The MESSI List

Sources for MESSI (Managerial and Executive Security Systems Information)

 

· Consider using “FIND” to get the links you need.

· This list aims to provide ideas regarding security systems to management, or to technologists needing to interact with the management or leadership of an organization. It includes technical sources too.

· Thanks go to past students, Bachelor’s through Master’s and Doctoral, from one college and three universities.

· This list has no specific order at this stage.

· Should you discover another source that is important, or have related ideas, please mail these to [email protected]. Do not send embargoed items, items for sale, marketing-based material, or confidential items.

· This file is version: May twenty fourteen, and includes input from students at many universities. Please share your interesting sources! Thanks go out to Paul for the last update.

 

Recent Updates:

NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework

Small Business https://www.nist.gov/news-events/news/2016/11/new-nist-guide-helps-small-businesses-improve-cybersecurity

 

Global Security Reports

(Annual reports, including strategies, available for download from the top audit companies PWC and E&Y, and the top network company, Cisco)

 

PWC:

http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml

2017 – Moving forward with Cybersecurity and Privacy: http://www.pwc.com/gx/en/information-security-survey/assets/gsiss-report-cybersecurity-privacy-safeguards.pdf

2014 – Defending yesterday: http://www.pwc.com/us/en/retail-consumer/publications/assets/gsiss-report-retail.pdf

2013 – Changing the Game: http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/2013-giss-report.pdf

2012 – Eye of the Storm: http://www.pwc.pl/en/publikacje/global-state-of-information-security-survey-2012.jhtml

2012 – Eye of the Storm (Polish site, PDF): http://www.pwc.pl/pl/publikacje/global-state-of-information-security-survey-2012.pdf

 

E&Y:

2015 – Creating trust in the digital world: EY’s Global Information Security Survey 2015:

http://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2015/$FILE/ey-global-information-security-survey-2015.pdf

2014 – Get ahead of cybercrime: http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2014

2013 – Under cyber attack: EY’s global information security survey 2013: http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf

2012 – Fighting to close the gap: 15th Annual Global Information Security Survey: http://www.ey.com/Publication/vwLUAssets/GISS2012/$FILE/EY_GISS_2012.pdf

2011 – 14th Annual Global Information Security Survey:

http://www.ey.com/gl/en/services/advisory/2011-global-information-security-survey---seeing-through-the-cloud

 

Cisco:

2013: http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2013_ASR.pdf

2011: http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf

2010: http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2010.pdf

2009: http://www.cisco.com/en/US/prod/collateral/vpndevc/cisco_2009_asr.pdf

2008: http://www.cisco.com/en/US/prod/collateral/vpndevc/securityreview12-2.pdf

 

Other Reports

 

OWASP

Open Web Application Security Project, with guidance, the Top 10 list, and code samples. The core objective is safe code through improved security within application software. https://www.owasp.org/index.php/Main_Page  See WebGoat for a testing solution at https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

 

Georgia Tech:

Emerging Cyber Threats Report 2016:

http://www.iisp.gatech.edu/sites/default/files/documents/2016_georgiatech_cyberthreatsreport_onlinescroll.pdf

Emerging Cyber Threats Report 2015:

https://www.gtisc.gatech.edu/pdf/Threats_Report_2015.pdf

Emerging Cyber Threats Report 2014:

https://www.gtisc.gatech.edu/pdf/Threats_Report_2014.pdf

Cyber Security Summit Emerging Cyber Security Threats 2013: http://gtsecuritysummit.com/pdf/2013ThreatsReport.pdf

Emerging Cyber Security Threats 2012:

http://cybersafe.unc.edu/reports/emerging_cyber_threats_report2012.pdf

Emerging Cyber Security Threats 2011:

http://www.iqcol.com/docs/Security_Summit_2010.pdf

 

ISACA:

State of Cybersecurity: Implications for 2016

http://www.isaca.org/cyber/Documents/state-of-cybersecurity_res_eng_0316.pdf

State of Cybersecurity: Implications for 2015

http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf

 

Strategic/Executive Reports

 

McKinsey:

Global goods trade has declined sharply, but global flow of data has spiked: http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows

Any organization that is going to rely on “Big Data” – Protect it! - http://www.mckinsey.com/insights/mgi/research/technology_and_innovation/big_data_the_next_frontier_for_innovation

 

NIST:

Small Business Information Security: The Fundamentals - http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

(An excellent brief overview that also includes cost/benefit data)

 

PWC:

10Minutes: quick PDFs designed to give key insights on important business issues:

http://www.pwc.com/us/en/10minutes/data-identity-theft.html

Monetizing data while respecting privacy (2016): https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-monetizing-data-while-respecting-privacy.pdf

Safeguard Your Sensitive Data (2010): http://www.pwc.com/us/en/it-risk-security/assets/high-risk-data-discovery.pdf

Positioning business value of information & Security (2008): http://www.pwc.com/gx/en/information-security-survey/pdf/safeguarding_the_new_currency.pdf

Safeguard Your Sensitive Data (2008): http://rikfairlie.com/resources/Corporate-Writing/safeguard_your_sensitive_data.pdf

How to align security with your strategic business objectives (2005): http://www.pwc.com/en_US/us/it-risk-security/assets/security_atlas_guidebook.pdf

 

ISACA:

(Registration is required to view the following reports)

A business model for Security: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Business-Model-for-Information-Security.aspx

The Risk IT Framework: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx

 

United States Federal Government:

International Strategy for Cyberspace:

http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

 

Governance & Roles

 

NACD:

A broad vision of governance from Board Level: http://www.nacdonline.org/


ISACA:

Governance and Roles: http://www.isaca.org/Journal/Past-Issues/2009/Volume-1/Pages/The-Role-of-the-IT-Auditor-in-IT-Governance1.aspx

COBIT 5 exposure draft: http://tomx.inf.elte.hu/twiki/pub/Team/CISACourse/COBIT5-Framework-ED-27June2011.pdf

COBIT 5 process reference guide: http://tomx.inf.elte.hu/twiki/pub/Team/CISACourse/COBIT5-Process-Ref-Guide-ED-27June2011.pdf

COBIT 5 – 5 Essential Facts:

http://www.isaca.org/COBIT/Documents/5-Essential-Facts-about-COBIT.pdf

Intro to COBIT 5 (PowerPoint): http://www.isaca.org/COBIT/Documents/COBIT5-Introduction.ppt

COBIT 5 for Information Security (PowerPoint): http://www.isaca.org/COBIT/Documents/COBIT5-and-InfoSec.ppt

VAL IT Framework – Governance of IT Investments: http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Documents/Val-IT-Framework-2.0-Extract-Jul-2008.pdf

 

CSO Online:

What is a CSO: http://www.csoonline.com/article/221739/what-is-a-chief-security-officer-

 

DHHS:

Information Security Index: http://www.hhs.gov/ocio/securityprivacy/index.html

Sample roles: https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/IS2P2.pdf

 

Ponemon Institute:

(Many relevant sources: privacy, governance, cost, health, and business cases)

Data Security: http://www.ponemon.org/data-security

 

IBM

The Emerging Role of IT Governance:

http://www.ibm.com/developerworks/rational/library/dec07/mueller_phillipson/

Operational IT Governance:

https://www.ibm.com/developerworks/rational/library/may07/cantor_sanders/

 

Risk

 

Information Security Handbook:

Inherent and residual risk: http://ishandbook.bsewall.com/risk/Assess/Risk/inherent_risk.html

 

E&Y:

Separation of Duties (SoD): http://www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_duties.pdf

 

Internet Security Alliance:

Financial impact analysis of Cyber Risk (2008): http://isalliance.org/publications/1A.%20The%20Financial%20Impact%20of%20Cyber%20Risk-%2050%20Questions%20Every%20CFO%20Should%20Ask%20-%20ISA-ANSI%202008.pdf

Financial management of cyber risk (2010): http://isalliance.org/publications/1B.%20The%20Financial%20Management%20of%20Cyber%20Risk%20-%20An%20Implementation%20Framework%20for%20CFOs%20-%20ISA-ANSI%202010.pdf

Sophisticated Management of Cyber Risk (2013):

http://isalliance.org/publications/2013-05-28_ISA-AIG_White_Paper-Sophisticated_Management_of_Cyber_Risk.pdf

 

SANS:

Risks in the OSI network Stack (An excellent article): http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309

 

The Register:

Current status of zero-day attacks: http://www.theregister.com

 

Policy

 

LazarusAlliance: (A Wiki approach)

Homepage: http://horseproject.wiki/index.php/Main_Page

Information Security, law, governance, frameworks, assessment, etc.

