How to implement security?
Establishing information security governance following ISO/IEC 27001 is an important first step. But how do you implement real security on top of it?
I have started to collect guidelines and standards that can help lift your security level.
| Standard / guideline | Publisher | Description | Availability |
|---|---|---|---|
| Security in .NET | Microsoft | | |
| IT Grundschutz Kataloge | BSI Germany | Very detailed technical controls (over 4000 pages), e.g. block B 5.27 software development | Free |
| OWASP Testing Guide | The OWASP Foundation | Very detailed test guideline addressing all stages of the SDLC | |
| OWASP Top 10 - 2017 | The OWASP Foundation | Secure web development: the top 10 security risks | |
| ArchiMate | The Open Group | A visual language to support TOGAF | |
| Cyber Essentials | UK National Cyber Security Centre (NCSC) | Very basic controls for every business (internet, devices, data, malware, ...) | |
| FedRAMP | FedRAMP | Standardized approach to security for the cloud | |
| HIPAA Cyber Security Guidance | HHS.gov | National standards to protect individuals' electronic personal health information | |
| ISF | Information Security Forum | Business-orientated focus on current and emerging information security topics, including Agile system development, alignment of information risk with operational risk, collaboration platforms, Industrial Control Systems (ICS), information privacy, threat intelligence, supplier assessments, ... | Very comprehensive, but not free |
| ISO/IEC 20000 series, ISO/IEC 27000 series and BS 17799 | | Standards to implement an ISMS and security governance | Commercial |
| ISO/IEC/IEEE 42010 | | ISO/IEC/IEEE 42010 Systems and software engineering — Architecture description is an international standard for architecture descriptions of systems and software | |
| ISPG Practice Guides | Government Chief Information Officer of Hong Kong | Guides on risk assessments, incident handling, mobile security, cloud computing, office network printers | |
| ITIL | | Best practices in IT service management (ITSM) | |
| NIST SP 800 family | NIST | Management framework on information security and guidelines, e.g. NIST SP 800-160 Systems Security Engineering | |
| O-TTPS | The Open Group | Open Trusted Technology Provider™ Standard (O-TTPS): secure development and changes | Free after registration with TOG |
| PCI DSS | PCI Security Standards Council | Standards and supporting materials to enhance payment card data security | |
| SANS | SANS | Information Security Policy Templates for network, server and web application security; includes the OWASP risk rating | |
| SCADA Security | Digital Guardian | Collection of papers about SCADA security | |
| TOGAF® Standard | The Open Group | Implement secure business and systems architecture | Commercial, 90-day trial available |
| VISP / VICP | Veracode | Veracode Information Security Policy (VISP) and Veracode Information Confidentiality | |
| TickITPlus | GAGASQ SQ - Global Association for Software Quality AISBL | Standard for software providers | |