Standards are essential to good security management. The available data on standards methodology is massive, so we'd like to tighten our focus based on successful experiences. The NIST 800 series documents and FIPS 199 are an excellent starting point. You are likely not a federal organization, but the framework and methodology offered in these documents are useful in any environment. Some of the NIST documents are a bit dated, but NIST issues revisions and updates periodically. Consider the following essential reading; there are many more in the NIST Special Publications 800 Series:

Guide to NIST Information Security Documents
FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
800-26 - Security Self-Assessment Guide for Information Technology Systems
800-27 - Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
800-30 - Risk Management Guide for Information Technology Systems
800-31 - Intrusion Detection Systems (IDS)
800-42 - Guideline on Network Security Testing
800-50 - Building an Information Technology Security Awareness and Training Program
800-53 - Recommended Security Controls for Federal Information Systems
800-55 - Security Metrics Guide for Information Technology Systems
SP 800-60 Vol.1 Rev.1 & SP 800-60 Vol.2 Rev.1 - Guide for Mapping Types of Information and Information Systems to Security Categories

Recent Guides pertinent to Incident Handling

800-83 - Guide to Malware Incident Prevention and Handling
800-86 - Guide to Integrating Forensic Techniques into Incident Response
800-92 - Guide to Computer Security Log Management
800-94 - Guide to Intrusion Detection and Prevention Systems (IDPS)
Guides and Benchmarks

The NSA's Security Configuration Guides are also an excellent resource for hardening systems, including servers, databases, routers, etc. Rather than list them all, simply begin here: NSA Security Configuration Guides

The CIS Benchmarks are excellent for establishing a strengthened system posture across many platforms.

ISO

ISO Standards provide an excellent framework on your way to achieving compliance with SOX or PCI, or simply ensuring that your environment achieves an acceptable baseline. Most relevant to our cause are ISO 17799 (soon to be ISO 27002) and ISO 27001. "ISO 27001 defines the requirements for an Information Security Management System (ISMS) and uses ISO 17799 to indicate suitable information security controls within the ISMS. ISO 27001 incorporates a summary of ISO 17799:2005 controls as an appendix." [1] There's detailed content on both at ISO 27001 Security. See also:

The ISO 27001 and ISO 27002 (ISO 17799) Community Forum
The ISO 27000 Directory
ISO27001 Security has released the ISO27k Toolkit:

Toolkit
FMEA Spreadsheet
FAQ