There are several ongoing, long-term security efforts worth examining. The National Institute of Standards and Technology (NIST) has published hundreds of guidance documents relating to all aspects of information security over the years. Just as importantly, they consistently maintain the currency of their guidance. The Center for Internet Security (CIS) has developed dozens of consensus-based security benchmark checklists that can be used for securing various technologies commonly in place in most organizations. CIS tools have been a worldwide standard for “hardening” various technologies. And the U.S. Department of Homeland Security Build-Security-In (BSI) initiative is truly amazing; it's an endless source of advice and guidance and needs to be visited frequently, as new items are added regularly.
As always, I have also included a few topic-specific resources.
Good luck and have another great week.
1. Build Security In (BSI)
As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems.
2. The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library.
The mission of NIST’s Computer Security Division is to improve information systems security by:
• Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
• Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
• Developing standards, metrics, tests and validation programs:
o to promote, measure, and validate security in systems and services
o to educate consumers and
o to establish minimum security requirements for Federal systems
• Developing guidance to increase secure IT planning, implementation, management and operation.
3. The SANS (SysAdmin, Audit, Network, Security) Institute
SANS is one of the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system, the Internet Storm Center.
4. CERT’s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT