There is plenty of useful, high-quality information on the Internet relating to IT governance, information security etc. The trouble is, much of it is buried under an even larger amount of irrelevant and low-quality stuff. The links on this page direct you to some of our favourite public resources available on the Internet. These are not endorsements or advertisements - we have no control over them. We also maintain a growing collection of links to information security and other web resources relating to the monthly topics covered by our innovative information security awareness service, NoticeBored.
Information security & ISO/IEC 27000 resources
To find out about the ISO/IEC 27000-series information security management standards, please visit our informational site ISO27001security.com or, if you speak Spanish, try www.ISO27000.es.
CERIAS is our first choice for general information security resources, including their own massive collection of hyperlinks.
CERT-CC, the Computer Emergency Response Team Coordination Center at Carnegie Mellon University’s Software Engineering Institute, is an authoritative source of news on information security incidents and has a wealth of advice to support security managers dealing with incidents in progress. It also publishes weekly Cyber Security Bulletins with info on new information security vulnerabilities.
The Honeynet Project is a fascinating experiment researching the techniques actually used by real-world hackers by luring them to carefully engineered and managed websites. The research methods and results demonstrate the extreme degree of technical sophistication and diligence required to keep up with the game. Take a good look if your technical skills are up to it: it helps if you are a TCP/IP guru.
WindowSecurity dotcom provides Windows security news, articles, tutorials, software listings and reviews for Windows system administrators and power users.
The Network Security Library contains hundreds of articles, FAQs, white papers and books on network security, gathered from various sources throughout the industry.
The World Bank’s information security manual offers nearly 300 pages of well-written good practice advice officially intended for the developing world. It is structured differently but covers broadly similar information security management topics to ISO/IEC 27002.
The Computer Security Institute, based in San Francisco, publishes an annual survey of computer crime and security in conjunction with the FBI. Other significant surveys are published by Ernst & Young, PricewaterhouseCoopers, Gartner and the Information Security Forum, to name but a few (wouldn’t it be good if these groups co-operated on joint surveys across an even broader population? Some hope!).
Rob Slade from British Columbia is an enormously prolific and entertaining writer on viruses and other information security topics. He maintains a good hyperlinked information security glossary and reviews a huge number of information security books. His book reviews are sharp as broken glass - not so much beating about the bush as beating about the head. Check Rob’s reviews before buying your information security books on-line from Amazon.
Fred Cohen’s site has lots of information on information warfare and many other aspects of information security. Read the “50 ways” papers for some quick tips on things to avoid if you want to keep your systems secure.
The Business Continuity Institute provides advice and guidance to its members but also has some public information for those interested in contingency planning and corporate governance.
The Information Systems Security Association is a professional body representing information security specialists - join ‘the global voice of information security’!
[IT] governance resources
James Governor (great name!) has proposed having IT Boards to govern the IT function in similar fashion to Exec Boards governing corporations. Many mature organizations already have IT Architecture or IT Infrastructure Committees tasked with guiding the technical strategy but extending this to include IT governance is an interesting thought.
The Open Compliance and Ethics Group’s mission is “to help organizations align their governance, compliance and risk management activities to drive business performance and promote integrity”.
There are signs (at long last!) that IT governance is finally reaching the Boardroom, largely in response to Sarbanes-Oxley. Infosec professionals have done a pretty poor job of highlighting the competitive advantages of proactively managing information security risks but the threat of legal action is having an effect. No carrot, all stick.
The IT Governance Institute, an ISACA spin-off, published a collection of papers relating to IT governance including suggested Board agendas and other tools to help raise your organization’s awareness of the issues involved (including COBIT and ValIT).
The European Corporate Governance Institute has a wealth of information on corporate governance including downloadable versions of the Higgs, Turnbull, Cadbury & other governance reports.
SOX-online, the largest collection of Sarbanes-Oxley materials on the web, includes songs and jokes about SOX. See, some accountants and auditors are human after all!
