Security Survey Directory

CSO Online article “The security data and survey directory” contains a good list on this subject.

The directory is divided into categories:

  • Risk Management
  • Attack Vectors
  • Security Spending, Budgets & Priorities
  • Physical Security and Loss Prevention
  • Security Controls
  • Data Security and Data Breaches
  • Software/Application Security
  • Compliance & Governance
  • Business Continuity & Disaster Recovery
  • Social Networking
  • Security Careers, Skills, Salary and Benefits
  • Virtualization & Cloud Computing
Posted in Security Management

Security laws and regulations directory

CSO Online article “The security laws, regulations and guidelines directory” contains a good list on this subject. This list is a good starting point when looking into which laws and regulations exist.

  • Broadly applicable laws and regulations
  • Industry-specific guidelines and requirements
  • Key state laws
  • International laws

It contains links to laws and regulations such as:

  • Sarbanes-Oxley Act (aka Sarbox, SOX)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Information Security Management Act (FISMA)
  • North American Electric Reliability Corp. (NERC) standards
  • European Union Data Protection Directive
  • Safe Harbor Act
Posted in Security Management, Security Organizations

Another Security Vocabulary by IETF

There is another vocabulary called “Internet Security Glossary, Version 2”. It is IETF RFC 4949 from 2007.

IETF = Internet Engineering Task Force

Note that in RFC 4949 the definitions might differ from the ITU and ISO definitions.

For example, “information security” is defined as:

$ information security (INFOSEC)
(N) Measures that implement and assure security services in
information systems, including in computer systems (see: COMPUSEC)
and in communication systems (see: COMSEC).

$ COMSEC
(I) See: communication security.

$ communication security (COMSEC)
(I) Measures that implement and assure security services in a
communication system, particularly those that provide data
confidentiality and data integrity and that authenticate
communicating entities.

Usage: COMSEC is usually understood to include (a) cryptography
and its related algorithms and key management methods and
processes, devices that implement those algorithms and processes,
and the lifecycle management of the devices and keying material.
Also, COMSEC is sometimes more broadly understood as further
including (b) traffic-flow confidentiality, (c) TRANSEC, and (d)
steganography [Kahn]. (See: cryptology, signal security.)

Posted in ICT Terminology, Security Terminology, Security Training, Awareness and Reports

ITU Terms and Definitions

ITU (International Telecommunication Union, intro) has an online database of terms and definitions in 6 languages. Currently there are more than 100000 terms.


For the term “information security” it finds a match in ITU-T.

  • Term : information security
  • Definition : Security preservation of confidentiality, integrity and availability of information.
  • Source : X.1051 (04), 3.3


Note that in ISO 27000 it is defined almost identically:

  • information security
    • preservation of confidentiality (2.9), integrity (2.25) and availability (2.7) of information
    • NOTE In addition, other properties, such as authenticity (2.6), accountability (2.2), non-repudiation (2.27), and
      reliability (2.33) can also be involved.


For the term “cybersecurity” it finds the following (ITU-T).

  • Term : cybersecurity
  • Definition : Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:
    – Availability
    – Integrity, which may include authenticity and non-repudiation
    – Confidentiality.
  • Publications :
    ITU-T X.1205 (04/2008)


But what about ISO standards? It is much trickier to find a definition. There is a forthcoming ISO standard 27032, which applies the definition of information security to cyberspace…

  • Cybersecurity
  • Cyberspace security
    • preservation of confidentiality, integrity and availability of information in the Cyberspace
    • NOTE 1 In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
    • NOTE 2 Adapted from the definition for information security in ISO/IEC 27000:2009
Posted in ICT Terminology, ITU-T, Security Terminology, Security Training, Awareness and Reports, Telecom Security

ISO Standards, Risk Management and Information Security Vocabularies

There are different vocabularies for information security. One good reference for risk management is ISO Guide 73 from 2009.

For information security, one should look at ISO 27000 from 2009.

Unfortunately these standards are not free.

For a free vocabulary, it is worth looking at the ITU definitions.

Posted in ICT Terminology, ISO, Risk Management, Security Terminology, Security Training, Awareness and Reports

ITIL support material

The following 3 books (free) are supportive material. Worth having.

Posted in ICT Leadership and Management, Security Standardization and Practises

HMG IA Standard No.1 – Technical Risk Assessment (2009)

There are several risk assessment methods in addition to the related ISO standards. This one from the UK government also contains a worked example. It is worth a quick look.

Document “HMG IA Standard No.1 – Technical Risk Assessment – Issue 3.51, October 2009”.

It is on the CESG site. CESG is the UK Government’s National Technical Authority for Information Assurance (IA).

Other links to CESG IA are:

Posted in ICT Leadership and Management, Risk Management, Security Standardization and Practises