Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: checklists/auditing within the IT department
From: "Harris, Michael C." <HarrisMC () HEALTH MISSOURI EDU>
Date: Fri, 12 Dec 2008 08:45:24 -0600

Below is the set of links I hand out the first day of the InfoSec class I teach here University of Missouri, 

 

For the mid term of the class the students each pick a framework area and make themselves the class expert on that area 
(NIST, COBIT, 17799 HIPAA etc) then as a final they as a group produce a cross walk of the security frameworks, which 
hey present to our local Infraguard chapter and state security team members as their judges.  Here is a link to last 
year's copy. http://web.missouri.edu/~harrismc/8435/crosswalk_w_07/SuperCrossWalk%2005-01-07.xls  since the class has a 
health science focus it is keyed to the HIPAA element numbers.

 

 

 

Security links handout HMI 8435 

 

First A Lexicon to all the Information security terms and acronyms

      http://csrc.nist.gov/acroymn.html

 

Good security overview & executive review

http://www.cert.org/archive/pdf/05tn023.pdf

 

NIST Publications http://csrc.nist.gov/publications/nistpubs/

NIST Drafts http://csrc.nist.gov/publications/drafts.html

      

      Best of the NIST...

      NIST 800-66 Guide for implementing HIPAA  

      NIST 800-53 Recommended security Controls

            Recommended Security Controls (the main reference standard-mh)

            http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf

            Annex 1: Consolidated Security Controls-Low Baseline 

            http://csrc.nist.gov/publications/nistpubs/800-53/800-53-annex1.pdf

            Annex 2: Consolidated Security Controls-Moderate Baseline

            http://csrc.nist.gov/publications/nistpubs/800-53/800-53-annex2.pdf

            Annex 3: Consolidated Security Controls-High Baseline 

            http://csrc.nist.gov/publications/nistpubs/800-53/800-53-annex3.pdf

      NIST 800-55 Security Metrics Guide

      http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf

      NIST 800-26 Security Self assessment guide

      http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf

      NIST 800-70 Security Configuration Checklist program

      http://csrc.nist.gov/checklists/download_sp800-70.html

      Guidance for Securing Microsoft Windows XP Systems for IT Professionals: 

A NIST Security Configuration checklist

      http://csrc.nist.gov/itsec/download_WinXP.html

 

NIST - Computer Security Resource Center

      http://csrc.nist.gov/index.html

 

NIST - Draft publications

http://csrc.nist.gov/publications/drafts.html

 

ISF Information security standard

      http://www.isfsecuritystandard.com/pdf/standard.pdf

 

FDA  21 CFR 11 re electronic signature standard

      http://www.fda.gov/ora/compliance_ref/part11

      http://www.fda.gov/ora/compliance_ref/part11/FRs/background/pt11finr.pdf

 

FIPS  http://csrc.nist.gov/publications/fips/index.html

      FIPS 200 Minimum Security Requirements for Federal Information Systems

      http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

      FIPS 199 Standards for Security Categorization of Federal Information Systems

      http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

      FIPS 191 Guideline for The Analysis of Local Area Network Security 

      http://csrc.nist.gov/publications/fips/fips191/fips191.pdf

      

Summary Federal acts amendments and rules

      http://csrc.nist.gov/policies/index.html

 

SANS  Internet storm center   http://isc.sans.org <http://isc.sans.org/> 

      Library & Reading room  http://www.sans.org/rr/

      Policy project          http://www.sans.org/resources/policies/

 

FISMA Federal Information Security Management Act 

      http://csrc.nist.gov/sec-cert/index.html

 

FASP Federal agency security best practices

      http://csrc.nist.gov/fasp/

 

HIPAA http://www.hipaa.org/ 

      http://www.hhs.gov/ocr/hipaa/

      WEDI - SNIP http://www.wedi.org/

 

FERPA Family Educational Rights and Privacy Act Regulations

 

      DPT. OF Education FERPA Regulations 

      http://www.ed.gov/offices/OM/fpco/ferparegs.pdf

      http://www.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf

      Family Policy Compliance Office http://www.ed.gov/offices/OM/fpco/

      Family Educational Right to Privacy Act. (Buckley Amendment 4/93)

      http://www.cpsr.org/cpsr/privacy/law/education_records_privacy.txt

      Council on Law in Higher Education http://clhe.org <http://clhe.org/> 

 

PDD-63 Presidential directive 63

      http://www.fas.org/irp/offdocs/pdd/pdd63.htm

      http://www.cybercrime.gov/white_pr.htm

      http://www.uhuh.com/laws/pdd63.htm

 

GLBA http://www.ftc.gov/privacy/glbact/glbsub1.htm <http://www.ftc.gov/privacy/glbact/glbsub1.htm> 

      http://banking.senate.gov/conf/grmleach.htm <http://banking.senate.gov/conf/grmleach.htm> 

      http://www.epic.org/privacy/glba <http://www.epic.org/privacy/glba> 

 

Sarbanes Oxley

      http://files.findlaw.com/news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf 
<http://files.findlaw.com/news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf> 

      http://www.soxtoolkit.com <http://www.soxtoolkit.com/> 

 

Clinger-Cohen Act of 1996 (40 U.S.C. 1401(3))

      http://irm.cit.nih.gov/itmra/itmra96.html

      http://www.intervista-institute.com/resources/clinger-cohen-act.html

 

 

Patriot Act (now Patriot II)

 

JCAHO mandates

      http://www.health-infosys-dir.com/na_desc.htm <http://www.health-infosys-dir.com/na_desc.htm> 

      http://www.health-infosys-dir.com/IM_Strategic_Plans_for_JCAHO.htm 
<http://www.health-infosys-dir.com/IM_Strategic_Plans_for_JCAHO.htm> 

 

 

PCI - Payment Card Industry mandates

      Merchant levels defined

      https://sdp.mastercardintl.com/merchants/merchant_levels.shtml

 

      Security standard

      http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

      https://sdp.mastercardintl.com/pdf/pcd_manual.pdf

Audit procedures https://sdp.mastercardintl.com/doc/pci_audit_procedures.doc

      Self assessment questionnaire

      https://sdp.mastercardintl.com/doc/758_pci_self_assmnt_qust.doc

      Scanning procedures

      https://sdp.mastercardintl.com/pdf/pcs_manual.pdf

      Scanning requirements for vendors or self scanners

      https://sdp.mastercardintl.com/pdf/srv_entire_manual.pdf

      Wireless risk

      https://sdp.mastercardintl.com/pdf/wl_entire_manual.pdf

 

Guidelines for Academic Medical Centers on Security and Privacy

      http://www.aamc.org/members/gir/gasp/amchipaasecurityandprivacyguidelines.pdf

      http://www.aamc.org/members/gir/gasp/

 

ITIL  http://en.wikipedia.org/wiki/ITIL

      http://www.ogc.gov.uk/index.asp?id=1000367

 

ISO 17799, BS7799, ISO 27001

      http://www.computersecuritynow.com <http://www.computersecuritynow.com/> 

      http://www.17799.com <http://www.17799.com/> 

      http://17799.macassistant.com <http://17799.macassistant.com/> 

http://www.27001-online.com <http://www.27001-online.com/> 

http://27001.denialinfo.com <http://27001.denialinfo.com/> 

http://www.27005.net <http://www.27005.net/> 

 

COBIT

http://www.isaca.org/Template.cfm?Section=COBIT_Online&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15633 
<http://www.isaca.org/Template.cfm?Section=COBIT_Online&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15633> 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault