
Grand slams go to the teams producing harmonization and synergy across standards and regulatory requirements.

CobiT® components include:

Other works based on the CobiT® framework include:

The most substantial contributions and writings on IT enterprise management, each with links and a summary of the concept:

Aligning COBIT, ITIL and ISO 17799 for Business Benefit: A Management Briefing from the IT Governance Institute and the Office of Government Commerce
ISACA and IT Governance Institute in conjunction with the Office of Government Commerce, 2005

From the Executive Summary, the document states: "To achieve alignment of best practice to business requirements, formal processes in support of good IT governance should be used. The OGC provides management guidance in its Successful Delivery Toolkit (www.ogc.gov.uk/sdtoolkit/) and ITGI provides the IT Governance Implementation Guide."

As summarized by ISACA on 11/7/2005: "This management briefing is the result of a joint study, initiated by the IT Governance Institute (ITGI) and the UK government’s Office of Government Commerce (OGC), in response to the growing significance of best practices to the IT industry and the need for senior business and IT managers to better understand the value of IT best practices and how to implement them. Specific practices, such as COBIT, ITIL and ISO 17799, are addressed in this report. This document shows how they all interrelate.

The briefing suggests how implementation should be tailored, prioritized and planned to achieve effective use. To achieve alignment of best practice to business requirements it is recommended that COBIT be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organization. Specific practices and standards such as ITIL and ISO 17799 cover discrete areas and can be mapped up to the COBIT Framework, thus providing a hierarchy of guidance materials.

The ITGI and OGC plan, as part of future updates to their best practices, to further align terminology and content of their respective works."

Office of Government Commerce
As explained by the OGC: a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk

COBIT Mapping: Mapping ISO/IEC 17799: 2000 With COBIT
AKA: CobiT® Mapping. Author/publisher: Information Systems Audit and Control Association (ISACA®), copyright © 2005; dated 2004
Summary of standard [copyright ISACA]: "ISO/IEC 17799:2000, the Code of Practice for Information Security Management, is an international standard based on BS 7799-1. It is presented as best practice for implementing information security management. As COBIT is an internationally recognized standard for the control and governance of IT, and ISO 17799 is equally recognized and established in the field of information security management, these two standards do not compete with each other; in fact they are mutually complementary. COBIT by its nature is broader, and ISO/IEC 17799 tends to be deeper in the area of security."

A high-level mapping, COBIT Mapping: Overview of International IT Guidance, was published by ITGI in 2003. In this first publication, a broad overview was presented of several standards for IT governance, including ISO/IEC 17799:2000, in relation to COBIT. Objectives of ISO/IEC 17799 were mapped at a high level to the control objectives of COBIT. For the detailed mapping, ISO/IEC 17799 was split into small pieces of information (information requirements). These information requirements of ISO/IEC 17799 were then mapped in detail to the COBIT control objectives: almost 1,000 information requirements were mapped to 316 COBIT control objectives. The detailed mapping document describes how the two standards are interrelated and how all detailed requirements of ISO/IEC 17799:2000 can be integrated with COBIT. The mapping document provides a very good overview of both standards, COBIT as well as ISO/IEC 17799:2000. The paper is a profound source of information for all stakeholders responsible for, and interested in, IT governance, information security management and their respective controls. It provides clear insights as to how COBIT and ISO/IEC 17799 interrelate and fit together.

It is especially useful for IT and information security managers with the responsibility to address these issues when implementing COBIT, ISO/IEC 17799 or both. This paper is a valuable source and useful guideline for implementation of these standards in organizations, independent of their size, geography or industry. It will help to improve completeness and quality and reduce cost of such implementations.  The high-level overview mapping paper, which was a precursor to this research, is posted for complimentary download at http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/AligningCOBIT,ITIL.pdf

Applicable To:
[ISACA] CIOs, CFOs, information security managers, auditors, and those involved in corporate and IT governance need a framework to compare international standards and guidance for managing the IT function. This document offers a global overview of the following important international standards and guidance for IT control and IT security in relationship to COBIT: COSO, ITIL, ISO/IEC 17799:2000, ISO/IEC 13335, ISO/IEC 15408, TickIT and NIST 800-14. It can serve as a road map to implementing guidance supporting IT governance. For each of the international standards/guidance examined, the document provides a classification, a short overview of the contents and the business driver for implementing the guidance, and the risks of noncompliance.

In 1998, the IT Governance Institute was established and began its in-depth study of IT governance, focusing its work on the COBIT framework, its processes, control objectives and maturity models. COBIT's components combine to ensure that an organization's information assets remain consistent, reliable and secure, while fully supporting the enterprise's business processes, bridging the gaps among business risks, control needs and technical issues. COBIT is therefore a breakthrough IT governance tool that helps enterprises meet their objectives by facilitating the understanding and management of information

IT Control Objectives for Sarbanes-Oxley
Laws enforced by or aligned to this source: P.L. 107-204 (the Sarbanes-Oxley Act of 2002) and P.L. 107-347 (the E-Government Act of 2002, whose Title III is FISMA). Publisher: ITGI
Summary: This information is under ISACA and ITGI Copyright: "Recent events have ushered in a new era in the history of business, characterized by a firm resolve to increase corporate responsibility. The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in US public markets, which were devastated by business scandals and lapses in corporate governance.
Despite all the publicity surrounding the Sarbanes-Oxley Act of 2002, relatively little attention has focused specifically on the role of information technology (IT) in the financial reporting process. This is unfortunate, given that the accuracy and timeliness of financial reporting is, at most companies, heavily dependent on a well-controlled IT environment.

Many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control, which is critical when dealing with the requirements of Sarbanes-Oxley. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization’s management or its auditors.

The IT Governance Institute, Information Systems Audit and Control Association and the contributors of IT Control Objectives for Sarbanes-Oxley have designed this publication primarily as a reference for executive management and IT control professionals, including IT management and assurance professionals, when evaluating an organization's IT controls required by the US Sarbanes-Oxley Act of 2002."

Also significant are the list of contributors and the range of resources used to create this report:

References
COBIT 3rd Edition, IT Governance Institute, Rolling Meadows, Illinois, USA, July 2000
Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org
Common Criteria and Methodology for Information Technology Security Evaluation, CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (United Kingdom), NIST (USA) and NSA (USA), 1999
Exposure Draft Enterprise Risk Management Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA, July 2003
“Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” Release Nos. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03, US Securities and Exchange Commission, USA, June 2003, <http://www.sec.gov/rules/final/33-8238.htm>
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), AICPA, New York, USA, 1992
ISO/IEC 17799, Code of Practice for Information Security Management, International Organization for Standardization (ISO), Switzerland, 2000
IT Infrastructure Library (ITIL), British Office of Government Commerce (OGC), Central Computer and Telecommunications Agency (CCTA), London, UK, 1989
Moving Forward—A Guide to Improving Corporate Governance Through Effective Internal Control, Deloitte & Touche LLP, 2003
Public Company Accounting Oversight Board, Proposed Auditing Standard: “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” Release No. 2003-17, Rulemaking Docket Matter No. 008, USA, 7 October 2003
“Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002,” Deloitte & Touche LLP, 2003
“The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges,” PricewaterhouseCoopers LLP, 2003
“The Standard of Good Practice for Information Security,” Information Security Forum, 2003
“Understanding the Independent Auditor’s Role in Building Trust,” PricewaterhouseCoopers LLP, 2003

Also significant is the range of contribution and review recognized by ITGI on this product:

Note the contributions of PwC, Crowe Chizek, RBC Financial Group, Deloitte & Touche, the Financial Executives Institute Research Foundation (FERF), Ernst & Young, Protiviti, META Group and Q Alliance, demonstrating the highest levels of rank and talent in banking, audit and enterprise IT consulting, and from industries ranging across manufacturing, insurance and air travel (Electrolux, Great-West Life Assurance Company, Waveset Technologies, New Zealand Air). Contributors include individuals who experience regulatory mandates in the USA, Canada, Singapore, Tokyo, Argentina, Australia, the United Kingdom, Luxembourg and Belgium.

Christopher Fox, CA, PricewaterhouseCoopers LLP, USA
Paul A. Zonneveld, CISA, CISSP, CA, Deloitte & Touche LLP, Canada
The expert reviewers, whose comments helped shape the final document:
Neil Anderson, CISA, CA, MBA, Electrolux AB, USA
Sean Ballington, CISA, CA, PricewaterhouseCoopers LLP, USA
Don Caniglia, CISA, Crowe Chizek LLP, USA
Sally Chan, CMA, PAdm, ACIS, RBC Financial Group, Canada
Tom Church, Deloitte & Touche LLP, USA
Pamela A. Fredericks, CISM, CISSP, Forsythe Solutions, USA
John Gimpert, CPA, Deloitte & Touche LLP, USA
Gary Hardy, CISA, IT Winners Ltd., UK
Edward L. Hill, Protiviti Inc, USA
Audrey Katcher, CISA, CPA, PricewaterhouseCoopers LLP, USA
Pierre Lapointe, CA, Deloitte & Touche LLP, Canada
Jennifer Laudermilch, CISA, CPA, PricewaterhouseCoopers LLP, USA
Elsa Lee, CISA, MA, CSQA, Crowe Chizek LLP, USA
William Levant, Deloitte & Touche LLP, USA
William Malik, CISA, Waveset Technologies, USA
Tiffany McCann, Financial Executives Institute-Research Foundation (FERF), USA
Todd McGowan, CISA, CPA, Deloitte & Touche LLP, USA
Therese E. Michael, PricewaterhouseCoopers LLP, USA
Robert G. Parker, CISA, FCA, CMC, Deloitte & Touche LLP, Canada

