The MESSI List

Sources for MESSI (Managerial and Executive Security Systems Information)

 

· Consider using your browser's Find function (Ctrl+F) to locate the links you need.

· This list aims to provide ideas regarding security systems to management, or to technologists who need to interact with the management or leadership of an organization. It includes technical sources too.

· Thanks go to past students from one college and three universities, Bachelor’s to Master’s and Doctoral students.

· This list has no specific order at this stage.

· Should you discover another source that is important, or have related ideas, please mail these to [email protected] – do not send embargoed items, items for sale, marketing material, or confidential items.

· This file is version: September twenty nineteen and includes input from students at multiple universities. This revision was organized by John, thank you John. Please share your interesting sources!

 

Recent Updates:

NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework

 

NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

 

Global Security Reports

(Annual reports, including strategies, available for download from the top three audit companies: PWC, E&Y, and the top network company, Cisco)

 

PWC:

2018 - Digital Trust Insights

https://www.pwc.com/us/en/services/consulting/cybersecurity/digital-trust/2018-insights.html

REPORT: https://www.pwc.com/us/en/services/consulting/assets/pwc-journey-to-digital-trust.pdf

Key Findings from Digital Insights Report:

2018 - Strengthening digital society against cyber shocks: https://www.pwc.com/us/en/cybersecurity/assets/pwc-2018-gsiss-strengthening-digital-society-against-cyber-shocks.pdf

 

2018 - Revitalizing privacy and trust in a data-driven world: https://www.pwc.com/us/en/cybersecurity/assets/revitalizing-privacy-trust-in-data-driven-world.pdf

 

-------------------------------------------------------------------------------------------------------

 

2017 - Moving forward with Cybersecurity and Privacy: http://www.pwc.com/gx/en/information-security-survey/assets/gsiss-report-cybersecurity-privacy-safeguards.pdf

E&Y:

2018–19 - Is cybersecurity about more than protection? EY Global Information Security Survey 2018–19

https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

 

2017-18 Cybersecurity regained: preparing to face cyber attacks: 20th Global Information Security Survey 2017–18

https://eyfinancialservicesthoughtgallery.ie/wp-content/uploads/2018/01/GISS-2017-%E2%80%93-High-Resolution.pdf

 

2015 - Creating trust in the digital world: EY’s Global Information Security Survey 2015:

http://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2015/$FILE/ey-global-information-security-survey-2015.pdf

 

 

Cisco:

2018: https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2018.html

2017 Midyear Report: https://www.cisco.com/c/m/en_au/products/security/offers/midyear-cybersecurity-report-2017.html

 

2017 Annual Report: https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html

 

Other Reports

 

OWASP

Open Web Application Security Project, with guidance, the OWASP Top 10, code samples, and more. The core objective is safer code through improved security within application software. https://www.owasp.org/index.php/Main_Page  See WebGoat, a deliberately insecure web application for hands-on practice, at https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

 

 

Georgia Tech:

Emerging Cyber Threats Report 2016:

http://www.iisp.gatech.edu/sites/default/files/documents/2016_georgiatech_cyberthreatsreport_onlinescroll.pdf

 

ISACA:

State of Cybersecurity 2019: https://www.isaca.org/info/state-of-cybersecurity-2019/index.html

 

State of Cybersecurity 2018: https://cybersecurity.isaca.org/csx-resources/state-of-cybersecurity-2018

Part 2:  https://cybersecurity.isaca.org/csx-resources/state-of-cybersecurity-2018-part-2

 

State of Cybersecurity 2017: https://cybersecurity.isaca.org/csx-resources/state-of-cyber-security-2017

 

State of Cybersecurity: Implications for 2016

http://www.isaca.org/cyber/Documents/state-of-cybersecurity_res_eng_0316.pdf

State of Cybersecurity: Implications for 2015

http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf

 

Strategic/Executive Reports

 

McKinsey:

Perspectives on transforming cybersecurity [Digital McKinsey and Global Risk Practice March 2019]

https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx

 

GDPR compliance since May 2018: A continuing challenge (July 2019)

https://www.mckinsey.com/business-functions/risk/our-insights/gdpr-compliance-after-may-2018-a-continuing-challenge

 

A new posture for cybersecurity in a networked world (March 2018)

https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world

 

Digital and Risk: A new posture for cyber risk in a networked world (March 2018)

https://www.mckinsey.com/de/~/media/mckinsey/locations/europe%20and%20middle%20east/deutschland/publikationen/2018%20compendium/a%20new%20posture%20for%20cybersecurity%20in%20a%20networked%20world/kompendium_03_cyberrisk-2.ashx

 

Cyber risk measurement and the holistic cybersecurity approach (November 2018)

https://www.mckinsey.com/business-functions/risk/our-insights/cyber-risk-measurement-and-the-holistic-cybersecurity-approach

 

Global goods trade has declined sharply, but global flow of data has spiked: http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows

Any organization that is going to rely on “Big Data” – Protect it! - http://www.mckinsey.com/insights/mgi/research/technology_and_innovation/big_data_the_next_frontier_for_innovation

 

NIST:

Small Business Information Security: The Fundamentals - NIST

https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final

(An excellent brief overview that also includes cost/benefit data)

 

PWC:

 

Monetizing data while respecting privacy (2016): https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-monetizing-data-while-respecting-privacy.pdf

 

How well does your industry defend against elementary phishing campaigns?

https://www.pwc.com/us/en/services/consulting/cybersecurity/defend-phishing-campaign.html

 

Inside the discovery phase of a cyberattack – and what you can do to counter it

https://www.pwc.com/us/en/services/consulting/cybersecurity/cyberattack-lifecycle-discovery-phase.html

 

Mapping and managing cyber risks from third parties and beyond

https://www.pwc.com/us/en/services/consulting/cybersecurity/third-party-risks.html

 

Boosting the resiliency of third-party technology service providers

https://www.pwc.com/us/en/services/consulting/cybersecurity/third-party-tech.html 

 

 

ISACA:

(Registration is required to view the following reports)

A Business Model for Information Security: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Business-Model-for-Information-Security.aspx

The Risk IT Framework: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx

 

United States Federal Government:

The current key Executive action and strategy for Cyber issues:

A focus on networks, risk, and critical infrastructure. This includes the Cybersecurity Framework. https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/

 

Governance & Roles

 

NACD:

A broad vision of governance from Board level: http://www.nacdonline.org/

ISACA:

 

ISACA Governance and Roles

https://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf

 

COBIT 2019 Publications and Resources

http://www.isaca.org/COBIT/Pages/COBIT-2019-Publications-Resources.aspx

 

CSO Online:

What is a CSO: http://www.csoonline.com/article/221739/what-is-a-chief-security-officer-

 

Top cyber security certifications: Who they're for, what they cost, and which you need:

https://www.csoonline.com/article/3116884/top-cyber-security-certifications-who-theyre-for-what-they-cost-and-which-you-need.html

 

DHHS:

Information Security Index: http://www.hhs.gov/ocio/securityprivacy/index.html

 

 

Ponemon Institute:

(Many relevant sources: privacy, governance, cost, health, and business cases)

Data Security: http://www.ponemon.org/data-security

 

2019 Ponemon Institute Study on the Cyber Resilient Organization

https://www.ibm.com/account/reg/us-en/signup?formid=urx-37792

 

IBM:

 

IBM X-Force Threat Intelligence Index (Essential report on today's cyber security landscape)

https://www.ibm.com/security/data-breach/threat-intelligence

 

How much would a data breach cost your business? (The 2019 Cost of a Data Breach Report explores financial impacts and security measures that can help your organization mitigate costs)

https://www.ibm.com/security/data-breach

 

The Third Annual Study on the Cyber Resilient Organisation

https://www.ibm.com/downloads/cas/ZD2PL2MK

 

The Emerging Role of IT Governance:

http://www.ibm.com/developerworks/rational/library/dec07/mueller_phillipson/

 

IBM IT Governance Approach: Business Performance through IT Execution

http://www.redbooks.ibm.com/redbooks/pdfs/sg247517.pdf

 

Operational IT Governance:

https://www.ibm.com/developerworks/rational/library/may07/cantor_sanders/

 

Risk

 

Information Security Handbook: A Guide for Managers (NIST SP 800-100):

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf

 

E&Y:

Separation of Duties (SoD): http://www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_duties.pdf

2013 - Identity and access management: Beyond compliance

https://www.ey.com/publication/vwluassets/identity_and_access_management_-_beyond_compliance/$file/identity_and_access_management_beyond_compliance_au1638.pdf

 

Internet Security Alliance:

Cyber-Risk Oversight Handbook:

http://isalliance.org/wp-content/uploads/2018/05/Cyber-Risk-Oversight-Handbook.pdf

 

Financial impact analysis of Cyber Risk (2008): http://isalliance.org/publications/1A.%20The%20Financial%20Impact%20of%20Cyber%20Risk-%2050%20Questions%20Every%20CFO%20Should%20Ask%20-%20ISA-ANSI%202008.pdf

 

Financial management of cyber risk (2010): http://isalliance.org/publications/1B.%20The%20Financial%20Management%20of%20Cyber%20Risk%20-%20An%20Implementation%20Framework%20for%20CFOs%20-%20ISA-ANSI%202010.pdf

 

Sophisticated Management of Cyber Risk (2013):

http://isalliance.org/publications/2013-05-28_ISA-AIG_White_Paper-Sophisticated_Management_of_Cyber_Risk.pdf

 

Cloud Security Alliance

 

The Treacherous 12: Top Threats to Cloud Computing + Industry Insights

https://downloads.cloudsecurityalliance.org/assets/research/top-threats/treacherous-12-top-threats.pdf

 

SANS:

Risks in the OSI network Stack (An excellent article): http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309

 

The Register:

Current status of zero-day attacks: http://www.theregister.com

 

Policy

 

LazarusAlliance: (A Wiki approach)

Homepage: http://horseproject.wiki/index.php/Main_Page

Information Security, law, governance, frameworks, assessment, etc.

Policy – see http://horseproject.wiki/index.php?search=policy&title=Special%3ASearch&go=Go

 

SANS:

Reading Room: http://www.sans.org/reading_room/

Policy Project (Best items are at the bottom of the page): http://www.sans.org/resources/policies/

Security Policy Roadmap:

http://www.sans.org/reading_room/whitepapers/policyissues/security_policy_roadmap_process_for_creating_security_policies_494?show=494.php&cat=policyissues

A general overview that introduces the need for business integration:

https://www.sans.org/reading-room/whitepapers/policyissues/security-policies-919

 

IRS Publication 1075:

Tax Information Security Guidelines for Federal, State and Local Agencies (safeguards for protecting federal tax returns and return information): http://www.irs.gov/pub/irs-pdf/p1075.pdf

 

DOJ CJIS

Federal Bureau of Investigation, Criminal Justice Information Services Division: CJIS Security Policy: http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center

 

Cleveland State University:

A number of policy items: https://www.csuohio.edu/technology-security/technology-policies

 

Department of Housing and Urban Development:

Complete policy (Includes roles): http://web.archive.org/web/20110304073530/http://www.hud.gov/offices/adm/hudclips/handbooks/admh/2400.25/240025AppAADMH.pdf

 

Symantec:

An introduction to security policies: http://www.symantec.com/connect/articles/introduction-security-policies-part-one-overview-policies

 

DOD Cyber Exchange [Public]

Broad set of content including awareness, other training, and some technical resources: https://public.cyber.mil/

 

STIGs (Security Technical Implementation Guides) downloads: https://public.cyber.mil/stigs/downloads/

 

 

Standards

 

ISO:

ISO Documents (Only a few are free to access): http://www.iso27001security.com/html/iso27000.html

ISO Standards (Includes security, risk, and more): http://www.praxiom.com/index.htm

 

UK Government:

https://www.cyberessentials.ncsc.gov.uk/

 

European Union (EU) Privacy sources

https://ec.europa.eu/info/law/law-topic/data-protection_en

 

PCI:

PCI Security Standards Council (PCI-DSS and PA-DSS): https://www.pcisecuritystandards.org/

 

California State:

Privacy standards for the state: https://oag.ca.gov/privacy/privacy-laws

 

The Committee on National Security Systems (CNSS):

CNSS Issuances (Instructions): http://www.cnss.gov/CNSS/issuances/Instructions.cfm

 

Microsoft:

Security Development Lifecycle (Don’t confuse with SDLC):

https://www.microsoft.com/en-us/securityengineering/sdl

 

NIST:

Security Homepage (Various options and the publications in the middle section of the page): http://csrc.nist.gov/

 

Technical Security Standard for Information Technology (Canadian TSSIT, 1997):

http://www.iwar.org.uk/comsec/resources/standards/canada/tssit97e.pdf

 

Guidelines on Firewalls and Firewall Policy (SP 800-41 Rev. 1, 2009):

http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

 

NIST Publications

These are key to many courses and in general practice.

