Sunday, November 15, 2009
Governance Surveys and Trends
Relevant Websites
http://csrc.nist.gov/ - Computer Security Research Centre
http://www.darkreading.com/
http://www.banktech.com/
http://www.bankinfosecurity.com/
http://www.beastorbuddha.com/
http://risky.biz/
http://www.grc.com/securitynow.htm
http://www.thisweekintech.com/
http://itradio.com.au/?page_id=2
http://searchsecurity.techtarget.com.au/
http://www.ozprinciple.com/index.php
http://www.complianceandprivacy.com/
http://www.noticebored.com/
http://blogs.itworldcanada.com/security/
http://www.brighttalk.com/
http://risktech.financetech.com/
http://www.itbusinessedge.com/cm/blogs/defrangesco
http://www.ameinfo.com/corporate_it_security/ - Security in the EMEA region
http://www.databreaches.net/ - Office of Inadequate Security
http://www.govinfosecurity.com/ - Latest government information security news
http://www.net-security.org/ - Daily Security News site
http://www.securecomputing.net.au/
http://www.infosecisland.com/
https://cfo.executiveboard.com/public/ThirdPartyRiskManagementResourceCenter.aspx - Third Party Risk Management Resource Centre
www.burtongroup.com/guest/default.aspx - Free IT Research
http://csrc.nist.gov/publications/PubsFIPS.html
https://www.isfsecuritystandard.com/SOGP07/index.htm - Standard of good practice for Information Security
Wednesday, May 27, 2009
Security Metrics
http://www.securitymetrics.org
"Security Metrics - Replacing Fear, Uncertainty, and Doubt" by Andrew Jaquith - Addison-Wesley.
http://www.youtube.com/watch?v=dFsbqGJ3qEY - Security Metrics: A Beginner's Guide
Wednesday, May 6, 2009
Vulnerability Scanners
GFI LanGuard
Qualys
Rapid7 NeXpose
Catbird (service)
Acunetix Web Vulnerability Scanner (detects SQL Injection, XSS, etc.)
Secunia CSI (Corporate Software Inspector - informs about missing patches for thousands of third party programs on Windows platform)
Retina
Microsoft Baseline Security Analyzer
CoreImpact
ISS Internet Scanner
Saint
McAfee - Foundstone
nCircle - IP360
Saint Corp – Saint
Critical Watch - Fusion VM
NeXpose
System Scanner-Assuria
http://www.netiq.com/products/vsm/default.asp
http://www.scmagazineus.com/Best-policy-management-solution/article/130876/
http://www.outpost24.com
Tuesday, April 28, 2009
Governance Risk and Compliance Tools
http://www.ca.com/au/products/subcategory.aspx?id=8019
http://www.sai-global.com/compliance/default.htm
http://www.brighttalk.com/channels/1044/view - Global Compliance Channel
Wednesday, March 4, 2009
Key Management
What are the important aspects of an encryption key management policy?
Please feel free to post any thoughts on what you believe should be included in an encryption key management policy. Thanks in advance.
- What are the elements of a good backup policy? Is keeping keys in escrow enough? Or is a more immediately available backup needed as well?
- What kind of physical and logical access controls (or other measures) should be implemented around the keys to prevent unauthorized access, modification, duplication, or destruction of the keys?
- What are the elements of a good process for destroying keys that are old or may have been compromised? Should keys be periodically updated and replaced to further mitigate the threat of unauthorized duplicates?
- What are the best software solutions in the marketplace for managing encryption keys? What aspects of a software solution are most important?
- Who should be the ultimate approver for access to the keys? Particularly if the software owner and database owner are not the same person/group; which group should own the keys, related processes, and approval role?
You should definitely check out the NIST Key Management Guideline:
http://csrc.nist.gov/groups/ST/toolkit/key_management.html
Especially SP 800-57 Part 2, Recommendation for Key Management - Part 2: Best Practices for Key Management Organizations:
http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-57Part2April2005.pdf
And SP 800-57, Part 3 DRAFT Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance:
http://csrc.nist.gov/publications/drafts/800-57-part3/Draft_SP800-57-Part3_Recommendationforkeymanagement.pdf
With regards to your questions: the detailed specification of controls really depends on the risk posture, i.e. it's very different for personal finance data and for nuclear arms control. Besides, it's unrealistic to expect the same techniques to work universally across different applications/platforms.
As for the user interface aspect of key management, PGP is the gold standard:
http://www.pgp.com/products
Tuesday, March 3, 2009
Business Continuity
- http://training.fema.gov/emiweb/IS/is139lst.asp
- http://www.cpaccarolinas.org/Symposium07/07Presentations/PresentationWS2-Zino_ExerciseBrief.pdf
- http://www.bcphelp.com/docs/Courses.doc
- http://www.ccep.ca/index.shtml
- Exercise Evaluation and Improvement Planning - https://hseep.dhs.gov/support/VolumeIII.pdf
- Exercise Design (Independent Study Guide) - www.ncsu.edu/ehs/BCP/planning_templates/design_evaluation.php
- FEMA Exercise Evaluation Course - http://training.fema.gov/EMIWeb/STCourses/