Application Management
AKA: ITIL, Best Practice for Application Management
Laws enforced by or standards aligned to this source: BS15000 Code of Practice (PD0005)
Author(s): Office of Government Commerce (OGC), with primary contributions from the United Kingdom, the United States and the Netherlands. Publisher: The Stationery Office (TSO); the ITIL label is owned by the Office of Government Commerce (OGC) of the UK
Edition: Second Impression 2003; Crown Copyright 2002
TSO Online Bookshop - Application Management Manual
The Business Process (Quiet) Revolution;
TSO Publishing Services & Document Services
OGC - Home
OGC - IT Infrastructure Library (ITIL)
Summary quoted from <http://www.tsoshop.co.uk/bookstore.asp?FO=1159966&Action=Book&From=SearchResults&ProductID=0113308663>, published by TSO and the property of OGC:

"Application Management is part of the seven book ITIL series from OGC that guides business users through the planning, delivery and management of quality IT services. This publication covers the software development life cycle and provides details on business change with the emphasis on clear requirement definitions and implementation to meet business users' needs.

Key features:

ITIL is closely aligned with the BSI standard BS 15000 and Code of Practice (PD0005)
An approach adopted by organizations such as Microsoft, IBM, Barclays, HSBC, Procter & Gamble, British Airways and Guinness"

Summary quoted from 'Best Practice for Application Management,' published by TSO and the property of OGC:

"'Application Management' addresses the complex subject of managing applications from the initial business need, through the Application Management lifecycle, up to and including retirement. In addition, 'Application Management' includes the interaction with the IT Service Management disciplines contained in 'Service Delivery', 'Service Support' and 'ICT Infrastructure Management'. This book places a strong emphasis on ensuring that IT projects and strategies are tightly aligned with those of the business throughout the application lifecycle."

Applicable To:
Quoted from 'Best Practice for Application Management,' published by TSO and the property of OGC:
"The target audience for this book is broad and encompasses a wide range of IT professions including:

How Used:
Organizations and departments involved with application design, development, maintenance, support and/or management could use this framework to maximize service quality by managing the application lifecycle to align with business objectives.


Business Perspective
AKA: ITIL, Best Practice for the Business Perspective
Laws enforced by or standards aligned to this source: BS15000
Author(s): Office of Government Commerce (OGC). Publisher: the ITIL label is owned by the Office of Government Commerce (OGC) of the UK Government. Edition: Nov 2004; date of copyright 2005
TSO Online Bookshop - Business Perspective Volume 1
TSO Online Bookshop - ITIL
Summary of standard, Business Perspective Volume 1:
"For IT to bring the greatest possible benefits to a business, IT practitioners must develop a deep understanding of their organization’s key principles and requirements. Business Perspective Volume 1 performs a vital task. Given that there is absolute dependence of business on IT, it ensures that Best Practice flows from Information Services provision into the organization as a whole. It will help IS personnel align their activities with the needs of the business in order to deliver the greatest benefits, such as:

Contribution to business objectives
Developing IT services in line with those objectives
Assisting the business exploit their IT resource to the maximum
Helping to build an integrated culture within the business
Enabling change and innovation for business advantage

Building on the foundations already laid down in ITIL, this book will be of enormous interest to all IS managers and anyone interested in fully exploiting their IT resource to deliver business benefits.

Key Features:

Builds on foundations already laid by ITIL
Designed to complement Volume 2, which focuses on delivering results against a background of change."

Applicable to anyone who leads, or wishes to lead, in technology or business using the ITIL framework and achieving excellence in information technology.

ICT Infrastructure Management
AKA: ITIL, Best Practice for ICT Infrastructure Management
Laws enforced by or standards aligned to this source: BS15000 and ISO9000
Author(s): Office of Government Commerce (OGC). Publisher: The Stationery Office (TSO); the ITIL label is owned by the Office of Government Commerce (OGC) of the UK. Crown Copyright 2003
TSO Online Bookshop - ICT Infrastructure Management Manual
The Business Process (Quiet) Revolution;
TSO Publishing Services & Document Services
OGC - Home
OGC - IT Infrastructure Library (ITIL)
Summary quoted from <http://www.tsoshop.co.uk/bookstore.asp?FO=1159966&Action=Book&From=SearchResults&ProductID=0113308655>, published by TSO and the property of OGC: "'ICT Infrastructure Management' is part of the seven book ITIL series from OGC that guides business users through the planning, delivery and management of quality IT services. This publication covers network service management, operations management, management of local processors, computer installation and acceptance, and systems management."

Key features:

 

"The purpose of this book is to give best practice guidance on the planning, design, deployment and ongoing technical support and management of ICT components and services. Good planning, administration and control are key to ensuring that ICT services provide the information flows necessary to implement the effective Information Systems upon which organizations depend to meet business needs cost-effectively. This book arranges ICTIM in a practical and structured manner. It presents a framework and the processes surrounding that framework, which can be used to develop appropriate, efficient and effective ICTIM for each specific organization"

The ICT Infrastructure Management book includes:

Quoted from 'Best Practice for ICT Infrastructure Management,' published by TSO and the property of OGC:

"Readers should be aiming to ‘adopt and adapt’ the practices described in the book, on a scale appropriate to the size and complexity of their organization, and the services and infrastructure to be managed. It is not essential that all aspects of this book be implemented. It is essential that all aspects are considered and evaluated with reference to the organization and its requirements. Different elements of the book may be used and adapted in different ways to suit the requirements of specific organizations."
How Used: Organizations and departments involved with application design, engineering, deployment, support and/or operations could use this framework to optimize the information and technology infrastructure by focusing on the management tools essential for developing processes.

Information Technology Infrastructure Library
Type: best-practice framework for IT service management (ITIL itself is not a British Standard; the related standard is BS15000). AKA: IT Infrastructure Library
Standard common reference: BS15000, being superseded by the international standard ISO/IEC 20000 (not BS27000; the 27000 series is the information security management family descended from BS 7799)
Author(s): Office of Government Commerce (OGC). Publisher: the ITIL label is owned by the Office of Government Commerce (OGC) of the UK Government. Copyright 2005
OGC - IT Infrastructure Library (ITIL)
itSMF Global Homepage
OGC - Home
Summary of standard:
The OGC Web site states: "the key to managing IT services". ITIL (the IT Infrastructure Library) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It is supported by a comprehensive qualifications scheme, accredited training organizations, and implementation and assessment tools. The best practice processes promoted in ITIL support, and are supported by, the British Standards Institution's standard for IT service management (BS15000). OGC and itSMF are working together to scope the content of an update to the ITIL publications, scheduled for 2006.

The ITIL self assessments are now hosted by itSMF
OGC Answers: http://www.ogc.gov.uk/index.asp?id=1000368&syncNav=1#11

1.1 What is ITIL? ITIL is best practice in IT Service Management, developed by OGC and supported by publications, qualifications and an international user group.

ITIL is intended to assist organizations to develop a framework for IT Service Management. Worldwide, ITIL is the most widely used best practice for IT Service Management.

Current editions of the ITIL library can be purchased in print or CD format or as an intranet license.

1.2 What is meant by ‘IT Service Management’? IT Service Management is a top-down, business driven approach to the management of IT that specifically addresses the strategic business value generated by the IT organization and the need to deliver a high quality IT service. IT Service Management is designed to focus on the people, processes and technology issues that IT organizations face. (This text is from the official OGC web site and was not produced by PB&SP.)

1.3 Who is ITIL for? ITIL is aimed at:

It will also educate business managers, customers & end-users involved in building good relationships with their IT service providers and any organization that depends on IT Services.
How Used:

Planning to Implement Service Management
AKA: ITIL, Best Practice for Planning to Implement Service Management
Laws enforced by or standards aligned to this source: BS15000 Code of Practice (PD0005)
Author(s): Office of Government Commerce (OGC). Publisher: the ITIL label is owned by the Office of Government Commerce (OGC) of the UK Government. Crown Copyright 2002
TSO Online Bookshop - Planning to Implement Service Management
OGC - Home
Summary: "The aim of this book is to give the reader key issues to be considered when planning for the implementation of IT Service Management. The book explains the steps required to implement or improve IT service provision.

Key features:

ITIL is closely aligned with the BSI standard BS 15000 and Code of Practice (PD0005)

An approach adopted by organizations such as Microsoft, IBM, Barclays, HSBC, Procter & Gamble, British Airways and Guinness

CD-ROM version with added functionality available

The book provides guidance on alignment of the business needs to IT. It enables the reader to assess if IT service provision is meeting the requirements of the business. Where the business requirements are not being met it details the steps necessary to ensure the IT service provision does meet the current and future needs of the business.

