The MESSI List
Sources for MESSI (Managerial and Executive Security Systems Information)
· Use your reader's "Find" function to locate the links you need.
· This list aims to provide ideas regarding security systems to management or technologists needing to interact with management or leadership of an organization. It includes technical sources too.
· Thanks go to past students from one college and three universities, Bachelor’s to Master’s and Doctoral students.
· This list has no specific order at this stage.
· Should you discover another important source or have related ideas, please mail them to [email protected] – do not send embargoed, for-sale, marketing-based, or confidential items.
· This file is the September 2019 version and includes input from students at multiple universities. This revision was organized by John, thank you John. Please share your interesting sources!
Recent Updates:
NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework
NIST Special Publication 800-63B (Digital Identity Guidelines Authentication and Lifecycle Management): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
Global Security Reports
(Annual reports, including strategies, available for download from the top three audit companies: PWC, E&Y, and the top network company, Cisco)
PWC:
2018 - Digital Trust Insights
https://www.pwc.com/us/en/services/consulting/cybersecurity/digital-trust/2018-insights.html
REPORT: https://www.pwc.com/us/en/services/consulting/assets/pwc-journey-to-digital-trust.pdf
Key Findings from Digital Insights Report:
2018 - Strengthening digital society against cyber shocks: https://www.pwc.com/us/en/cybersecurity/assets/pwc-2018-gsiss-strengthening-digital-society-against-cyber-shocks.pdf
2018 - Revitalizing privacy and trust in a data-driven world: https://www.pwc.com/us/en/cybersecurity/assets/revitalizing-privacy-trust-in-data-driven-world.pdf
-------------------------------------------------------------------------------------------------------
2017 - Moving forward with Cybersecurity and Privacy: http://www.pwc.com/gx/en/information-security-survey/assets/gsiss-report-cybersecurity-privacy-safeguards.pdf
E&Y:
2018-19 - Is cybersecurity about more than protection?: EY Global Information Security Survey 2018-19
2017-18 - Cybersecurity regained: preparing to face cyber attacks: 20th Global Information Security Survey 2017-18
2015 - Creating trust in the digital world: EY's Global Information Security Survey 2015
Cisco:
2018: https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2018.html
2017 Midyear Report: https://www.cisco.com/c/m/en_au/products/security/offers/midyear-cybersecurity-report-2017.html
2017 Annual Report: https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html
Other Reports
OWASP
Open Web Application Security Project: the OWASP Top 10, code samples, and guidance. The core objective is safer code through improved security within application software. https://www.owasp.org/index.php/Main_Page See WebGoat, a deliberately insecure web application for hands-on practice, at https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Georgia Tech:
Emerging Cyber Threats Report 2016:
ISACA:
State of Cybersecurity 2019: https://www.isaca.org/info/state-of-cybersecurity-2019/index.html
State of Cybersecurity 2018: https://cybersecurity.isaca.org/csx-resources/state-of-cybersecurity-2018
Part 2: https://cybersecurity.isaca.org/csx-resources/state-of-cybersecurity-2018-part-2
State of Cybersecurity 2017: https://cybersecurity.isaca.org/csx-resources/state-of-cyber-security-2017
State of Cybersecurity: Implications for 2016
http://www.isaca.org/cyber/Documents/state-of-cybersecurity_res_eng_0316.pdf
State of Cybersecurity: Implications for 2015
http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf
Strategic/Executive Reports
McKinsey:
Perspectives on transforming cybersecurity [Digital McKinsey and Global Risk Practice March 2019]
GDPR compliance since May 2018: A continuing challenge (July 2019)
A new posture for cybersecurity in a networked world (March 2018)
Digital and Risk: A new posture for cyber risk in a networked world (March 2018) https://www.mckinsey.com/de/~/media/mckinsey/locations/europe%20and%20middle%20east/deutschland/publikationen/2018%20compendium/a%20new%20posture%20for%20cybersecurity%20in%20a%20networked%20world/kompendium_03_cyberrisk-2.ashx
Cyber risk measurement and the holistic cybersecurity approach (November 2018)
Global goods trade has declined sharply, but global flow of data has spiked: http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows
Any organization that is going to rely on “Big Data” – Protect it! - http://www.mckinsey.com/insights/mgi/research/technology_and_innovation/big_data_the_next_frontier_for_innovation
NIST:
Small Business Information Security: The Fundamentals - NIST
https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final
(An excellent brief overview that also includes cost/benefit data)
PWC:
Monetizing data while respecting privacy (2016): https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-monetizing-data-while-respecting-privacy.pdf
How well does your industry defend against elementary phishing campaigns?
