Security and Security Programs
The Security Audit Universe... the "final frontier"
Any valid comparative technology standard points to work by NIST and CISW.
One of the more fascinating achievements in security frameworks is the resulting standard ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation (CC2.2.v3). Seven government organizations, known as the "Common Criteria Project Sponsoring Organizations", grant ISO/IEC a non-exclusive license to provide the standard for purchase as ISO/IEC 15408-1:2005 Ed. 2.
Where a product of any of the following types is used to perform audited control functions, the Common Criteria evaluation portal will save a lot of time in understanding how that product applies an accepted security standard. Certified products are listed under these categories:
- Access Control Devices and Systems
- Boundary Protection Devices and Systems
- Databases
- Data Protection
- Detection Devices and Systems
- ICs, Smart Cards and Smart Card related Devices and Systems
- Key Management Systems
- Network and Network related Devices and Systems
- Operating Systems
- Other Devices and Systems
Note: Product evaluation results in a certificate and an explanation of the product's compliance with acknowledged best practice and industry standards, as required by any type of company, branch of government or international service. Bear in mind that a Common Criteria certificate covers a specific version of the product in its evaluated configuration, at the assurance level stated on the certificate; a later version or a different configuration is not covered unless it is re-evaluated. Tripwire Manager 3.0 with Tripwire for Servers 3.0, and Tripwire Manager 3.0 with Tripwire for Servers Check Point Edition 3.0, products heavily supported by the IIA, have been listed as certified since 2003.
Note: sections for GLBA and FFIEC/FDIC are at the bottom of this page.
NIST released three security publications / standards:
1. 2nd Public Draft Special Publication 800-96, PIV Card / Reader Interoperability Guidelines. URL to view / download this document: http://csrc.nist.gov/publications/drafts.html#sp800-96
NIST is pleased to announce the release of Draft Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. SP 800-96 is available for a two-week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well as readers for physical access. The comment period closes at 5:00 EST on Friday, August 11th, 2006.
2. Special Publication 800-85B, PIV Data Model Conformance Test Guidelines. URL to view / download this document: http://csrc.nist.gov/publications/nistpubs/index.html#sp800-85B
NIST is pleased to announce the release of NIST SP 800-85B, PIV Data Model Conformance Test Guidelines. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules, PIV card issuers, and entities performing conformance tests.
3. 2nd Public Draft 800-53 Revision 1, Recommended Security Controls for Federal Information Systems. URL to view / download this document: http://csrc.nist.gov/publications/drafts.html#sp800-53-Rev1
NIST is pleased to announce the release of Special Publication 800-53, Revision 1 (Second Public Draft), Recommended Security Controls for Federal Information Systems. SP 800-53, Revision 1 is available for a one-month public comment period. The comment period closes on August 25, 2006.
NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, as provided by the National Institute of Standards and Technology
NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook
NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems
NIST Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: Security Configuration Checklist
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, divides security controls for information technology risk into three broad categories: management, operational and technical.
Management Security:
- Assignment of responsibilities
- Continuity of support
- Incident response capability
- Periodic review of security controls
- Personnel clearance and background investigations
- Risk assessment
- Security and technical training
- Separation of duties
- System authorization and reauthorization
- System or application security plan
Operational Security:
- Control of air-borne contaminants (smoke, dust, chemicals)
- Controls to ensure the quality of the electrical power supply
- Data media access and disposal
- External data distribution and labeling
- Facility protection (e.g., computer room, data center, office)
- Humidity control
- Temperature control
- Workstations, laptops, and stand-alone personal computers
Technical Security:
- Communications (e.g., dial-in, system interconnection, routers)
- Cryptography
- Discretionary access control
- Identification and authentication
- Intrusion detection
- Object reuse
- System audit
Detail for detail, these are the leading frameworks. No one group claims to work in isolation from the others, and each framework is written with areas specific to an industry and areas common to all. Unquestionably, any person involved in security and compliance needs to own and understand the frameworks known as BS 7799 Parts 1 and 2.
British Standard 7799 Parts 1 and 2 are being phased out as the British Standards Institution's high-level security framework and code of practice. Organizations seeking conformity assessment will be required to align with the newer ISO/IEC 27000 series (BS 7799-2, the certifiable specification, has become ISO/IEC 27001). Note that ISO/IEC 17799:2000 and ISO/IEC 17799:2005 are codes of practice, not certification standards: an organization is certified against BS 7799-2 (now ISO/IEC 27001) by an accredited certification body, not by ISO itself; ISO's CASCO committee writes the conformity-assessment standards but does not perform assessments.
- Enterprise Risk Management--Integrated Framework
Consider the world of implications from access to change management.
Security - Physical Access and Change Management
- Define and concur on objectives, key business drivers, requirements and constraints
- Define roles and handoffs in the process
- Define process flow (current and desired)
- Define metrics to demonstrate progress toward objectives and key business drivers
- Identify technology and an implementation plan to support and enforce the above
- Determine phases and pilot groups
- Define the implementation plan (proposed SOW)
- Identify and assign implementation resources
File Integrity for Mission-Critical Systems: Close the Gaps in Infrastructure Integrity
Assuring the integrity of your IT infrastructure means more than intrusion detection. Unauthorized changes made by internal staff have been shown to cause 20 times more downtime than infiltrations by external hackers. No matter what the source, uncontrolled change increases risk to everything from agency programs to national security. Tripwire change detection solutions provide a single point of control for detecting all changes across the IT infrastructure, including heterogeneous servers, desktops, routers, switches, firewalls and load balancers.
Achieve Compliance with Government Regulations
By providing an audit trail of change across the IT infrastructure, Tripwire change detection solutions significantly reduce the time and cost of achieving regulatory compliance. Government agencies use Tripwire solutions to support diverse compliance initiatives including FISMA, DITSCAP, the National Strategy to Secure Cyberspace (NSSC), and OMB and NIST standards. Tripwire is Common Criteria certified and recommended as a best practice by SANS, CERT, and leading security advisory groups. Tripwire is also featured on page 30 of the NSA's 60-Minute Security Guide.
Tripwire change detection solutions have been implemented in almost every Federal Cabinet-level agency.
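The change-detection approach described above, hashing a baseline of the filesystem and diffing later snapshots against it, is easy to show in code. The following Python is an added example written for this page; it is not Tripwire's code and did not appear in the original. It hashes every regular file under a directory, seals the baseline with an HMAC so that a tampered baseline is rejected, then simulates an intruder's changes and reports what was added, removed or modified. The file tree, its contents and the key are constructed sample data; the key is assumed to be held somewhere other than the monitored host.

```python
"""
Minimal file-integrity checker in the Tripwire style (added example, not
Tripwire's code).

- build_baseline() hashes every regular file under a root and records
  size, mode and SHA-256 digest.
- compare() reports files added, removed or modified since the baseline.
- seal_baseline()/load_sealed_baseline() protect the stored baseline with
  an HMAC so that an intruder who can write to the monitored host cannot
  silently re-baseline their own changes.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Return {relative_path: {size, mode, sha256}} for all regular files."""
    rootp = Path(root)
    baseline = {}
    for p in sorted(rootp.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[p.relative_to(rootp).as_posix()] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
                "sha256": _sha256_file(p),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a fresh snapshot."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body.decode(), "hmac": tag}).encode()


def load_sealed_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting anything in the stored baseline."""
    env = json.loads(blob)
    body = env["baseline"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline was tampered with")
    return json.loads(body)


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then tamper with it."""
    key = b"example-key-kept-off-the-monitored-host"  # assumption: stored elsewhere
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")

        sealed = seal_baseline(build_baseline(root), key)

        # Simulated unauthorized change: trojaned binary, extra uid-0 account,
        # deleted file, and a new preload hook (all constructed sample data).
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        trusted = load_sealed_baseline(sealed, key)
        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC seal is the part that matters in practice: a baseline stored unprotected on the monitored host can simply be regenerated by whoever planted the change, and the checker will report a clean system. Tripwire signs its database and policy files for the same reason. A checker that only hashes files is only as trustworthy as the place its baseline and key live.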

Federal Financial Institutions Examination Council
AKA: FFIEC Examination Handbook
Sometimes searched as: Information Security IT Examination Handbook
URL Source Data:
Federal Financial Institutions Examination Council
FFIEC Information Technology Examination Handbook
FFIEC IT Handbook InfoBase Main Page
Information Security IT Examination Handbook
http://www.ffiec.gov/ffiecinfobase/booklets/information_security/Info_sec_workprogram.doc
Summary:
The Federal Financial Institutions Examination Council is the interagency body that prescribes uniform examination principles and standards for its member agencies, which regulate the financial institutions. This site provides field examiners in those agencies an InfoBase of new regulations and standards.
The structure of the online Information Security "Booklet" surpasses any other form of presentation I have seen. The writing is clear and the sources are comprehensive. Given that the member agencies (the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS)) between them regulate most of the industry, it is hard to imagine that the guidelines used to create the FFIEC framework lack consideration for laws in any industry, public, private or international.
OVERVIEW
Information is one of a financial institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers. Timely and reliable information is necessary to process transactions and support financial institution and customer decisions. A financial institution’s earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.
Information security is the process by which an organization protects and secures systems, media, and facilities that process and maintain information vital to its operations. On a broad scale, the financial institution industry has a primary role in protecting the nation’s financial services infrastructure. The security of the industry’s systems and information is essential to its safety and soundness and to the privacy of customer financial information. Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security responsibilities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. This booklet provides guidance to examiners and organizations on determining the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.
Organizations often inaccurately perceive information security as the state or condition of controls at a point in time. Security is an ongoing process, whereby the condition of a financial institution’s controls is just one indicator of its overall security posture. Other indicators include the ability of the institution to continually assess its posture and react appropriately in the face of rapidly changing threats, technologies, and business conditions. A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.
Member agencies of the Federal Financial Institutions Examination Council (FFIEC) defined such a process-based approach to security in the “Guidelines Establishing Standards to Safeguard Customer Information” to implement section 501(b) of the Gramm–Leach–Bliley Act of 1999 (GLBA). The guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs. This booklet follows the same process-based approach, applies it to various aspects of the financial institution’s operations, and serves as a supplement to agency GLBA 501(b) expectations.
Financial institutions may outsource some or all of their information processing. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.
This booklet is one of a series of updates to the 1996 FFIEC Information Systems Examination Handbook. It updates and rescinds the security-related guidance in that handbook, including Chapters 14-16.
SECURITY OBJECTIVES
Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.
- Availability—The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.
- Integrity of Data or Systems—System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
- Confidentiality of Data or Systems—Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
- Accountability—Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection and legal admissibility of records.
- Assurance—Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
Appropriate security controls are necessary for financial institutions to challenge potential customer or user claims that they did not initiate a transaction. Financial institutions can accomplish this by achieving both integrity and accountability to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counter party, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.
REGULATORY GUIDANCE, RESOURCES, AND STANDARDS
Financial institutions developing or reviewing their information security controls, policies, procedures, or processes have a variety of sources to draw upon. First, federal laws and regulations address security, and regulators have issued numerous security related guidance documents. Institutions also have a number of third-party or security industry resources to draw upon for guidance, including outside auditors, consulting firms, insurance companies, and information security professional organizations. In addition, many national and international standard-setting organizations are working to define information security standards and best practices for electronic commerce. While no formal industry accepted security standards exist, these various standards provide benchmarks that both financial institutions and their regulators can draw upon for the development of industry expectations and security practices. Some standard-setting groups include the following organizations:
The National Institute of Standards and Technology (NIST) at www.nist.gov;
- The International Organization for Standardization (ISO) Information technology at www.iso.ch, with specific standards such as the code of practice for information security management (ISO/IEC 17799) and Information Security -- Security techniques—Evaluation criteria for IT security (ISO/IEC 15408); and
- The Information Systems Audit and Control Association (ISACA)—Control Objectives for Information Technology (CobiT), at www.isaca.org
Gramm-Leach-Bliley Act
Data Privacy and Records Management
Type: United States Federal Law
Codification: 15 U.S.C. § 6801 et seq.
Law Reference - Most Used: P.L. 106-102
Laws enforced by or aligned to this:
- 15 U.S.C. §§ 41-58 (Federal Trade Commission Act; Section 5 is 15 U.S.C. § 45)
- Directive 95/46/EC
- 15 U.S.C. § 6801
Supersedes (repeals the last vestiges of): Glass-Steagall Act of 1933
Sponsors: Sen. Phil Gramm, Rep. James Leach and … Committees: House Banking and Financial Services; 106th Congress
Date enacted: 11/12/1999
Sometimes searched as: Financial Services Modernization Act of 1999
URL Source Data
Gramm-Leach Bliley Act
FDIC: Important Banking Legislation
Summary of Standard (mainly quoting the FDIC, which is where you should go to confirm correct and up-to-the-minute information)
[Content found at http://www.epic.org/privacy/glba/] Information that many would consider private--including bank balances and account numbers--is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses. The GLBA primarily sought to "modernize" financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use. Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merge, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives. Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals: First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise you of their policies on sharing of personal financial information. Third, they must give consumers the option to opt-out of some sharing of personal financial information.
Gramm-Leach-Bliley Act (GLBA).
Title V of the GLBA (sections with financial privacy and pretexting protections).
Applicable To:
As explained by FDIC:
Repeals last vestiges of the Glass Steagall Act of 1933. Modifies portions of the Bank Holding Company Act to allow affiliations between banks and insurance underwriters. While preserving authority of states to regulate insurance, the act prohibits state actions that have the effect of preventing bank-affiliated firms from selling insurance on an equal basis with other insurance agents. Law creates a new financial holding company under section 4 of the BHCA, authorized to engage in: underwriting and selling insurance and securities, conducting both commercial and merchant banking, investing in and developing real estate and other "complementary activities." There are limits on the kinds of non-financial activities these new entities may engage in. Allows national banks to underwrite municipal bonds.
Restricts the disclosure of nonpublic customer information by financial institutions. All financial institutions must provide customers the opportunity to "opt-out" of the sharing of the customers' nonpublic information with unaffiliated third parties. The Act imposes criminal penalties on anyone who obtains customer information from a financial institution under false pretenses.
Amends the Community Reinvestment Act to require that financial holding companies can not be formed before their insured depository institutions receive and maintain a satisfactory CRA rating. Also requires public disclosure of bank-community CRA-related agreements. Grants some regulatory relief to small institutions in the shape of reducing the frequency of their CRA examinations if they have received outstanding or satisfactory ratings. Prohibits affiliations and acquisitions between commercial firms and unitary thrift institutions.
Makes significant changes in the operation of the Federal Home Loan Bank System, easing membership requirements and loosening restrictions on the use of FHLB funds.
How Used: Also found within Safe Harbor Enforcement Overview, Federal and State "Unfair and Deceptive Practices" Authority and Privacy [http://www.export.gov/safeharbor/ENFORCEMENTOVERVIEWFINAL.htm]
[…]
"On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley Act (Pub. L. 106-102, codified at 15 U.S.C. § 6801 et seq.) into law. The Act limits the disclosure by financial institutions of personal information about their customers. The Act requires financial institutions to, inter alia, notify all customers of their privacy policies and practices with respect to the sharing of personal information with affiliates and non-affiliates. The Act authorizes the FTC, the Federal banking authorities and other authorities to promulgate regulations to implement the privacy protections required by the statute. The agencies have issued proposed regulations for this purpose."
Federal Laws
- Privacy Act of 1974, as amended, (5 U.S.C. 552a) [http://www.usdoj.gov/04foia/privstat.htm]
- Paperwork Reduction Act of 1995, Title 44 Chapter 35 [http://www.archives.gov/federal_register/public_laws]
- Chief Financial Officers Act of 1990, (31 U.S.C. 2512 et seq.) [http://www.gao.gov/policy/12_19_4.pdf] and [http://wwwoirm.nih.gov/itmra/cfoact.html]
- Clinger-Cohen Act, P.L. 104-106, Division E, Information Technology Management Reform Act of 1996 [http://www.cio.gov/documents]
- Computer Security Enhancement Act of 1997, H.R. 1903 [http://www.fas.org/irp/congress/1997_rpt/h105_243.htm]
- Government Paperwork Elimination Act of 1998, P.L. 105-277, Title XVII [http://www.cdt.org/legislations/105th/digsig/govnopaper.html]
- FY 2001 Defense Authorization Act (P.L. 106-398), Title X, Subtitle G "Government Information Security Reform" (the Security Act) [http://www.access.gpo.gov/nara/publaw/106publ.htm]
- Federal Information Security Management Act (FISMA), P.L. 107-347, Title III, December 2002 [http://www.fedcirc.gov/library/legislation/FISMA.html]
- Freedom of Information Act, P.L. 89-487 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+5USC552]
- Computer Fraud and Abuse Act, P.L. 99-474 [http://www.alw.nih.gov/Security/FIRST/papers/legal/cfa.txt]
- Electronic Signatures in Global and National Commerce Act, P.L. 106-229 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf]
- Government Information Security Reform Act, P.L. 106-398 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ398.106]
- Children's Online Privacy Protection Act of 1998 [http://www.ftc.gov/ogc/coppa1.htm]
Executive Orders/Presidential Decision Directives
- Executive Order No. 12046 of March 27, 1978 [no electronic version available]
- Executive Order No. 12472 of April 3, 1984 [no electronic version available]
- Executive Order No. 13011 of July 16, 1996 [http://www.nara.gov/fedreg/eo_clint.html]
- Homeland Security Presidential Directive HSPD-7, Critical Infrastructure Identification, Prioritization and Protection [http://www.usda.gov/da/physicalsecurity/hspd.pdf]
- Homeland Security Presidential Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors
Office of Management & Budget (OMB) Circulars, Bulletins and Memoranda [http://www.whitehouse.gov/omb]
- OMB Circular No. A-11 Preparation and Submission of Budget Estimates (05/03)
- OMB Circular No. A-123 Management Accountability and Control (06/95)
- OMB Circular No. A-127 Policies and Standards for Financial Management Systems (07/93)
- OMB Circular No. A-130 Security of Federal Automated Information Resources (Appendix III) (11/00)
- OMB Bulletin No. 90-08 (Appendix A) [Security Plans]
- M-97-16 Information Technology Architectures (06/18/97)
- M-99-05 Instructions on Complying with President's Memorandum of May 14, 1998 "Privacy and Personal Information in Federal Records" (01/07/99)
- M-99-18 Privacy Policies on Federal Web Sites (06/02/99)
- M-99-20 Security of Federal Automated Information Resources (06/23/99)
- M-00-07 Incorporating and Funding Security in Information Systems Investments (02/28/00)
- M-00-10 OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act (04/25/00)
- M-00-13 Privacy Policies and Data Collection on Federal Web Sites (06/22/00)
- M-00-15 OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act (09/25/00)
- M-01-05 Guidance on Inter-agency Sharing of Personal Data - Protecting Personal Data (12/20/00)
- M-03-19 Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (08/06/03)
National Institute of Standards & Technology (NIST) Federal Information Processing Standards Publications (FIPS) [http://csrc.nist.gov/publications/fips/index.html]
- FIPS PUB 31 Guidelines for Automatic Data Processing Physical Security and Risk Management (06/74)
- FIPS PUB 46-3 Data Encryption Standard (DES); specifies the use of Triple DES (10/99)
- FIPS PUB 48 Guidelines on Evaluation of Techniques for Automated Personal Identification (04/77)
- FIPS PUB 73 Guidelines for Security of Computer Applications (06/80)
- FIPS PUB 74 Guidelines for Implementing and Using the NBS Data Encryption Standard (04/81)
- FIPS PUB 81 DES Modes of Operation (12/80)
- FIPS PUB 83 Guideline on User Authentication Techniques for Computer Network Access Control (09/80)
- FIPS PUB 87 Guidelines for ADP Contingency Planning (03/81)
- FIPS PUB 102 Guideline for Computer Security Certification and Accreditation (09/83)
- FIPS PUB 112 Password Usage (05/85)
- FIPS PUB 113 Computer Data Authentication (05/85)
- FIPS PUB 140-1 Security Requirements for Cryptographic Modules (01/94)
- FIPS PUB 140-2 Security Requirements for Cryptographic Modules (05/01)
- FIPS PUB 171 Key Management Using ANSI X9.17 (04/92)
- FIPS PUB 180-2 Secure Hash Standard (08/02)
- FIPS PUB 181 Automated Password Generator (10/93)
- FIPS PUB 185 Escrowed Encryption Standard (02/94)
- FIPS PUB 186-2 Digital Signature Standard (DSS) (01/00)
- FIPS PUB 188 Standard Security Labels for Information Transfer (09/94)
- FIPS PUB 190 Guideline for the Use of Advanced Authentication Technology Alternatives (09/94)
- FIPS PUB 191 Guideline for the Analysis of Local Area Network Security (11/94)
- FIPS PUB 196 Entity Authentication Using Public Key Cryptography (02/97)
- FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems
- FIPS PUB 201 Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST Special Publications [http://csrc.nist.gov/publications/nistpubs/index.html]
- NIST Special Publication 800-2, Public-Key Cryptography
- NIST Special Publication 800-3, Establishing a Computer Security Incident Response Capability (CSIRC)
- NIST Special Publication 800-4, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials
- NIST Special Publication 800-4A, Security Considerations in Federal Information Technology Procurements
- NIST Special Publication 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques
- NIST Special Publication 800-6, Automated Tools for Testing Computer System Vulnerability
- NIST Special Publication 800-7, Security in Open Systems
- NIST Special Publication 800-8, Security Issues in the Database Language SQL
- NIST Special Publication 800-9, Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
- NIST Special Publication 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
- NIST Special Publication 800-11, The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security
- NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook
- NIST Special Publication 800-13, Telecommunications Security Guidelines for Telecommunications Management Network
- NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST Special Publication 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1
- NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172)
- NIST Special Publication 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures
- NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
- NIST Special Publication 800-19, Mobile Agent Security
- NIST Special Publication 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
- NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government
- NIST Special Publication 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
- NIST Special Publication 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
- NIST Special Publication 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
- NIST Special Publication 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
- NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems
- NIST Special Publication 800-27, Engineering Principles for IT Security
- NIST Special Publication 800-28, Guidelines on Active Content and Mobile Code
- NIST Special Publication 800-29, A Comparison of the Security Requirements of Cryptographic Modules in FIPS 140-1 and 140-2
- NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
- NIST Special Publication 800-31, Intrusion Detection Systems (IDS)
- NIST Special Publication 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure
- NIST Special Publication 800-33, Underlying Technical Models for Information Technology Security
- NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
- NIST Special Publication 800-35, Guide to IT Security Services
- NIST Special Publication 800-36, Guide to Selecting IT Security Products
- NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
- NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
- NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
- NIST Special Publication 800-40, Procedures for Handling Security Patches
- NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy
- NIST Special Publication 800-42, Guideline on Network Security Testing
- NIST Special Publication 800-43, System Administration Guidance for Windows 2000 Professional
- NIST Special Publication 800-44, Guidelines on Securing Public Web Servers
- NIST Special Publication 800-45, Guidelines on Electronic Mail Security
- NIST Special Publication 800-46, Security for Telecommuting and Broadband Communications
- NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems
- NIST Special Publication 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
- NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
- NIST Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- NIST Special Publication 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems
- NIST Special Publication 800-55, Security Metrics Guide for Information Technology Systems
- NIST Special Publication 800-60, Guide for Mapping Information and Information Types to Security Objectives and Risk Levels
- NIST Special Publication 800-61, Computer Security Incident Handling Guide
- NIST Special Publication 800-63, Recommendation for Electronic Authentication
USDA Policies & Regulations [http://www.ocionet.usda.gov/ocio/cyber_sec/index.html]
- DR 3140-2, USDA Internet Security Policy
- DR 3300-1, Telecommunications & Internet Services & Use
- DR 3410-1, Information Collection Activity
- DR 3080-1, Records Disposition
- DM 3200-2, Management: A Project Manager's Guide to Applications Systems Life Cycle Management
- DM 3500, USDA Cyber Security Manual
- OCIO Web Farm Physical Security Standards, Policies & Procedures
- Director of Central Intelligence Directive (DCID) 1/21; DCID 6/3, Sensitive Compartmented Information Facility Construction Specifications
- Office of Operations, USDA Physical Security Handbook, Chapter 3, Exterior and Interior Protection (Draft)
- Interagency Security Committee (ISC) Security Design Criteria for Federal Facilities (Classified Document)
Miscellaneous
- DOD Directive 8500.1 Information Assurance (10/02) [http://www.dtic.mil/whs/directives/]
- GAO Federal Information System Control Audit Manual (Exposure Draft) (FISCAM) (08/97) [http://www.gao.gov/policy/12_19_6.pdf]
- Common Criteria for Information Technology Security Evaluation (Ver. 2.1) (08/99) [http://csrc.nist.gov/cc/ccv20/ccv2list.htm]
- Federal CIO Council, Securing Electronic Government (01/01) [http://www.cio.gov]