The aim therefore is to give practical guidance in evaluating the current maturity levels of Service Management and on implementing improvement to the processes."

Applicable To:
"Service Management is a generic concept and the guidance in the ITIL books is applicable generically. The guidance is also scaleable - applicable to both small and large organizations. It applies to distributed and centralized systems, whether in-house or supplied by third parties. It is neither bureaucratic nor unwieldy if implemented sensibly and in full recognition of the business needs of the organization."

Security Management
AKA: ITIL, Best Practice for Security Management
Standards met or supported by aligning to this source: BS15000 (the IT service management counterpart of ISO9001) and ISO/IEC 17799:2005 (derived from BS 7799, whose successors now form the ISO/IEC 27000 series)
Author(s): Office of Government Commerce (OGC). Publisher: The Stationery Office (TSO); the ITIL label is owned by the Office of Government Commerce (OGC) of the UK. Edition: Eighth Impression 2004; date of Crown Copyright 1999
TSO Online Bookshop - ITIL Security Management Manual
The Business Process (Quiet) Revolution;
TSO Publishing Services & Document Services
OGC - Home
The National Strategy to Secure Cyberspace
Summary quoted from <http://www.tsoshop.co.uk/bookstore.asp?FO=1159966&Action=Book&From=SearchResults&ProductID=011330014X>, published by TSO and the property of OGC:

"Information is one of the most important assets for business. Without it only a few processes are able to perform as intended. The sharing of information with other organizations, which enables quick and automated processing, increases that importance.

For Information Technology (IT), information is the core of its existence. Anything that threatens information or the processing thereof, will directly endanger the results of the organization. Whether it concerns the accuracy or timeliness of the information, the availability of processing functions or confidentiality, threats that form risks have to be encountered by security. The aspects mentioned are structural for IT. That means that there are structural risks. Structural risks require structural security.

ITIL provides a foundation for the management of the IT Infrastructure. This book builds on that basis and explains how to organize and maintain the management of security of the IT Infrastructure, from the IT manager's point of view." "This book helps organizations in Security Management in a practical, structured manner. It has elements of a workbook and is meant to be of practical assistance to the reader. This document is intended to support IT management. Like quality, information security is a management responsibility. Confidentiality, integrity and availability of services and information have to be assured. The required effort depends on the demands of the IT users. For example, in defense environments more emphasis is placed on confidentiality, while in finance the focus will be on integrity and in health care it could be on availability. This book describes the best practices in Security Management. It is not essential to implement all of the guidance in this
Applicable To: Quoted from 'Best Practice for Security Management,' published by TSO and the property of OGC: "This book is intended for all managers responsible for critical IT processes. This book is also relevant to business managers, to help them define the required security. It provides assistance in determining what aspects of security need to be included in the SLA. Different elements of the ITIL Security Management process may be used and adapted in different ways to meet the reader's specific situation. Common sense is essential when implementing Security Management."

How Used:
Organizations and departments involved with providing information security could use this framework to bring value to the services delivered by aligning the security processes to the requirements specified in the SLA.

Service Delivery
AKA: ITIL, Best Practices for Service Delivery
Author(s): Office of Government Commerce (OGC). Publisher: The Stationery Office (TSO); the ITIL label is owned by the Office of Government Commerce (OGC) of the UK. Edition: Seventh Impression 2004; date of Crown Copyright:
TSO Online Bookshop - IT Service Management
The Business Process (Quiet) Revolution; Transformation to Process Organization
TSO Publishing Services & Document Services
OGC - Home
OGC - IT Infrastructure Library (ITIL)

Summary quoted from <http://www.tsoshop.co.uk/bookstore.asp?FO=1159966&Action=Book&From=SearchResults&ProductID=0113300174>, published by TSO and the property of OGC:

"Service Delivery is the second element in the new ITIL Infrastructure Library to be published. Service providers need to offer business users adequate support, and Service Delivery covers all aspects that must be taken into consideration. Issues covered include Service Level Management, Financial Management for IT Services, IT Service Continuity Management, Availability Management, Contingency Planning and Capacity Management. Each component of service delivery is discussed separately in the book. The purpose of Service Delivery is to show the links and the principal relationships between all the Service Management and other Infrastructure Management processes.

