Showing posts with label External Reference.

Guide for Applying the Risk Management Framework to Federal Information Systems


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Risk Management]
[NIST]

Guide for Applying the Risk Management Framework to Federal Information Systems
NIST 800-37

Introduction

Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.


The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS


[External Reference]
[Computer Systems Security]
[Standards]
[Cloud Computing]
[NIST]


CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS
NIST 800-146

Executive Summary

Cloud computing allows computer users to conveniently rent access to fully featured applications, to software development and deployment environments, and to computing infrastructure assets such as network-accessible data storage and processing.
This document reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open issues, presents an overview of major classes of cloud technology, and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing. Cloud computing has been the subject of a great deal of commentary. Attempts to describe cloud computing in general terms, however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models. This document describes cloud systems and discusses their strengths and weaknesses.

Depending on an organization's requirements, different technologies and configurations are appropriate. To understand which part of the spectrum of cloud systems is most appropriate for a given need, an organization should consider how clouds can be deployed (deployment models), what kinds of services can be provided to customers (service models), the economic opportunities and risks of using cloud services (economic considerations), the technical characteristics of cloud services such as performance and reliability (operational characteristics), typical terms of service (service level agreements), and the security opportunities and risks (security).

The full document is available through the following link:
http://www.thecre.com/fisma/wp-content/uploads/2012/05/sp800-146.pdf

A Framework for Assessing and Improving Enterprise Architecture Management (Version 2.0)


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Software Architecture]
[Enterprise Architecture]


A Framework for Assessing and Improving Enterprise Architecture Management (Version 2.0)
GAO-10-846G

Why GAO did this study

Effective use of an enterprise architecture (EA) is a hallmark of successful organizations and an essential means to achieving a desired end: having operations and technology environments that maximize institutional mission performance and outcomes. Among other things, this includes realizing cost savings through consolidation and reuse of shared services and elimination of antiquated and redundant mission operations, enhancing information sharing through data standardization and system integration, and optimizing service delivery through streamlining and normalization of business processes and mission operations. Not using an EA can result in organizational operations and supporting technology infrastructures and systems that are duplicative, poorly integrated, unnecessarily costly to maintain and interface, and unable to respond quickly to shifting environmental factors.

To assist organizations in successfully developing, maintaining, and using an EA, GAO is issuing this major update to its Enterprise Architecture Management Maturity Framework. Its purpose is to provide a flexible benchmark against which to plan for and measure EA program maturity. To develop the update, GAO solicited comments from 27 federal departments and agencies, as well as representatives from the private sector, state governments, and academia, and it leveraged its prior experience in applying the framework.

The full document is available through the following link:
http://www.gao.gov/assets/80/77233.pdf

Video: Warriors of the Net


[External Reference]
[Networking]
[Video]


Video: Warriors of the Net
© Copyright 2002 Gunilla Elam, Tomas Stephanson, Niklas Hanberger. All rights reserved.

"Did you ever wonder how the Internet works? What does a router look like? What color does an IP packet have? How does an IP packet travel through a firewall? All the answers and many more can be found in the Warriors of the Net movie. It is available in many different languages. It is the perfect tool for introducing the Internet to novice users. It helps newcomers visualize how the Net works." (Warriorsofthe.net n/d)


The video is available on YouTube, with translation to many languages, through the following link:
http://www.youtube.com/user/FrippeMax?feature=watch


References:

Warriorsofthe.net (n/d). The Official Warriors of The Net Site. Retrieved on January 25, 2013, from:
http://warriorsofthe.net/

NIST Standards on How to Secure Operating Systems


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[OS Security]
[NIST]


NIST Standards on How to Secure Operating Systems
NIST 800-70 v2

National Checklist Program Repository (NCP)

A full-featured guide and tool with checklists and security benchmarks for all operating systems and devices (from mainframes to mobile devices). It is based on the NIST 800-70 v2 standard. A must-have reference source for the security professional.

The link for the National Checklist Program Repository is:
http://web.nvd.nist.gov/view/ncp/repository

Recommended Security Controls for Federal Information Systems and Organizations


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]


Recommended Security Controls for Federal Information Systems and Organizations
NIST 800-53 v3

Introduction

The Need For Security Controls to Protect Information and Information Systems

The selection and implementation of appropriate security controls for an information system or a system-of-systems are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?

- Have the selected security controls been implemented or is there a realistic plan for their implementation?

- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?

The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks arising from its information and information systems. The security controls defined in this publication and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.


The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Computer Security Incident Handling Guide


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Incident Handling]
[NIST]


Computer Security Incident Handling Guide
NIST 800-61 v2

Abstract

Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
[PII]


Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
NIST 800-122

Executive Summary

The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations.

The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

Introduction to Algorithms - MIT Open Courseware

[External Reference]
[Software Development]
[Algorithms]
[MIT]
[Open Courseware]


Introduction to Algorithms - MIT Open Courseware
(FREE COURSE)

Hands down the best course in algorithms and software development! The Massachusetts Institute of Technology (MIT) provides everything from class assignments, book references, lecture videos, code samples and exams!


The course is available FREE OF CHARGE through the following link:
http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-046j-introduction-to-algorithms-sma-5503-fall-2005/index.htm



Leiserson, Charles, and Erik Demaine. 6.046J Introduction to Algorithms (SMA 5503), Fall 2005. (Massachusetts Institute of Technology: MIT OpenCourseWare), http://ocw.mit.edu (Accessed 30 Jan, 2013). License: Creative Commons BY-NC-SA

Video: Introduction to Software Architecture

[External Reference]
[Software Architecture]
[Video]


Video: Introduction to Software Architecture
By George Fairbanks

A great introductory video on the subject of software architecture.


The video is available on YouTube through the following link:
http://www.youtube.com/watch?v=x30DcBfCJRI&list=PLwjOdSdhcKGBJkcHvG3vZlOhp-Dg2hxTJ&feature=mh_lolz

An Introduction to Computer Security: The NIST Handbook

[External Reference]
[Computer Systems Security]
[Standards]
[NIST]



An Introduction to Computer Security: The NIST Handbook
NIST 800-12

Purpose

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.

The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.

The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems are noted in the text. This document provides advice and guidance; no penalties are stipulated.

The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

Information Security Handbook: A Guide for Managers


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]


Information Security Handbook: A Guide for Managers
NIST 800-100

Introduction

This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology (NISTIR) Interagency Report 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.

The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf

The Security Tools Every Security Professional Should Know About

[External Reference]
[Computer Systems Security]
[Security Tools]
[Networking]


The Security Tools Every Security Professional Should Know About 

The full list of security tools is available at:
http://sectools.org/

Internet Standards - RFCs

[External Reference]
[Networking]
[Internet]
[RFC]
[Standards]


A complete list of all Internet standards and RFCs.

The list is available at:
http://www.rfc-editor.org/categories/rfc-standard.html

Understanding Security Using the OSI Model

[External Reference]
[Networking]
[Computer Systems Security]
[OSI]


Understanding Security Using the OSI Model
Abstract

This paper is written as a guide for those who do not labor through the wee hours of the morning (yet) studying every new Information Technology (IT) vulnerability. This paper will provide a breakdown of the OSI (Open Source Interconnection) model, and using that model, explain some well-known vulnerabilities. The paper will take each layer of the OSI model (there are seven) and describe a relevant vulnerability with a solution to that problem area. The reader will become more aware of the vulnerabilities that exist in the IT environment. More importantly, the reader will be able to use the OSI model as a guide to simplify the security process.

The full paper is available at:
http://www.sans.org/reading_room/whitepapers/protocols/understanding-security-osi-model_377