Policy – see http://horseproject.wiki/index.php?search=policy&title=Special%3ASearch&go=Go

 

SANS:

Reading Room: http://www.sans.org/reading_room/

Policy Project (Best items are at the bottom of the page): http://www.sans.org/resources/policies/

Security Policy Roadmap:

http://www.sans.org/reading_room/whitepapers/policyissues/security_policy_roadmap_process_for_creating_security_policies_494?show=494.php&cat=policyissues

A general overview that introduces the need for business integration:

https://www.sans.org/reading-room/whitepapers/policyissues/security-policies-919

 

IRS p1075

Tax Information Security Guidelines - For Federal, State and Local Agencies.

Safeguards for protecting federal tax returns and return information http://www.irs.gov/pub/irs-pdf/p1075.pdf

 

DOJ CJIS

Federal Bureau of Investigation, Criminal Justice Information Services Division: CJIS Security Policy http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center

 

Cleveland State University:

A number of policy items: https://www.csuohio.edu/technology-security/technology-policies

 

Department of Housing and Urban Development:

Complete policy (Includes roles): http://web.archive.org/web/20110304073530/http://www.hud.gov/offices/adm/hudclips/handbooks/admh/2400.25/240025AppAADMH.pdf

 

Symantec:

An introduction to security policies: http://www.symantec.com/connect/articles/introduction-security-policies-part-one-overview-policies

 

IASE: Information Assurance Support Environment.

Broad set of content including awareness, other training, and some technical resources: http://iase.disa.mil/Pages/index.aspx

 

Standards

 

ISO:

ISO Documents (Only a few are free to access): http://www.iso27001security.com/html/iso27000.html

ISO Standards (Includes security, risk, and more): http://www.praxiom.com/index.htm

 

UK Government:

Input on IT Security: http://www.cesg.gov.uk/

European Union (EU) Privacy sources

http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

 

PCI:

PCI Standards Council (PCI-DSS and PA-DSS): https://www.pcisecuritystandards.org/

 

California State:

Privacy standards for the state: http://www.privacy.ca.gov/business/info_sharing.pdf

 

The Committee on National Security Systems (CNSS):

Links to partners: http://www.cnss.gov/related-sites.html

 

Microsoft:

Security Development Lifecycle (Don’t confuse with SDLC): http://www.microsoft.com/security/sdl/default.aspx

 

NIST:

Security Homepage (Various options and the publications in the middle section of the page): http://csrc.nist.gov/

A security procedure (network perimeter defense):

http://www.iwar.org.uk/comsec/resources/fasp/ipdmms-perimeter-security.doc

 

Guidelines on firewalls (2009):

http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

 

NIST Publications

These are key to many courses and in general practice.

 

Special Publications – the 800 series covers Computer Security, the 1800 series covers Cybersecurity Practice Guides, and the 500 series covers Computer Systems Technology items:

 http://csrc.nist.gov/publications/PubsSPs.html

 

FIPS Publications (Especially FIPS 199 & 200): http://csrc.nist.gov/publications/PubsFIPS.html

 

Interagency Reports (IR) (Especially IR 7359): http://csrc.nist.gov/publications/PubsNISTIRs.html

 

Information Technology Lab (ITL) (Shorter versions of some NIST publications): http://csrc.nist.gov/publications/PubsITLSB.html

 

Certifications

 

CompTIA:

CompTIA has several certifications; the focus is hands-on practical content, with less emphasis on the big picture or depth. Do not underestimate their detail. https://certification.comptia.org/

 

PMI (Project Management Institute):

PMI has a wide variety of certifications for Project Managers: https://www.pmi.org/certifications

 

ISACA:

Certified Information Systems Auditor (Certification and Accreditation of Systems): http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx

Certified Information Security Manager: http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/How-to-Become-Certified/Pages/default.aspx

Certified in the Governance of Enterprise IT: http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Pages/How-to-Become-Certified.aspx

Certified in Risk and Information Systems Control: http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/How-to-Become-Certified-CRISC.aspx

 

(ISC)2

The CISSP exam requires 5 years of experience, 4 with a degree. Experience is in the 10 domains – implying a broad range of IT coverage.