Key features:

- Relevant no matter what type or size of organization, be it national government, a multi-national conglomerate or a single office environment with one person providing service support
- It is the most widely accepted approach to IT service management in the world"
Applicable To:
Quoted from 'Best Practice for Service Delivery,' published by TSO and the property of OGC:

"This book is relevant to anyone involved in the delivery or support of IT services. It is applicable to anyone involved in the management or day-to-day practice of Service Management. It is recognized that there are several ways of delivering an IT service, such as in-house, out-sourced and partnership. Even though this book is written mainly from an in-house service provider's perspective it is generally relevant to all other methods of service provision. So most of this book is applicable to those involved in out-sourced service provision or working in partnerships. Business managers should find the book helpful in understanding and establishing best practice IT services and support. Managers from supplier organizations should also find this book relevant when setting up agreements for the delivery and support of services."
How Used:
Organizations and departments involved with delivering information services could use this framework to optimize user support by focusing on the management of availability, capacity, continuity, finance, and service level. As explained by the OGC, it is a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk

Service Support
Author(s): Office of Government Commerce (OGC). Publisher: The Stationery Office (TSO); the ITIL label is owned by the Office of Government Commerce (OGC) of the UK.
OGC - Home
Summary: "The Service Support book is concerned with ensuring that the Customer has access to the appropriate services to support the business functions. Issues discussed in this book are:
- Service Desk
- Incident Management
- Problem Management
- Configuration Management
- Change Management
- Release Management"

Software Asset Management
Author(s): Office of Government Commerce (OGC). Publisher: The Stationery Office (TSO); the ITIL label is owned by the Office of Government Commerce (OGC) of the UK. Date of Crown Copyright: 2003.
Software Asset Management, OGC - Publications
ITIL Software Asset Management v.1.0 - published for OGC by TSO
OGC - Home
Summary (from http://www.tso.co.uk/samdemo/app/frames.htm): Software Asset Management (SAM) is the entire infrastructure and processes necessary for the effective management, control and protection of the software assets within an organization, throughout all stages of their lifecycle.

SAM principles: the overall objective of all SAM processes is that of good corporate governance, namely, the management of an organization’s software assets, including the management of the risks arising from the use of those assets.

The objective of SAM is to manage, control, and protect an organization's software assets, including management of the risks arising from the use of those software assets.

The most important requirement for a SAM project is to have a clear vision and strategy that are owned by senior management. They should be the driver for initiating everything else in SAM, and in particular they drive the processes of creating the business case. This area is discussed in Chapter 3. This vision and strategy should include any overarching vision and strategy for Configuration Management as a whole, i.e. for all of ICT and not limited just to SAM.

Overall policies need to be established and communicated effectively to the entire organization. Corresponding responsibilities also need to be clarified and communicated. These issues are addressed in several places throughout this guide, including in Chapter 4 ‘Organization, Roles and Responsibilities’, Section 5.1 ‘Overall Management Processes’, and Appendix G ‘Example Contents of a Software Policy’.

Detailed processes need to be defined and implemented, including automated capabilities and written procedures. The majority of the content of this guide addresses this area, including, in particular, Chapter 5 ‘Process Overview’ and Chapter 6 ‘Implementation Overview’.

Key messages: Board-level sponsorship and commitment is essential to ensure successful SAM. Policies and procedures that are practical and mandatory for everyone touching IT assets (procurement to retirement) must be developed, implemented and monitored for adherence. Once SAM is implemented, there will be ongoing performance of SAM processes, with concurrent maintenance of information in the set of SAM databases (which are part of the Configuration Management Database, or CMDB, in ITIL terminology), that will need to be tackled. SAM should be subject to the same disciplines of Service Management as all ICT services and infrastructure, as discussed in the core ITIL publications. For example, SAM cannot continue to function properly without attention to areas such as continuity of operations and Capacity Management. However, these more general topics are not discussed in detail in this guide.

The basis of any good SAM system is accurate and up-to-date SAM information, together with the processes for control of its accuracy. The SAM databases also provide essential information for the integration of SAM processes with other ICT and business processes. They should be considered logically as a single database, but may consist of several physically separate, but linked, databases. In highly decentralized organizations, each autonomous unit may have its own autonomous database, but there needs to be central collection of some data to achieve some of the greatest benefits of SAM. This area is discussed more in Chapter 4 ‘Organization, Roles and Responsibilities’.

There also needs to be a regular process of review and improvement affecting all areas already addressed. At one level there should be review for compliance with defined policies and procedures and, where appropriate, corrective action. There may be opportunities for improvements in efficiency and effectiveness, and definitions of responsibilities. Vision may also change, perhaps in response to changing market opportunities and threats or technological developments. These issues are briefly addressed in Section 5.1 ‘Overall Management Processes’, but repeating the entire process described above, at least for review purposes, is necessary periodically.