https://www.pwc.com/us/en/services/consulting/cybersecurity/defend-phishing-campaign.html
Inside the discovery phase of a cyberattack – and what you can do to counter it
Mapping and managing cyber risks from third parties and beyond
https://www.pwc.com/us/en/services/consulting/cybersecurity/third-party-risks.html
Boosting the resiliency of third-party technology service providers
https://www.pwc.com/us/en/services/consulting/cybersecurity/third-party-tech.html
ISACA:
(Registration is required to view the following reports)
A Business Model for Information Security: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Business-Model-for-Information-Security.aspx
The Risk IT Framework: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx
United States Federal Government:
The current key Executive action and strategy for Cyber issues:
A focus on networks, risk, and critical infrastructure. This includes the Cybersecurity Framework. https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/
Governance & Roles
NACD:
A broad vision of governance from Board Level: http://www.nacdonline.org/
ISACA:
ISACA Governance and Roles
COBIT 2019 Publications and Resources
http://www.isaca.org/COBIT/Pages/COBIT-2019-Publications-Resources.aspx
CSO Online:
What is a CSO: http://www.csoonline.com/article/221739/what-is-a-chief-security-officer-
Top cyber security certifications: Who they're for, what they cost, and which you need:
DHHS:
Information Security Index: http://www.hhs.gov/ocio/securityprivacy/index.html
Ponemon Institute:
(Many relevant sources: privacy, governance, cost, health, and business cases)
Data Security: http://www.ponemon.org/data-security
2019 Ponemon Institute Study on the Cyber Resilient Organization
IBM
IBM X-Force Threat Intelligence Index (Essential report on today's cyber security landscape)
https://www.ibm.com/security/data-breach/threat-intelligence
How much would a data breach cost your business? (The 2019 Cost of a Data Breach Report explores financial impacts and security measures that can help your organization mitigate costs)
https://www.ibm.com/security/data-breach
The Third Annual Study on the Cyber Resilient Organisation
https://www.ibm.com/downloads/cas/ZD2PL2MK
The Emerging Role of IT Governance:
http://www.ibm.com/developerworks/rational/library/dec07/mueller_phillipson/
IBM IT Governance Approach Business Performance through IT Execution
http://www.redbooks.ibm.com/redbooks/pdfs/sg247517.pdf
Operational IT Governance:
https://www.ibm.com/developerworks/rational/library/may07/cantor_sanders/
Risk
Information Security Handbook:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf
E&Y:
Separation of Duties (SoD): http://www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_duties.pdf
2013 - Identity and access management: Beyond compliance
Internet Security Alliance:
Cyber-Risk Oversight
http://isalliance.org/wp-content/uploads/2018/05/Cyber-Risk-Oversight-Handbook.pdf
Financial impact analysis of Cyber Risk (2008): http://isalliance.org/publications/1A.%20The%20Financial%20Impact%20of%20Cyber%20Risk-%2050%20Questions%20Every%20CFO%20Should%20Ask%20-%20ISA-ANSI%202008.pdf
Financial management of cyber risk (2010): http://isalliance.org/publications/1B.%20The%20Financial%20Management%20of%20Cyber%20Risk%20-%20An%20Implementation%20Framework%20for%20CFOs%20-%20ISA-ANSI%202010.pdf
Sophisticated Management of Cyber Risk (2013):
Cloud Security Alliance
Top Threats to Cloud Computing + Industry Insights
SANS:
Risks in the OSI Network Stack (An excellent article): http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309
The Register:
Current status of zero-day attacks: http://www.theregister.com
Policy
LazarusAlliance: (A Wiki approach)
Homepage: http://horseproject.wiki/index.php/Main_Page
Information Security, law, governance, frameworks, assessment, etc.
Policy – see http://horseproject.wiki/index.php?search=policy&title=Special%3ASearch&go=Go
SANS:
Reading Room: http://www.sans.org/reading_room/
Policy Project (Best items are at the bottom of the page): http://www.sans.org/resources/policies/
Security Policy Roadmap:
A general overview that introduces the need for business integration:
https://www.sans.org/reading-room/whitepapers/policyissues/security-policies-919
IRS p1075
Tax Information Security Guidelines - For Federal, State and Local Agencies.
Safeguards for protecting federal tax returns and return information http://www.irs.gov/pub/irs-pdf/p1075.pdf
DOJ CJIS
Federal Bureau of Investigation, Criminal Justice Information Services Division: CJIS Security Policy http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center
Cleveland State University:
A number of policy items: https://www.csuohio.edu/technology-security/technology-policies
Department of Housing and Urban Development:
Complete policy (Includes roles): http://web.archive.org/web/20110304073530/http://www.hud.gov/offices/adm/hudclips/handbooks/admh/2400.25/240025AppAADMH.pdf
Symantec:
An introduction to security policies: http://www.symantec.com/connect/articles/introduction-security-policies-part-one-overview-policies
DOD Cyber Exchange [Public]
Broad set of content including awareness, other training, and some technical resources: https://public.cyber.mil/
https://public.cyber.mil/stigs/downloads/
Standards
ISO:
ISO Documents (Only a few are free to access): http://www.iso27001security.com/html/iso27000.html
ISO Standards (Includes security, risk, and more): http://www.praxiom.com/index.htm
UK Government:
https://www.cyberessentials.ncsc.gov.uk/
European Union (EU) Privacy sources
https://ec.europa.eu/info/law/law-topic/data-protection_en
PCI:
PCI Security Standards Council (PCI-DSS and PA-DSS): https://www.pcisecuritystandards.org/
California State:
Privacy standards for the state: https://oag.ca.gov/privacy/privacy-laws
The Committee on National Security Systems (CNSS):
http://www.cnss.gov/CNSS/issuances/Instructions.cfm
Microsoft:
Security Development Lifecycle (Don’t confuse with SDLC):
https://www.microsoft.com/en-us/securityengineering/sdl
NIST:
Security Homepage (Various options and the publications in the middle section of the page): http://csrc.nist.gov/
Technical Security Standard for Information Technology
http://www.iwar.org.uk/comsec/resources/standards/canada/tssit97e.pdf
Guidelines on firewalls (2009):
http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
NIST Publications
These are key to many courses and in general practice.
