Technology Systems (NIST Computer Security Online Special Publications)
csrc.nist.gov/nistpubs/Planguide.PDF
3. Managing the Security of Information (An Executive Guide)
(International Federation of Accountants - IFAC)
www.ifac.org/StandardsAndGuidance/InformationTechnology/ManagingSecurityOfInfo.html
4. Information Security Management - Practices of Leading Organizations (US General Accounting Office - Executive Guide)
www.gao.gov/special.pubs/pdf_sing.pdf
5. Information Security Risk Assessment Guide - Practices of Leading Organizations (US General Accounting Office - Exposure Draft)
www.gao.gov/special.pubs/ai99139.pdf
6. A Guide to Security Risk Management for Information Technology Systems (MG-2) (Communications Security Establishment - CSE)
www.cse-cst.gc.ca/cse/english/Manuals/mg2int-e.htm
Dan Swanson is a management consultant with LGS Group in Winnipeg. He specializes in audit and management consulting and can be reached at dswanson@lgs.ca