Key message: It is impossible to implement an effective SAM process without the successful design, development, implementation and maintenance of accurate SAM databases, automatically updated from the live infrastructure.

Applicable To:
Software Asset Management FROM OGC:
Software is one of the most critical elements of information and communications technologies and most organizations have huge investments in software, whether internally developed or externally procured. However, organizations often do not invest commensurate effort into managing these software assets. This guide has been developed to assist with understanding what Software Asset Management (SAM) is and to explain what is required to perform it effectively and efficiently as identified in industry 'best practice'.
How Used:
As explained by the OGC, it is a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk

PRINCE2
Author(s): OGC. Publisher: PRINCE remains in the public domain and copyright is retained by the Crown. PRINCE is a registered trademark. Edition: 2.4. Date: Latest edition 2005.
Welcome to the Official PRINCE2 website
TSO Online Bookshop - Prince2
Summary: As stated on the official OGC web site: PRINCE2 is a process-based approach for project management providing an easily tailored and scalable method for the management of all types of projects. Each process is defined with its key inputs and outputs together with the specific objectives to be achieved and activities to be carried out.

The method describes how a project is divided into manageable stages enabling efficient control of resources and regular progress monitoring throughout the project. The various roles and responsibilities for managing a project are fully described and are adaptable to suit the size and complexity of the project, and the skills of the organization. Project planning using PRINCE2 is product-based which means the project plans are focused on delivering results and are not simply about planning when the various activities on the project will be done.

A PRINCE2 project is driven by the project's business case which describes the organization's justification, commitment and rationale for the deliverables or outcome. The business case is regularly reviewed during the project to ensure the business objectives, which often change during the lifecycle of the project, are still being met.

There are often different groups of people involved in projects: the customer, one or more suppliers, and of course the user. PRINCE2 is designed to provide a common language across all the interested parties involved in a project. Bringing customers and suppliers together typically involves contracts and contract management. Although these aspects are outside the scope of PRINCE2, the method provides the necessary controls and breakpoints to work successfully within a contractual framework.

Benefits

PRINCE2 is a structured method providing organizations with a standard approach to the management of projects. The method embodies proven and established best-practice in project management. It is widely recognized and understood, and so provides a common language for all participants in the project.

PRINCE2 provides benefits to the organization, as well as the managers and directors of the project, through the controllable use of resources and the ability to manage business and project risk more effectively. PRINCE2 enables projects to have:
A controlled and organized start, middle and end;
Regular reviews of progress against plan and against the Business Case;
Flexible decision points;
Automatic management control of any deviations from the plan;
The involvement of management and stakeholders at the right time and place during the project;
Good communication channels between the project, project management, and the rest of the organization. [End quote]

Notable are the following downloads at: http://www.ogc.gov.uk/prince2/downloads/view.htm
Acceptance Criteria.rtf
Business Case.rtf
Checkpoint Report.rtf
Communication Plan.rtf
Configuration Item Record.rtf
Configuration Management Plan.rtf
End Project Report.rtf
End Stage Report.rtf
Exception Report.rtf
Follow-on Actions.rtf
Highlight Report.rtf
Issue Log.rtf
Lessons Learned Log.rtf
Lessons Learned Report.rtf
Post Project Review Plan.rtf
Product Checklist.rtf
Product Description.rtf
Project Approach.rtf
Project Brief.rtf
Project Initiation Document.rtf
Project Issue.rtf
Project Mandate.rtf
Project Plan.rtf
Project Quality Plan.rtf
Quality Log.rtf
Risk Log.rtf
Stage Plan.rtf
Work Package.rtf
Applicable To:
Project Managers and project management. The US PMI, Project Management Institute (of SEI and Carnegie Mellon University), satisfies the US need for a compliance-based project management framework.
How Used:
The Prince2 Standard is used primarily in the UK and is a product of the OGC. The OGC describes itself as: a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk

Governing for Enterprise Security
Author(s): Julia H. Allen, James F. Stevens, Bradford J. Willke, William R. Wilson. Publisher: CMU/SEI
Governing for Enterprise Security
http://www.cert.org/governance/ges.html
http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn023.pdf
http://clinton1.nara.gov/White_House/EOP/OMB/html/omb-a130.html
Summary: Integrates practice and guidelines from:

Builds on the earlier publication "Managing for Enterprise Security", by Richard A. Caralli.
Applicable To:
Survivable Enterprise Management
The goal of our survivable enterprise management effort is to help organizations protect and defend themselves. To this end, we have developed risk assessments that help enterprises identify and characterize critical information assets and then identify risks to those assets. Enterprises can use the results of the assessment to develop or refine their overall strategy for securing their networked systems.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE®) is a self-directed approach that gives organizations a comprehensive, repeatable technique for identifying risk in their networked systems and keeping up with changes over time. The method, which may be tailored to fit the needs of the organization, takes into consideration assets, threats, and vulnerabilities (both organizationally and technologically) so that the organization gains a comprehensive view of the state of its systems' security. OCTAVE-S, a version of OCTAVE better suited to smaller organizations, is also available.

