
Information security management
The SANS Internet Storm Center’s Handler’s Diary provides a wonderful source of up-to-date information on current Internet security threats, aimed at information security managers, information technologists and power users. If you are in one of these select groups, consider setting your browser’s home page to the latest Handler’s Diary page to keep up with current events at least once daily.
Rob Slade from British Columbia is an enormously prolific and entertaining writer on viruses and other information security topics. He maintains a good hyperlinked information security glossary and reviews a huge number of information security books. His book reviews are sharp as broken glass - not so much beating about the bush as beating about the head - no holds barred. Check Rob’s reviews before buying your information security books, perhaps from Amazon.com, or for that matter before writing one of your own.
The Computer Security Handbook (4th edition) edited by Seymour Bosworth and Mich Kabay (~$99 from Amazon) is the recommended course text in at least one Masters degree in information assurance.
The Official (ISC)2 guide to the CISSP CBK, edited by Harold Tipton and Kevin Henry (2006 edition, ~$53 from Amazon) is the best available source of information on what is in the Common Body of Knowledge against which CISSP candidates are examined. [We’ll be reviewing this book soon.]
A collection of security checklists (also known as baseline standards, platform hardening guides etc.) is available at NIST’s Computer Security Resource Center.
Papers on security management at the Carnegie Mellon Software Engineering Institute are worth a look.
Security Management magazine from ASIS and CSO Magazine from CXO Media Inc. are aimed directly at security managers, information security managers, chief security officers, chief information security officers and others with an interest in managing information security risks.
The Information Security Forum is effectively a trade association for information security managers. The ISF Standard of Good Practice for Information Security [6.7 Mb] is a useful benchmark and their regular Information Security Status Surveys provide insight to the issues underlying the statistics. It’s a real shame that ISF membership is effectively restricted to large multinationals due to their outrageously high fees.
The World Bank InfoDev project published an information technology security handbook of nearly 300 pages of well-written good practice advice. According to the authors, it focuses on the needs of “individuals, small businesses, governments and system and network administrators in developing countries” although the guidance seems equally applicable anywhere. It emphasizes commonplace security technologies such as antivirus and firewalls rather than security awareness, but at least ‘security culture’ gets a (brief) mention.
Risk management
Tom Peltier’s book Information Security Risk Analysis (2nd edition, ~$64 from Amazon) is a practical guide to the process by an excellent author.
The IT Compliance Institute’s auditors’ checklist for reviewing enterprise risk management practices [access requires free registration] includes advice for auditees as well as auditors.
The Society for Risk Analysis has interests in risk assessment, risk characterization, risk communication, risk management, and policy relating to risk, covering risks to human health and the environment, both built and natural, threats from physical, chemical, and biological agents and from a variety of human activities as well as natural events. Information security is clearly not the only risk out there!
The US Department of Defense clearly faces serious information security risks. According to a presentation about security policies by ex-military man and honeynet guru Lance Spitzner, the DoD recognizes seven ‘levels’ of threat.
Information security risk management standards, methods & tools
An encyclopaedia of ‘internal [IT] threats’ from Promisec in fact details technical vulnerabilities (not threats!) in common P2P software such as Skype, remote support programs etc.
International standard ISO/IEC 27002 (originally called BS7799 part 1) is probably the most widely accepted information security management standard with around 4,500 organizations having been certified against the accompanying specification standard ISO/IEC 27001 (originally BS7799 part 2). ISO/IEC 27005 is a new ISO/IEC standard, published at the end of June 2008, covering information security risk management, specifically. It replaces the third part of BS7799 and part of ISO TR 13335. Read more about the ISO/IEC 27000-series information security standards.
A number of risk analysis methods are outlined and linked from the ISO27k FAQ. ENISA published useful info on a number of risk management methods and tools (check the drop-down menus on the left).
Bruce Schneier’s Beyond Fear (~$17 from Amazon) explains and promotes risk analysis techniques. Whilst some Amazon reviewers heavily criticize Schneier’s loose use of particular terms they consider sacred, most agree that he does have a knack of simplifying complex issues for a lay audience.
As with NIST’s other Special Publications, the 55-page SP 800-30 Risk Management Guide for Information Technology Systems is well-written and serves as a useful reference.
Australia/New Zealand standard AS/NZ 4360:2004 provides a generic guide to managing risk in a wide range of activities, decisions or operations. An accompanying handbook is also available. Together they provide generic guidance for establishing and implementing effective risk management processes in any organization. They demonstrate how to establish the proper context, and then how to identify, analyze, evaluate, treat, communicate and monitor risks. They are globally respected, not just in Australasia.
A handy set of examples of information security threats and vulnerabilities is given in a guideline from the Australian New South Wales Department of Commerce Office of Information and Communications Technology, part of the Department’s Information Security Guideline for NSW Government - Part 1 - Information Security Risk Management. When analyzing information security risks, it is worthwhile consulting checklists of this nature to ensure that a broad range of possible scenarios is considered.
The Institute of Risk Management (IRM) is a global body representing professionals concerned with all forms of risk. Their risk management standard is a free download.
A section of the Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment. FFIEC is an “interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions”.
IAM (INFOSEC Assessment Methodology) “consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP” [which presumably means the NSA’s INFOSEC Assurance and Training Program - the website is a mess of alphabet soup].
FAIR (Factor Analysis of Information Risk) is a method for analyzing information security risks. Despite some rather provocative comments about the novelty and quality of the method, it seems to be a conventional albeit fairly rigorous risk analysis process.
An information security risk management handbook from the Security Officers Management and Analysis Project (SOMAP) is a high level outline on risk management, both in general and specifically in relation to information security. It aims to describe “how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities.” It is loosely structured around ISO/IEC 27001/2. The accompanying SOMAP Information Security Risk Assessment Guide focuses on risk management in greater depth than the handbook.
Practical Threat Analysis (PTA) is described by the vendor as “a calculative threat modeling methodology and software technology that assist computer security analysts and software developers in managing the risks in their systems and building an appropriate risk mitigation policy.” PTA is free for students, researchers, independent security analysts and software developers who figure out what ‘calculative’ means.
US CERT issues a handy email update of vulnerabilities announced in the previous week. They mention patches, workarounds and other actions to help mitigate risk.
The Information Security Forum has developed and documented at least three information security risk analysis methods (FIRM, SARA and SPRINT). Citicus ONE is an award-winning software package based on the FIRM method.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a “risk-based strategic assessment and planning technique for security” developed by Carnegie Mellon University’s Software Engineering Institute.
Federal Information Processing Standard Publication (FIPS PUB) 199 defines US Government Standards for Security Categorization of Federal Information and Information Systems, as mandated by the Federal Information Security Management Act (FISMA) of 2002.
CRAMM, formerly a UK Government risk management method, is now owned by Insight Consulting, part of Siemens.
The Threat and Risk Assessment Working Guide is a 132-page Canadian Government Communications Security Establishment paper describing [parts of] the information security risk management process.
A 78-page sample Business Impact Analysis report by Gartner shows just how detailed a BIA can get. [Whether this level of detail helps a business manage its risks cost-effectively is however debatable!]
Information Security Management Maturity Model (ISM-cubed) is a developing method that seeks to apply ISO 9000-style quality management and capability maturity model processes to information security management. The latest papers on the site date from 2007, so the project may have lapsed :-(
The US Postal Service published what some have described as the most comprehensive security manual on the web. Here’s another from Australia. Our own Information Security Policy Manual is a quicker option if you can afford $295 for a ‘clean’ generic manual based on ISO/IEC 27002.
ISO 21827:2002 describes a Capability Maturity Model for systems security engineering, in other words a benchmark for comparing and improving the organization’s competence in this area. The systems security engineering capability maturity model provides a structured framework for benchmarking and improving information security.
The IT Infrastructure Library (ITIL) describes best practices for managing IT services. In How ITIL can improve information security, the benefits of ITIL on service quality are emphasized specifically in relation to information security management. ITIL stresses which processes should be adopted, both within IT and to manage relationships with the IT user departments.
A number of organizations (including many IT auditors) are using ISACA’s COBIT framework to structure or review their information security management, as part of the IT management structures.
Outsourcing Information Security (~$76 from Amazon) has a broader remit than the title suggests. The bulk of the book gives sound advice on outsourcing in general.
Related NoticeBored links collections
Incident management, IT Operations and contingency planning
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.