Special Publications: the 800 series (Computer Security), the 1800 series (Cybersecurity Practice Guides), and the 500 series (Computer Systems Technology)
http://csrc.nist.gov/publications/PubsSPs.html
FIPS Publications (Especially FIPS 199 & 200): http://csrc.nist.gov/publications/PubsFIPS.html
Interagency Reports (IR) (Especially IR 7359): http://csrc.nist.gov/publications/PubsNISTIRs.html
Information Technology Lab (ITL) (Shorter versions of some NIST publications): http://csrc.nist.gov/publications/PubsITLSB.html
Certifications
CompTIA:
CompTIA offers several certifications; the focus is hands-on practical content, with less emphasis on the big picture or depth. Do not underestimate their detail. https://certification.comptia.org/
PMI (Project Management Institute):
PMI has a wide variety of certifications for Project Managers: https://www.pmi.org/certifications
ISACA:
Certified Information Systems Auditor (Certification and Accreditation of Systems): http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx
Certified Information Security Manager: http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/How-to-Become-Certified/Pages/default.aspx
Certified in the Governance of Enterprise IT: http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Pages/How-to-Become-Certified.aspx
Certified in Risk and Information Systems Control: http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/How-to-Become-Certified-CRISC.aspx
(ISC)2
The CISSP exam requires 5 years of experience, 4 with a degree. Experience is in the 8 domains – implying a broad range of IT coverage.
CISSP Overview: https://www.isc2.org/cissp/default.aspx
SANS GIAC
SANS has a range of certificates, mostly focused on engineering and technical areas: http://www.sans.org
EC-Council:
Certified Ethical Hacker (CEH): http://www.eccouncil.org
Security Architecture
Arizona State:
Security Architecture: https://aset.az.gov/sites/default/files/p700%20enterprise%20architecture%20policy_1.pdf
Department of Energy (DOE):
DOE Security Architecture:
http://energy.gov/sites/prod/files/cioprod/documents/DOE_Security_Architecture.pdf
DOE Directives on "establishing policies, requirements, responsibilities, and procedures for departmental elements and contractors": https://www.directives.doe.gov/directives-browse#c8-operator=or&c10=&b_start=0
Internet Security Alliance (ISA):
The Cybersecurity social contract Implementing a Market Based Model for Cybersecurity (2016):
Social Contract 2.0: A 21st Century Program for Effective Cyber Security (2010): http://isalliance.org/publications/2B.%20Social%20Contract%202.0%20-%20A%2021st%20Century%20Program%20for%20Effective%20Cyber%20Security%20-%20ISA%202010.pdf
ITIL:
Management of large infrastructure: http://www.itil-officialsite.com/home/home.asp
Laws Related to IT Security
SANS:
U.S. Government IT Security Laws: https://www.sans.org/reading-room/whitepapers/legal/us-government-security-laws-1306
Security Awareness Compliance Requirements
https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf
Health/HIPAA/HITECH
NIST:
IR 7497: http://csrc.nist.gov/publications/PubsNISTIRs.html
ITL Bulletins: http://csrc.nist.gov/publications/PubsITLSB.html
HIPAA and Information Security: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
HIPAA Information: http://www.cumc.columbia.edu/hipaa/
Sarbanes-Oxley Act (SOX)
Protiviti:
An updated edition of Protiviti's documents (An excellent, detailed review):
Protiviti’s document: http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti_Section_404_FAQ_Guide.pdf
Sarbanes Oxley 101:
All the sections of the act and Section 404 compliance papers (Internal controls):
http://www.sarbanes-oxley-101.com
Gramm-Leach-Bliley Act:
Electronic Privacy Information Center:
In-depth coverage of Gramm-Leach-Bliley Act: https://epic.org/privacy/glba/
Federal Trade Commission:
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Payment Card Industry Data Security Standard:
PCI DSS Quick Reference Guide: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
PCI Compliance Guide: https://www.pcicomplianceguide.org/
Federal Information Security Management Act of 2002 (FISMA)
NIST:
FISMA: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
Detailed Overview of FISMA: http://csrc.nist.gov/groups/SMA/fisma/overview.html
Forensics
Tools: EnCase at https://www.guidancesoftware.com/ and Oxygen Forensics http://www.oxygen-forensic.com/en/
Autopsy:
https://www.sleuthkit.org/autopsy/
Cyberwar
CyberWar News website: http://www.cyberwar.news/
Security News
Dark Reading (You only get a handful of free articles a day, but creating an account is free): http://www.darkreading.com/
Security Week: http://www.securityweek.com/