IT audit resources
Jim Kaplan’s website, www.auditnet.org, includes ASAP (Auditors Sharing Audit Programmes), a collection of audit programmes (checklists) that can be useful to get you going on a new topic. Jim also maintains an enormous and well-structured collection of hyperlinks, with a special focus on sites for IT audit and related professions.
ISACA caters primarily for IT auditors, although there is a wide overlap with information security management and it now styles itself as an IT governance body.
The Institute of Internal Auditors is a professional body representing all internal auditors (not just IT auditors!) - its IT Audit bulletin board is a good place to post practical questions and answers on IT audit topics.
Google and AltaVista (amongst many other search engines) are wonderful tools for researching any topic, especially once you get the hang of the search syntax. The Google Toolbar makes it easy to search from any page and Google Alert tracks changes in the results of standard Google searches that you often repeat.
Bridging resources
... sorry, we don’t know of any really good bridging links. Maybe the topic is too new or more likely we haven’t spent enough time searching. If you know of any good bridging links, please let us know.
A well-written piece in Fast Company magazine describes a kind of team-building course organised as a ‘thinking expedition’. The tutors help students break out of constrained ways of thinking by explaining different types of corporate strategy: Level One is effectiveness - doing the right things. Level Two is efficiency - doing things right. Level Three is improving - doing the right things better. Level Four is cutting - doing away with things. Level Five is copying - doing things other people are doing. Level Six is different - doing things no one else is doing. And Level Seven is impossible - doing things that can’t be done. [Level 4 is definitely worth remembering when management propose to automate established business processes. “Do we still need this process?”].
Testing software security resources
Professor Cem Kaner, along with Hung Q. Nguyen and Jack Falk, wrote The Bible on software testing: “Testing Computer Software”, originally published in 1988 and reprinted/republished several times since. This outstanding best seller describes the process of software testing from the real-world perspective of professional test managers. It covers the corporate politics that surround testing, describes how to set up a test lab and includes a superb checklist of ‘things worth testing’. Best of all, it brings a touch of humour to an otherwise very dry subject. Nguyen has also written “Testing Applications on the Web”, another extremely useful book full of practical tips for testers.
There’s a very useful FAQ on software testing and quality assurance.
If you would like to practice your testing skills, this website links to a dummy web application.
Infosec news sites and eZines
RISKS is an excellent digest of news stories relating to risk, most of which in fact are IT risks. RISKS has been running for as long as I can remember. It often reports interesting news from somewhat obscure sources (local papers etc.) that other lists miss. You are requested to read RISKS as a newsgroup (comp.risks or equivalent); otherwise, send an email to risks-request@csl.sri.com with the one-line body “subscribe”.
The Information Security News (ISN) mailing list is an excellent way to keep up with, well, I guess you’d call it information security news, through about six carefully selected emails a day, hyperlinked to the original sources. To subscribe, send an email to majordomo@attrition.org with “subscribe isn” in the body.
SC Magazine has information security news and product reviews. It has US, UK and Asia/Pacific editions.
Security Magazine has lots of news and information on physical security, including a large buyers’ guide (that’s a large guide for buyers, not necessarily a guide for large buyers).
Infosecuritymag dotcom is an eZine (web-based magazine) specializing in information security.
IT Security dotcom carries information security news, free news digest/newsletters, and comprehensive security product listings. The Clinic offers sage advice on information security issues submitted by visitors and answered by a panel of experts.
The Register is an irreverent British eZine with an interesting, often tongue-in-cheek slant on the IT news. Its information security section has plenty of examples of breaches caused by human and technological failures.
The Data Administration Newsletter carries interesting articles on a broad range of IT topics, occasionally including information security and other IT governance issues.
Add your links
Please contact IsecT to suggest additional Internet resources (i.e. add URLs) or tell us about broken links. Rather than list hundreds of links, we’d prefer to stick to the best: if your favourite site is not yet listed, please let us know and we’ll happily check it out. Reciprocal links from relevant partners are always welcome, of course!