CISSP Overview: https://www.isc2.org/cissp/default.aspx

 

SANS GIAC

SANS has a range of certificates, mostly focused on engineering and technical areas http://www.sans.org

 

EC-Council:

Certified Ethical Hacking (CEH): http://www.eccouncil.org

 

Security Architecture

 

Arizona State:

Security Architecture: https://aset.az.gov/sites/default/files/p700%20enterprise%20architecture%20policy_1.pdf

 

Department of Energy (DOE):

DOE Security Architecture:

http://energy.gov/sites/prod/files/cioprod/documents/DOE_Security_Architecture.pdf

DOE Directives on “establishing policies, requirements, responsibilities, and procedures for departmental elements and contractors”: https://www.directives.doe.gov/directives-browse#c8-operator=or&c10=&b_start=0

 

Internet Security Alliance (ISA):

Social Contract 2.0: A 21st Century Program for Effective Cyber Security (2010): http://isalliance.org/publications/2B.%20Social%20Contract%202.0%20-%20A%2021st%20Century%20Program%20for%20Effective%20Cyber%20Security%20-%20ISA%202010.pdf

 

ITIL:

Management of large infrastructure: http://www.itil-officialsite.com/home/home.asp

 

Laws Related to IT Security

 

SANS:

U.S. Government IT Security Laws: https://www.sans.org/reading-room/whitepapers/legal/us-government-security-laws-1306

 

Health/HIPAA/HITECH

 

NIST:

IR 7497: http://csrc.nist.gov/publications/PubsNISTIRs.html

ITL Bulletins: http://csrc.nist.gov/publications/PubsITLSB.html

HIPAA and Information Security: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf

 

HIPAA Information: http://www.cumc.columbia.edu/hipaa/

 

Sarbanes-Oxley Act (SOX)

 

Protiviti:

An updated edition of Protiviti’s documents (An excellent, detailed review):

http://web.archive.org/web/20110419212510/http://www.hcca-info.org/Content/NavigationMenu/ComplianceResources/CorporateResponsibility/SarbOxSec404_2nd.pdf

Protiviti’s document: http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti_Section_404_FAQ_Guide.pdf

 

A narrow focus from Protiviti:

http://issuu.com/mexicofiscal/docs/protiviti._guide_sox_act._aplications_risks___cont

 

Sky View:

Background – Accuracy of financial controls (Note COBIT & ISO17799): http://readtech.com/pr/sv/SOX.pdf

 

Sarbanes Oxley 101:

All the sections of the act and Section 404 compliance papers (Internal controls):

http://www.sarbanes-oxley-101.com

 

Gramm-Leach-Bliley Act:

Electronic Privacy Information Center:

In-depth coverage of Gramm-Leach-Bliley Act: https://epic.org/privacy/glba/

Federal Trade Commission:

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

 

Payment Card Industry Data Security Standard:

PCI DSS Quick Reference Guide: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

PCI Compliance Guide: https://www.pcicomplianceguide.org/

 

Federal Information Security Management Act of 2002 (FISMA)

 

NIST:

FISMA: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Detailed Overview of FISMA: http://csrc.nist.gov/groups/SMA/fisma/overview.html

 

Forensics

Tools: EnCase at https://www.guidancesoftware.com/ and Oxygen Forensics at http://www.oxygen-forensic.com/en/

 

Cyberwar

CyberWar News website: http://www.cyberwar.news/

 

Security News

Dark Reading (You only get a handful of free articles a day, but creating an account is free): http://www.darkreading.com/

Security Week: http://www.securityweek.com/