 

Special Publications: the 800 series covers computer security, the 1800 series contains cybersecurity practice guides, and the 500 series covers computer systems technology items.

http://csrc.nist.gov/publications/PubsSPs.html

 

FIPS Publications (Especially FIPS 199 & 200): http://csrc.nist.gov/publications/PubsFIPS.html

 

Interagency Reports (IR) (Especially IR 7359): http://csrc.nist.gov/publications/PubsNISTIRs.html

 

Information Technology Lab (ITL) (Shorter versions of some NIST publications): http://csrc.nist.gov/publications/PubsITLSB.html

Certifications

 

CompTIA:

CompTIA has several certifications; the focus is hands-on practical content, with less emphasis on the big picture or depth. Do not underestimate their detail. https://certification.comptia.org/

 

PMI (Project Management Institute):

PMI has a wide variety of certifications for Project Managers: https://www.pmi.org/certifications

 

ISACA:

Certified Information Systems Auditor (Certification and Accreditation of Systems): http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx

Certified Information Security Manager: http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/How-to-Become-Certified/Pages/default.aspx

Certified in the Governance of Enterprise IT: http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Pages/How-to-Become-Certified.aspx

Certified in Risk and Information Systems Control: http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Pages/How-to-Become-Certified-CRISC.aspx

 

(ISC)2

The CISSP exam requires 5 years of experience, 4 with a degree. Experience is in the 8 domains – implying a broad range of IT coverage.

CISSP Overview: https://www.isc2.org/cissp/default.aspx

 

SANS GIAC

SANS has a range of certificates, mostly focused on engineering and technical areas: http://www.sans.org

 

EC-Council:

Certified Ethical Hacker (CEH): http://www.eccouncil.org

 

Security Architecture

 

Arizona State:

Security Architecture: https://aset.az.gov/sites/default/files/p700%20enterprise%20architecture%20policy_1.pdf

 

Department of Energy (DOE):

DOE Security Architecture:

http://energy.gov/sites/prod/files/cioprod/documents/DOE_Security_Architecture.pdf

DOE Directives on “establishing policies, requirements, responsibilities, and procedures for departmental elements and contractors”: https://www.directives.doe.gov/directives-browse#c8-operator=or&c10=&b_start=0

 

Internet Security Alliance (ISA):

The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity (2016):

https://gecrisk.com/wp-content/uploads/2016/09/ABonimeBlanc-Cyber-Resilience-Chapter-15-in-ISA-CyberSecurity-Social-Contract-2016-.pdf

 

Social Contract 2.0: A 21st Century Program for Effective Cyber Security (2010): http://isalliance.org/publications/2B.%20Social%20Contract%202.0%20-%20A%2021st%20Century%20Program%20for%20Effective%20Cyber%20Security%20-%20ISA%202010.pdf

 

ITIL:

Management of large infrastructure: http://www.itil-officialsite.com/home/home.asp

 

 

Laws Related to IT Security

 

SANS:

U.S. Government IT Security Laws: https://www.sans.org/reading-room/whitepapers/legal/us-government-security-laws-1306

 

Security Awareness Compliance Requirements

https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf

 

Health/HIPAA/HITECH

 

NIST:

IR 7497: http://csrc.nist.gov/publications/PubsNISTIRs.html

ITL Bulletins: http://csrc.nist.gov/publications/PubsITLSB.html

HIPAA and Information Security: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf

 

HIPAA Information: http://www.cumc.columbia.edu/hipaa/

 

Sarbanes-Oxley Act (SOX)

 

Protiviti:

An updated edition of Protiviti’s documents (an excellent, detailed review):

http://web.archive.org/web/20110419212510/http://www.hcca-info.org/Content/NavigationMenu/ComplianceResources/CorporateResponsibility/SarbOxSec404_2nd.pdf

Protiviti’s document: http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti_Section_404_FAQ_Guide.pdf

Sarbanes Oxley 101:

All the sections of the act and Section 404 compliance papers (internal controls):

http://www.sarbanes-oxley-101.com

 

Gramm-Leach-Bliley Act:

Electronic Privacy Information Center:

In-depth coverage of Gramm-Leach-Bliley Act: https://epic.org/privacy/glba/

Federal Trade Commission:

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

 

Payment Card Industry Data Security Standard:

PCI DSS Quick Reference Guide: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

PCI Compliance Guide: https://www.pcicomplianceguide.org/

 

Federal Information Security Management Act of 2002 (FISMA)

 

NIST:

FISMA: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Detailed Overview of FISMA: http://csrc.nist.gov/groups/SMA/fisma/overview.html

 

Forensics

Tools:  EnCase at https://www.guidancesoftware.com/ and Oxygen Forensics http://www.oxygen-forensic.com/en/

 

Autopsy:

https://www.sleuthkit.org/autopsy/

 

Cyberwar

CyberWar News website: http://www.cyberwar.news/

 

Security News

Dark Reading (You only get a handful of free articles a day, but creating an account is free): http://www.darkreading.com/

Security Week: http://www.securityweek.com/