Standards and Frameworks
Business Model for Information Security
ISACA BMIS
CIS
Center for Internet Security
The Center for Internet Security (CIS) is a non-profit enterprise that delivers security configuration benchmarks through a global consensus process involving participants from the public and private sectors.
COBIT
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and practices for IT control throughout organizations.
CVE (Common Vulnerabilities and Exposures)
CVE is a dictionary of publicly known information security vulnerabilities and exposures.
FFIEC IT Examination HandBook InfoBase
Resources related to FFIEC IT audits and examinations.
Guide to Assessment of IT General Controls Scope based on Risk (GAIT)
The IIA's GAIT, focused principally on Sarbanes-Oxley, provides guidance on identifying and linking the COSO constructs of internal control objectives with assertions, risks and controls, so that audit and IT practitioners can make well-informed decisions about which controls to include in and exclude from scope.
Global Technology Audit Guide (GTAG)
Written for the chief audit executive, the IIA's GTAG publications provide guidance on information technology. Each guide addresses timely issues related to IT management, control or security.
HIPAA
HIPAA (the Health Insurance Portability and Accountability Act) is the United States federal law whose Privacy and Security Rules set requirements for protecting health information held by covered entities and their business associates.
ISO 17799
ISO is the developer of International Standards specifying requirements for state-of-the-art products, services, processes, materials and systems. ISO 17799 is focused on controls and practices for information security; it has since been renumbered as ISO 27002 (see ISO 27000). Also visit the ISO 17799 Directory at http://www.27002.net/
ISO 27000 and ISO 27001
The ISO 27000 series of standards promises to cover a larger body of practice. Information on these developments can be found at http://www.w3j.com/5/index.html. Information on ISO 27001 can be found at http://www.27001-online.com
ISO 38500
ISO 38500 covers corporate governance of information technology.
ITIL
IT Service Management best practices from the Office of Government Commerce, focused on the strategic business value delivered by IT through high-quality service.
NERC
NERC establishes standards and compliance for reliability and critical infrastructure programs in the U.S.
NIST
NVD (Government repository)
NIST resource
NIST's Computer Security Division conducts research and studies, advises agencies on IT vulnerabilities, and devises techniques for the cost-effective security and privacy of sensitive Federal systems. NIST also develops standards, metrics, tests and validation programs, and has long published guidance on secure IT development, usage, planning, implementation, management and operation, among many other related topics.
NIST: Risk Management Guide
NIST Risk Management Guide for Information Technology Systems.
PCI
The PCI Security Standards Council establishes requirements for merchants and service providers handling credit card information.
See the PCI Security Standards Council
RiskIT
ISACA RiskIT Framework
Value Framework for Business Technology Management
ISACA ValIT
