The MESSI List

Sources for MESSI (Managerial and Executive Security Systems Information)


·         Consider using “FIND” to get the links you need.

·         This list aims to provide ideas regarding security systems to management or technologists needing to interact with management or leadership of an organization. It includes technical sources too.

·         Thanks go to past students from one college and three universities, from Bachelor’s to Master’s and Doctoral level.

·         This list has no specific order at this stage.

·         Should you discover another source that is important, or have related ideas, please mail these to [email protected] – do not send embargoed, for-sale, marketing-based, or confidential items.

·         This file is version May 2014 and includes input from students at many universities. Please share your interesting sources! Thanks go out to Paul for the last update.


Recent Updates:

NIST Cybersecurity Framework (CSF):

Small Business


Global Security Reports

(Annual reports, including strategies, available for download from the top three audit companies: PWC, E&Y, and the top network company, Cisco)



2017 – Moving forward with Cybersecurity and Privacy:

2014 – Defending yesterday:

2013 – Changing the Game:

2012 – Eye of the Storm:



2015 – Creating trust in the digital world: EY’s Global Information Security Survey 2015:

2014 – Get ahead of cybercrime:

2013 – Under cyber attack: EY’s global information security survey 2013:

2012 – Fighting to close the gap: 15th Annual Global Information Security Survey:

2011 – 14th Annual Global Information Security Survey:
Other Reports



Open Web Application Security Project (OWASP), with ideas, a Top 10 list, and code samples. The core objective is safe code through improved security within application software. See WebGoat for a testing solution at



Georgia Tech:

Emerging Cyber Threats Report 2016:

Emerging Cyber Threats Report 2015:

Emerging Cyber Threats Report 2014:

Cyber Security Summit Emerging Cyber Security Threats 2013:

Emerging Cyber Security Threats 2012:

Emerging Cyber Security Threats 2011:



State of Cybersecurity: Implications for 2016

State of Cybersecurity: Implications for 2015


Strategic/Executive Reports



Global goods trade has declined sharply, but global flow of data has spiked:

Any organization that is going to rely on “Big Data” – Protect it!



Small Business Information Security: The Fundamentals:

(An excellent brief overview that also includes cost/benefit data)



10Minutes: quick PDFs designed to give key insights on important business issues:

Monetizing data while respecting privacy (2016):

Safeguard Your Sensitive Data (2010):

Positioning business value of information & Security (2008):

Safeguard Your Sensitive Data (2008):

How to align security with your strategic business objectives (2005):



(Registration is required to view the following reports)

A business model for Security:

The Risk IT Framework:


United States Federal Government:

International Strategy for Cyberspace:


Governance & Roles



A broad vision of governance from Board Level:



Governance and Roles:

COBIT 5 exposure draft:

COBIT 5 process reference guide:

COBIT 5 – 5 Essential Facts:

Intro to COBIT 5 (PowerPoint):

COBIT 5 for Information Security (PowerPoint):

VAL IT Framework – Governance of IT Investments:


CSO Online:

What is a CSO:



Information Security Index:

Sample roles:



Ponemon Institute:

(Many relevant sources: privacy, governance, cost, health, and business cases)

Data Security:



The Emerging Role of IT Governance:

Operational IT Governance:




Information Security Handbook:

Inherent and residual risk:



Separation of Duties (SoD):


Internet Security Alliance:

Financial impact analysis of Cyber Risk (2008):

Financial management of cyber risk (2010):

Sophisticated Management of Cyber Risk (2013):



Risks in the OSI network Stack (An excellent article):


The Register:

Current status of zero-day attacks:




LazarusAlliance: (A Wiki approach)


Information Security, law, governance, frameworks, assessment, etc.

Policy – see



Reading Room:

Policy Project (Best items are at the bottom of the page):

Security Policy Roadmap:

A general overview that introduces the need for business integration:


IRS p1075

Tax Information Security Guidelines - For Federal, State and Local Agencies.

Safeguards for protecting federal tax returns and return information



Federal Bureau of Investigation, Criminal Justice Information Services Division: CJIS Security Policy


Cleveland State University:

A number of policy items:


Department of Housing and Urban Development:

Complete policy (Includes roles):



An introduction to security policies:


IASE: Information Assurance Support Environment.

Broad set of content including awareness, other training, and some technical resources:






ISO Documents (Only a few are free to access):

ISO Standards (Includes security, risk, and more):


UK Government:

Input on IT Security:

European Union (EU) Privacy sources



PCI standards council (PCI-DSS and PA-DSS):


California State:

Privacy standards for the state:


The Committee on National Security Systems (CNSS):

Links to partners:



Security Development Lifecycle (Don’t confuse with SDLC):



Security Homepage (Various options and the publications in the middle section of the page):

A security Procedure (network perimeter defense):



Guidelines on firewalls (2009):


NIST Publications

These are key to many courses and in general practice.


Special Publications – the 800 series covers Computer Security, the 1800 series Cybersecurity Practice Guides, and the 500 series Computer Systems Technology items


FIPS Publications (Especially FIPS 199 & 200):


Interagency Reports (IR) (Especially IR 7359):


Information Technology Lab (ITL) (Shorter versions of some NIST publications):
CompTIA has several certifications; the focus is hands-on practical content, with less emphasis on the big picture or depth. Do not underestimate their detail.


PMI (Project Management Institute):

PMI has a wide variety of certifications for Project Managers:



Certified Information Systems Auditor (Certification and Accreditation of Systems):

Certified Information Security Manager:

Certified in the Governance of Enterprise IT:

Certified in Risk and Information Systems Control:



The CISSP exam requires 5 years of experience, 4 with a degree. Experience is in the 10 domains – implying a broad range of IT coverage.

CISSP Overview:



SANS has a range of certificates, mostly focused on engineering and technical areas



Certified Ethical Hacking (CEH):


Security Architecture


Arizona State:

Security Architecture:


Department of Energy (DOE):

DOE Security Architecture:

DOE Directives on “establishing policies, requirements, responsibilities, and procedures for departmental elements and contractors”:


Internet Security Alliance (ISA):

Social Contract 2.0: A 21st Century Program for Effective Cyber Security (2010):



Management of large infrastructure:



Laws Related to IT Security



U.S. Government IT Security Laws:





IR 7497:

ITL Bulletins:

HIPAA and Information Security:


HIPAA Information:


Sarbanes-Oxley Act (SOX)



An updated edition of Protiviti’s documents (An excellent, detailed review):

Protiviti’s document:


A narrow focus from Protiviti:


Sky View:

Background – Accuracy of financial controls (Note COBIT & ISO17799):


Sarbanes Oxley 101:

All the sections of the act and Section 404 compliance papers (Internal controls):


Gramm-Leach-Bliley Act:

Electronic Privacy Information Center:

In-depth coverage of Gramm-Leach-Bliley Act:

Federal Trade Commission:


Payment Card Industry Data Security Standard:

PCI DSS Quick Reference Guide:

PCI Compliance Guide:


Federal Information Security Management Act of 2002 (FISMA)




Detailed Overview of FISMA:



Tools: EnCase at and Oxygen Forensics



CyberWar News website:


Security News

Dark Reading (You only get a handful of free articles a day, but creating an account is free):

Security Week: