Headlines -

Get Yer' RegWatch™ here...


Grand slams go to the teams producing harmonization and synergy across standards and regulatory requirements.


ISACA - Harmonization introduces two great works: "Aligning CobiT®, ITIL® and ISO 17799 for Business Benefit: A Management Briefing", as well as the combined Booz Allen Hamilton, ISACA, ISSA and ASIS release "Convergence of Enterprise Security Organizations".

About Common Criteria: The official CC V2.3 is now available


The 7th International Common Criteria Conference will be held from the 19th to the 21st of September 2006 in Lanzarote, Spain.

About a Standard for all Standards

OASIS in the news again! Massachusetts Releases Enterprise Technical Reference Model Version 3.0.


Do you get automatic notification for updates to the DISA Checklists / Implementation Guides?  Why not?

Get the latest and GREATEST downloads at the IIA


Introduction to Visible Ops Simplifying Security Compliance: Phase 1 Discover why effective change controls are a key component to regulatory compliance and how to build a unified change control strategy with the Visible Ops methodology.   full story...

Tripwire Training Events

Proving Control of the Infrastructure: Tripwire full story...

ITPI by Kevin Behr full story...

Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams

New from CMU: Governing for Enterprise Security  Networked Systems Survivability Program

CERT
US-CERT is part of the Department of Homeland Security


OnGuard Online™ - Your Safety Net


http://www.owasp.org/index.jsp

Homerun!Security and Security Programs

The Security Audit Universe...the "final frontier" 

Any valid comparative technology standard points to work by NIST and the Corporate Information Security Working Group (CISWG). One of the more fascinating achievements in security frameworks is ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation (CC). Seven government organizations, known as the "Common Criteria Project Sponsoring Organizations", grant ISO/IEC a non-exclusive license to publish the standard for purchase as ISO/IEC 15408-1:2005 Ed. 2. Where a product of any of the following types is used to perform an audited control function, the Common Criteria evaluated-products portal will save a lot of time in understanding how well that product applies accepted security practice. Keep in mind what a certificate actually states: that the product met the claims of its own Security Target, at a stated Evaluation Assurance Level, in the evaluated configuration. A deployment that departs from that configuration is outside the scope of the certificate. Certified products are listed in these categories:

  • Access Control Devices and Systems
  • Boundary Protection Devices and Systems
  • Databases
  • Data Protection
  • Detection Devices and Systems
  • ICs, Smart Cards and Smart Card related Devices and Systems
  • Key Management Systems
  • Network and Network related Devices and Systems
  • Operating systems
  • Other Devices and Systems

Note: Product evaluation results in certification and an explanation of the product's compliance with acknowledged best practice and industry standards, as required by companies, branches of government and international services. Tripwire Manager 3.0 with Tripwire for Servers 3.0, and Tripwire Manager 3.0 with Tripwire for Servers Check Point Edition 3.0, a product heavily supported by the IIA, have been listed as certified since 2003.

Management Security
  • Assignment of responsibilities
  • Continuity of support
  • Incident response capability
  • Periodic review of security controls
  • Personnel clearance and background investigations
  • Risk assessment
  • Security and technical training
  • Separation of duties
  • System authorization and reauthorization
  • System or application security plan

Operational Security
  • Control of air-borne contaminants (smoke, dust, chemicals)
  • Controls to ensure the quality of the electrical power supply
  • Data media access and disposal
  • External data distribution and labeling
  • Facility protection (e.g., computer room, data center, office)
  • Humidity control
  • Temperature control
  • Workstations, laptops, and stand-alone personal computers

Technical Security
  • Communications (e.g., dial-in, system interconnection, routers)
  • Cryptography
  • Discretionary access control
  • Identification and authentication
  • Intrusion detection
  • Object reuse
  • System audit
British Standard 7799 Parts 1 and 2 are being phased out as the British Standards Institution's high-level security framework and code of practice. Organizations seeking conformity assessment will be required to align with the newer ISO/IEC 27000 series. Note that ISO 17799:2000 and ISO/IEC 17799:2005 are codes of practice, not certification standards; certification is performed against BS 7799-2, now published as ISO/IEC 27001:2005, by accredited certification bodies rather than by ISO itself.
BS ISO/IEC 27001:2005 (BS 7799-2:2005)
Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams
Governing for Enterprise Security  Networked Systems Survivability Program
OCTAVE Information Security Risk Evaluation

CobiT®. Security Baseline: An Information Security Survival Kit(Members Only)

FFIEC Information Technology Examination Handbook
Global Technology Audit Guide (GTAG) Information Technology Controls (IIA has several GTAG titles)
Enterprise Risk Management--Integrated Framework

Homerun!Security - Physical Access and Change Management

This means we have policy and process for access by group, by role, by data owner and by relative risk, and can respond as needed to changes in requirements and urgency within the boundaries set by stated policy.

User Access Management

  • Define and concur on objectives, key business drivers, requirements and constraints
  • Define roles and handoffs in the process
  • Define process flow (current and desired)
  • Define metrics to demonstrate progress toward objectives and key business drivers
  • Identify technology and implementation plan to support and enforce the above
  • Determine phases and pilot groups
  • Define implementation plan (proposed SOW)
  • Identify and assign implementation resources

File Integrity for Mission-Critical Systems

Close the Gaps in Infrastructure Integrity

Assuring the integrity of your IT infrastructure means more than intrusion detection. Unauthorized changes made by internal staff have been shown to cause 20 times more downtime than infiltrations by external hackers. No matter what the source, uncontrolled change increases risk to everything from agency programs to national security. Tripwire change detection solutions provide a single point of control for detecting all changes across IT infrastructure including heterogeneous servers, desktops, routers, switches, firewalls and load balancers.

Achieve Compliance with Government Regulations

By providing an audit trail of change across the IT infrastructure, Tripwire change detection solutions significantly reduce time and costs associated with achieving regulatory compliance. Government agencies use Tripwire solutions to support diverse compliance initiatives including FISMA, DITSCAP, National Strategy to Secure Cyberspace (NSSC), and OMB and NIST standards.

Tripwire is Common Criteria Certified and recommended as a best practice by SANS, CERT, and leading security advisory groups. Tripwire is also featured on page 30 of the NSA's 60-Minute Security Guide, which you can download here.

Tripwire change detection solutions have been implemented in almost every Federal Cabinet-level Agency. Click here to view the list.
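The change-detection idea described above, as an added example (this is not Tripwire code and not from the original page): a minimal file-integrity monitor in Python that records a baseline of SHA-256 digests, sizes, permission modes, owners and modification times for a directory tree, then compares a later scan against it and reports added, removed and modified files, naming which attribute changed. The directory layout, file contents, simulated tampering and the JSON baseline path in demo() are all constructed for the example.

```python
"""Baseline-and-compare file integrity monitoring (added example, not Tripwire code)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Return {relative_posix_path: attributes} for every regular file under root.

    Symlinks, devices and sockets are skipped in this example; a production
    monitor would record link targets and special-file types too.
    """
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()  # do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": _digest(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "mtime": int(st.st_mtime),
            }
    return snapshot


def save_baseline(snapshot: dict, path: Path) -> None:
    path.write_text(json.dumps(snapshot, sort_keys=True, indent=1))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' maps each path to the attributes that changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"  # hypothetical monitored tree
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        baseline_file = Path(tmp) / "baseline.json"  # hypothetical baseline location
        save_baseline(scan(root), baseline_file)

        # Simulated unauthorized changes: a config edit, a new cron job, a deleted file.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")
        (root / "passwd").unlink()

        return compare(load_baseline(baseline_file), scan(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the baseline. If the baseline file lives on the same host with the same permissions as the monitored files, whoever changed the files can simply regenerate it, so keep the baseline on read-only or remote media and verify its own digest out of band. An entry whose only changed attribute is "mtime" is a timestamp change with identical content; that is usually worth a look rather than being treated as noise, since resetting timestamps is a common way of hiding an edit from checks that look at dates alone.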


OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

Provided here is the latest public release. To receive OSSTMM development status, notes, and betas, become part of the team. Subscribe now to join the ISECOM Gold or Silver Team or contact us at osstmm@isecom.org with how you can help OSSTMM development and earn a place on the core development team.

Note of influence: © 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org), Date: 12/25/2004 Page 925 of 1054, Information Systems Security Assessment Framework (ISSAF) Draft 0.1

Homerun!ITIL and Visible Ops - IMCA and ITPI


Visible Ops: Starting ITIL in Four Practical and Auditable Steps is getting rave reviews. If you need practical guidance on how to jumpstart ITIL or IT control projects, this book is for you. Get control of your infrastructure. Increase security and auditability. Increase service levels. Decrease costs. © 2003-2005 by ITPI

Homerun!Configuration Management and CMDB (explore Procedure Guidelines and Asset Baselines)

  • Cendura
  • TripWire
  • Approva Bizrights
  • Ecora

Legal and Regulatory Factors affect configuration requirements:


NIST's Information Technology Laboratory recently published NIST Special Publication (SP) 800-83, Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology. The guide assists organizations and users in planning and implementing security programs to prevent potential malware incidents and to limit damage from unforeseen incidents that might occur.

Written by Peter Mell of NIST and Karen Kent and Joseph Nusbaum of Booz Allen Hamilton, NIST SP 800-83 discusses the different types of malware and recommends prevention and incident handling techniques. The appendices provide additional resources on malware prevention and handling methods, and include detailed techniques and scenarios. A glossary of the many specialized terms used in the guide, a list of acronyms, and an extensive reference list of print and online resources are also provided. The publication is available in electronic format from NIST's website:

"Applying patches to systems is the most common way of mitigating known vulnerabilities in operating systems and applications. Patch management involves several steps, including assessing the criticality of the patches and the impact of applying or not applying them, testing the patches thoroughly, applying the patches in a controlled manner, and documenting the patch assessment and decision process. It is becoming increasingly challenging to deploy patches quickly enough to prevent incidents—the time from the announcement of a major new vulnerability that is a good candidate for malware-based exploitation to the release of malware targeting that vulnerability has decreased from months to weeks or days. Because it often takes weeks to test new patches properly, it is also often not possible or prudent to deploy patches organization-wide immediately. In some cases, it is safer to use other vulnerability mitigation techniques or threat mitigation instead of patching. In addition, even when a patch has been tested thoroughly and found to be acceptable, it is often challenging to ensure that it is applied to every vulnerable machine in the organization, particularly remote systems (e.g., telecommuters). Nevertheless, applying patches is one of the most effective ways of reducing the risk of malware incidents, and many instances of malware have succeeded because systems were not patched in a timely manner."

The term malware is used to describe malicious code and malicious software that are covertly inserted into an information technology (IT) system to compromise the confidentiality, integrity, or availability of the data, applications, or operating system, or to annoy or disrupt the system's owner. Malware incidents are a significant external threat to the security of many IT systems, often causing widespread damage and disruption, and forcing users and organizations to carry out extensive, costly efforts to restore system security.
Malware includes five categories of inserted programs: viruses, worms, Trojan horses, malicious mobile code, and blended attacks. Viruses and worms are usually designed to carry out their functions without the user's knowledge. Blended attacks use a combination of techniques to insert malicious programs. Malware also includes other attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Spyware, when inserted into a user's system, threatens personal privacy and enables the attacker to monitor personal activities and to carry out financial fraud.

[...] More Information from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications.
Contact Information: Elizabeth B. Lennon- Writer/Editor, Information Technology Laboratory
National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378

"How about a little fire, Scarecrow?"

The Office of Electronic Government and Technology provides updates and overviews of IT legislation under consideration by Congress. Each state also has pending legislation affecting topics such as copyright, security, privacy, and technology use. Be involved: read and vote. Those of us who understand technology have a responsibility to the many who don't.

  • Federal Laws

    • Privacy Act of 1974, as amended, (5 U.S.C. 552a), [http://www.usdoj.gov/04foia/privstat.htm]
    • Paperwork Reduction Act of 1995, Title 44 Chapter 35
    • [http://www.archives.gov/federal_register/public_laws]
    • Chief Financial Officers Act of 1990, (31 U.S.C. 2512 et seq.) [http://www.gao.gov/policy/12_19_4.pdf] and [http://wwwoirm.nih.gov/itmra/cfoact.html]
    • Clinger-Cohen Act, P.L. 104-106, Division E, Information Technology Management Reform Act of 1996 [http://www.cio.gov/documents]
    • Computer Security Enhancement Act of 1997, H.R. 1903 [http://www.fas.org/irp/congress/1997_rpt/h105_243.htm]
    • Government Paperwork Elimination Act of 1998, P.L. 105-277, Title XVII [http://www.cdt.org/legislations/105th/digsig/govnopaper.html]
    • FY 2001 Defense Authorization Act (P.L. 106-398) – Title X, subtitle G “Government Information Security Reform” (The Security Act) [http://www.access.gpo.gov/nara/publaw/106publ.htm]
    • Federal Information Security Management Act (FISMA), P.L. 107-347, Title III, December 2002 [http://www.fedcirc.gov/library/legislation/FISMA.html]
    • Freedom of Information Act, P.L. 89-487 [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+5USC552]
    • Computer Fraud and Abuse Act, P.L. 99-474,
    • [http://www.alw.nih.gov/Security/FIRST/papers/legal/cfa.txt]
    • Electronic Signature in Global and National Commerce Act, P.L. 106-229, [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf]
    • Government Information Security Reform Act, P.L. 106-398, [http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ398.106]
    • Children’s Online Privacy Protection Act of 1998, [http://www.ftc.gov/ogc/coppa1.htm]
    • Executive Orders/Presidential Decision Directives
    • Executive Order No. 12046 of March 27, 1978 [no electronic version available]
    • Executive Order No. 12472 of April 3, 1984 [no electronic version available]
    • Executive Order No. 13011 of July 16, 1996 [http://www.nara.gov/fedreg/eo_clint.html]
    • Homeland Security Directive HSPD-7, Critical Infrastructure Identification, Prioritization and Protection [http://www.usda.gov/da/physicalsecurity/hspd.pdf]
    • Homeland Security Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors

    Office of Management & Budget (OMB) Circulars, Bulletins and Memoranda [http://www.whitehouse.gov/omb]

    • OMB Circular No. A-11 Preparation and Submission of Budget Estimates (05/03)
    • OMB Circular No. A-123 Management Accountability and Control (06/95)
    • OMB Circular No. A-127 Policies and Standards for Financial Management Systems (07/93)
    • OMB Circular No. A-130 Security of Federal Automated Information Resources (Appendix III) (11/00)
    • OMB Bulletin No. 90-08 (Appendix A) [Security Plans]
    • M-97-16 Information Technology Architectures (06/18/97)
    • M-99-05 Instructions on Complying with President’s Memorandum of May 14, 1998 “Privacy and Personal Information in Federal Records” (01/07/99)
    • M-99-18 Privacy Policies on Federal Web Sites (06/02/99)
    • M-99-20 Security of Federal Automated Information Resources (06/23/99)
    • M-00-07 Incorporating and Funding Security in Information Systems Investments (02/28/00)
    • M-00-10 OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act (04/25/00)
    • M-00-13 Privacy Policies and Data Collection on Federal Web Sites (06/22/00)
    • M-00-15 OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act (09/25/00)
    • M-01-05 Guidance on Inter-agency Sharing of Personal Data – Protecting Personal Data (12/20/00)
    • M-03-19 Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (08/06/03)

    National Institute of Standards & Technology (NIST) Federal Information Processing Standards Publications (FIPS) [http://csrc.nist.gov/publications/fips/index.html]

    FIPS PUB 31 Guidelines for Automatic Data Processing Physical Security and Risk Management (06/74)
    FIPS PUB 46-3 Data Encryption Standard (DES); specifies the use of Triple DES (10/99)
    FIPS PUB 48 Guidelines on Evaluation of Techniques for Automated Personal Identification (04/77)
    FIPS PUB 73 Guidelines for Security of Computer Applications (06/80)
    FIPS PUB 74 Guidelines for Implementing and Using the NBS Data Encryption Standard (04/81)
    FIPS PUB 81 DES Modes of Operation (12/80)
    FIPS PUB 83 Guideline on User Authentication Techniques for Computer Network Access Control (09/80)
    FIPS PUB 87 Guidelines for ADP Contingency Planning (03/81)
    FIPS PUB 102 Guideline for Computer Security Certification and Accreditation (09/83)
    FIPS PUB 112 Password Usage (05/85)
    FIPS PUB 113 Computer Data Authentication (05/85)
    FIPS PUB 140-1 Security Requirements for Cryptographic Modules (01/94)
    FIPS PUB 140-2 Security Requirements for Cryptographic Modules (06/01)
    FIPS PUB 171 Key Management Using ANSI X9.17 (04/92)
    FIPS PUB 180-2 Secure Hash Standard (08/02)
    FIPS PUB 181 Automated Password Generator (10/93)
    FIPS PUB 185 Escrowed Encryption Standard (02/94)
    FIPS PUB 186-2 Digital Signature Standard (DSS) (01/00)
    FIPS PUB 188 Standard Security Labels for Information Transfer (09/94)
    FIPS PUB 190 Guideline for the Use of Advanced Authentication Technology Alternatives (09/94)
    FIPS PUB 191 Guideline for the Analysis of Local Area Network Security (11/94)
    FIPS PUB 196 Entity Authentication Using Public Key Cryptography (02/97)
    FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems (12/03)

    FIPS PUB 201 Personal Identification Verification for Federal Employees and Contractors

    NIST Special Publications [http://csrc.nist.gov/publications/nistpubs/index.html]

    NIST Special Publication 800-2, Public-Key Cryptography
    NIST Special Publication 800-3, Establishing a Computer Security Incident Response Capability (CSIRC)
    NIST Special Publication 800-4, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials
    NIST Special Publication 800-4A, Security Considerations in Federal Information Technology Procurements
    NIST Special Publication 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques
    NIST Special Publication 800-6, Automated Tools for Testing Computer System Vulnerability
    NIST Special Publication 800-7, Security in Open Systems
    NIST Special Publication 800-8, Security Issues in the Database Language SQL
    NIST Special Publication 800-9, Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
    NIST Special Publication 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
    NIST Special Publication 800-11, The Impact of the FCC’s Open Network Architecture on NS/EP Telecommunications Security
    NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook
    NIST Special Publication 800-13, Telecommunications Security Guidelines for Telecommunications Management Network
    NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
    NIST Special Publication 800-15, Minimum Interoperability Specification for PKI components (MISPC), Version 1
    NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec Pub. 500-172)
    NIST Special Publication 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures
    NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
    NIST Special Publication 800-19, Mobile Agent Security
    NIST Special Publication 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
    NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government
    NIST Special Publication 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
    NIST Special Publication 800-23,Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
    NIST Special Publication 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
    NIST Special Publication 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
    NIST Special Publication 800-26, Security Self Assessment Guide for Information Technology Systems
    NIST Special Publication 800-27, Engineering Principles for IT Security
    NIST Special Publication 800-28, Guidelines on Active Content and Mobile Code
    NIST Special Publication 800-29, A Comparison of the Security Requirements of Cryptographic Modules in FIPS 140-1 and 140-2
    NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
    NIST Special Publication 800-31, Intrusion Detection Systems (IDS)
    NIST Special Publication 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure
    NIST Special Publication 800-33, Underlying Technical Models for Information Technology Security
    NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
    NIST Special Publication 800-35, Guide to IT Security Services
    NIST Special Publication 800-36, Guide to Selecting IT Security Products
    NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
    NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
    NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode
    NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
    NIST Special Publication 800-40, Procedures for Handling Security Patches
    NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy
    NIST Special Publication 800-42, Guideline on Network Security Testing
    NIST Special Publication 800-43, System Administration Guidance for Windows 2000 Professional
    NIST Special Publication 800-44, Guidelines on Securing Public Web Servers
    NIST Special Publication 800-45, Guidelines on Electronic Mail Security
    NIST Special Publication 800-46, Security for Telecommuting and Broadband Communications
    NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems
    NIST Special Publication 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
    NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
    NIST Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
    NIST Special Publication 800-53, Security Controls for Federal Information Systems
    NIST Special Publication 800-53A, Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems
    NIST Special Publication 800-55, Security Metrics Guide for Information Technology Systems
    NIST Special Publication 800-60, Guide for Mapping Information and Information Types to Security Objectives and Risk Levels
    NIST Special Publication 800-61, Computer Security Incident Handling Guide
    NIST Special Publication 800-63, Recommendation for Electronic Authentication

    USDA Policies & Regulations [http://www.ocionet.usda.gov/ocio/cyber_sec/index.html]

    DR 3140-2, USDA Internet Security Policy
    DR 3300-1, Telecommunications & Internet Services & Use
    DR 3410-1, Information Collection Activity
    DR 3080-1, Records Disposition
    DM 3200-2, Management: A Project Managers Guide to Applications Systems Life Cycle Management
    DM 3500, USDA Cyber Security Manual
    OCIO Web Farm Physical Security Standards, Policies & Procedures
    Director of Central Intelligence Directive (DCID) 1/21; DCID 6/3, Sensitive Compartmented Information Facility Construction Specifications
    Office of Operations, USDA Physical Security Handbook, Chapter 3, Exterior and Interior Protection (Draft)
    Interagency Security Committee (ISC) Security Design Criteria for Federal Facilities (Classified Document)

    Miscellaneous

    • DOD Directive 8500.1 Information Assurance (10/02) [http://www.dtic.mil/whs/directives/]
    • GAO Federal Information System Control Audit Manual (Exposure Draft) (FISCAM) (08/97) [http://www.gao.gov/policy/12_19_6.pdf]
    • Common Criteria for Information Technology Security Evaluation (Ver. 2.1) (08/99) [http://csrc.nist.gov/cc/ccv20/ccv2list.htm]
    • Federal CIO Council, Securing Electronic Government (01/01) [http://www.cio.gov