The need for a broader approach to organizational security inspired our work in enterprise security management (ESM). Intended to be an all-encompassing approach to security, ESM considers an organization's mission, strategy, and goals to develop tools and methods for optimizing an organization's security capabilities.

Another component to achieving our goal includes encouraging organizations to develop and maintain an appropriate level of security. This effort is reflected in our work on governance.

How Used:
The CERT® Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought 10 percent of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. This center was named the CERT Coordination Center (CERT/CC).
While we continue to respond to major security incidents and analyze product vulnerabilities, our role has expanded over the years. Along with the rapid increase in the size of the internet and its use for critical functions, there have been progressive changes in intruder techniques, increased amounts of damage, increased difficulty of detecting an attack, and increased difficulty of catching the attackers. To better manage these changes, the CERT/CC is now part of the larger CERT Program, whose primary goals are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks,

CSRC - Guidance Publications Library
Laws enforced by or aligned to this source
P.L. 107-347, Title III
P.L. 107-347
17 U.S.C. §§ 101 - 810
OMB Circular A-130
Author(s): Computer Security Division (CSD) of the Information Technology Laboratory (ITL). Publisher: NIST is an Agency of the U.S. Commerce Department's Technology Administration. Edition: 10/25/2005. Date: 10/25/2005.

CSRC - Guidance / Publications / Library
Checklists / Implementation Guides
Public / Private Security Practices
Federal Agency Security Practices Homepage
NIST ITL home page

Summary: The CSRC page explains the library this way: Organizations in all sectors of the economy depend upon information systems and communications networks, and share common requirements to protect sensitive information. ITL works with industry and government to establish secure information technology systems for protecting the integrity, confidentiality, reliability, and availability of information. Under the FISMA Act of 2002, the Computer Security Division of the Information Technology Laboratory (ITL) develops computer security prototypes, tests, standards, and procedures to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support. These publications present the results of NIST studies, investigations, and research on information technology security issues.

The publications are issued as Special Publications (Spec. Pubs.), NIST IRs (Internal Reports), and ITL (formerly CSL) Bulletins. Special Publications series include the Spec. Pub. 500 series (Information Technology) and the Spec. Pub. 800 series (Computer Security). Computer security-related Federal Information Processing Standards (FIPS) are also included.

Applicable To:
Sections are listed and described as follows. Go directly to the site for the current list: this list was pasted on 10/25/2005 and is therefore already out of date.

Drafts: This page consists of draft NIST publications (FIPS, Special Publications) that are either open for public review and comment, or waiting to be approved as a final document by the Secretary of Commerce.

Special Publications: Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
Federal Information Processing Standards Publications (FIPS PUBS): FIPS publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106, and the FISMA Act of 2002.

ITL Bulletins: ITL Bulletins are published by NIST's Information Technology Laboratory, with most bulletins written by the Computer Security Division. These bulletins are published on average six times a year. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Not all ITL Bulletins that are published relate to computer / network security. Only the computer security ITL Bulletins are found here. A link is provided on this page to get the non-computer-security ITL Bulletins.

Interagency Reports: NIST Interagency Reports (NIST IRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernmental). NIST IRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.

How to order NIST Publications (order link): If CSRC does not have an electronic copy of the document you are looking for, this is the page that gives you the information you need to order a copy.

Other NIST Computer Security Division Publications, Documents, and Papers
This page lists publications, papers or documents that the staff of the Computer Security Division has written and that are not classified in the publication categories listed above.

History of Computer Security Project:
Early Papers: This list of papers was initially distributed on CD-ROM at NISSC '98. These papers are unpublished, seminal works in computer security. They are papers every serious student of computer security should read. They are not easy to find. The goal of this collection is to make them widely available.

How Used:
CSD Publications:
- Draft Publications
- Special Publications
- FIPS Pubs
- ITL Security Bulletins
- NIST IRs

CSD Focus Areas:
- Cryptographic Standards & Application
- Security Testing
- Security Research / Emerging Technologies
- Security Management & Guidance