Comparison of IT Risk Assessment and Information Security
International Organization for Standardization (ISO) 17799/27001:
ISO/IEC 17799 (since renumbered as ISO/IEC 27002) is an international code of practice listing information security controls; ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) against which an organization's security program can be audited and certified.
Control Objectives for Information and Related Technology (COBIT):
http://www.isaca.org/cobit.htm
Developed by IT auditors and made available through the Information Systems Audit and Control Association (ISACA). COBIT provides a framework for assessing a security program, developing a performance baseline, and measuring performance over time.
SysTrust:
http://www.aicpa.org/assurance/systrust/index.htm
Developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Public Accountants. SysTrust provides a framework for evaluating controls for information systems assurance.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):
http://www.cert.org/octave
Developed by the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute. OCTAVE is a self-directed, asset-driven methodology for identifying and evaluating information security risks, drawing on accepted best practices for assessing security programs.
NIST Documents on Risk Assessment:
http://csrc.nist.gov
The US National Institute of Standards and Technology has published several documents that outline frameworks for conducting technology risk assessment and evaluating information security. Two of the most helpful documents are Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems," and Special Publication 800-30, "Risk Management Guide for Information Technology Systems." Note that SP 800-26 has since been withdrawn in favor of the SP 800-53/800-53A control catalog and assessment procedures, and SP 800-30 was reissued in 2012 as Revision 1, "Guide for Conducting Risk Assessments."
Other Recommended Web Sites for General Information Security:
Industry and Professional Associations (including Academic Institutions)
- CSI (Computer Security Institute): http://www.gocsi.com
- SANS Institute: http://www.sans.org
- CIS (Center for Internet Security): http://www.cisecurity.org
- FS/ISAC (Financial Services Information Sharing and Analysis Center): http://www.fsisac.com
- BITS (Technology Subgroup of the Financial Services Roundtable): http://www.bitsinfo.org
- CERT (CERT Coordination Center): http://www.cert.org
- CERIAS (Center for Education and Research in Information Assurance and Security): http://www.cerias.purdue.edu
- NT BugTraq: http://www.ntbugtraq.com
U.S. Government and Law Enforcement Organizations
- Federal Computer Incident Response Center (FedCIRC): http://www.fedcirc.gov
- NIPC (National Infrastructure Protection Center): http://www.nipc.gov
- InfraGard: http://www.infragard.net
- Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Dept. of Justice: http://www.cybercrime.gov
- CIAO (Critical Infrastructure Assurance Office): http://www.ciao.gov
- National Institute of Standards and Technology: http://www.nist.gov
- Computer Security Resource Center: http://csrc.nist.gov
- National Security Agency: http://www.nsa.gov
Bank Regulatory Agencies
- Federal Deposit Insurance Corporation: http://www.fdic.gov
- Office of the Comptroller of the Currency: http://www.occ.treas.gov
- Federal Reserve Board: http://www.federalreserve.gov
- Basel Committee on Banking Supervision: http://www.bis.org