Meditations
Apr 29th, 2007 by John Gerber
“She is too fond of books, and it has turned her brain.” — Louisa May Alcott
I wanted to post a few more references. Hopefully, I will even find time to read these documents. I have referenced various NIST SP documents many times in this blog. On Friday, they published a guide to NIST information security documents. They describe the document as follows:
In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting the Guide to NIST Computer Security Documents (.pdf). In addition to being listed by type and number, the Guide presents three ways to search for documents: by Topic Cluster, by Family, and by Legal Requirement. This Guide is current through the end of FY 2006.
Information Systems Audit and Control Association (ISACA) has released several documents to its members. For the general public, these documents will be released in May. These documents include:
- COBIT 4.1 — To get a quick overview of how COBIT 4.1 differs from 4.0, please see the page titled, “How COBIT 4.1 Changed From 4.0.”
- IT Governance Implementation Guide: Using COBIT and VAL IT, 2nd Edition — I really have not done much with VAL IT. For now, it will be interesting to have as a reference.
- COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition — The guide states that its "control practices provide control approaches consisting of practices that are necessary and sufficient for achieving COBIT control objectives."
- IT Assurance Guide: Using COBIT — This guide "provides detailed guidance on how COBIT can be used to support a variety of assurance activities, such as planning, scoping and assessing risks and how an assurance review can be performed for each of the 34 COBIT processes."
- COBIT Security Baseline, 2nd Edition — This is the guide that I was most interested in. Unfortunately, it will not be available until May 14th. The guide "helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework."
This week I paid membership dues to get access to areas on the Open Compliance & Ethics Group (OCEG) site. OCEG has been working with Compliance Week on the Governance, Risk and Compliance (GRC) Illustrated series. OCEG also produces the Foundation “Red Book” which “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.” M. E. Kabay from Network World did a nice writeup on the Red Book’s approach to risk management in his article, “OCEG Red Book on risk management.” A final document from OCEG that I want to review is the “Benchmarking Survey Comprehensive Summary Report.”
Finally, in my last post, titled "Forensic Resources," I listed a few other things I will be investigating in the computer forensic arena. Of course, I will also be preparing for my SANS Security 508 course (System Forensics, Investigation & Response) and taking the GIAC Certified Forensics Analyst (GCFA) certification exam.
Many times, I feel like Lloyd Bridges in the movie Airplane. "Looks like I picked the wrong week to quit smoking." While I might not smoke, nor do any of the other things Lloyd's character chose the wrong week to give up, I did decide to give up hard-core caffeine. I went from Pepsi's Mountain Dew Code Red to basic green tea. According to Wikipedia's Caffeine entry, green tea has about half the caffeine of Code Red. That scales me back far enough that I no longer have caffeine withdrawal headaches. Maybe one day I will figure out how to get all my work done while getting relatively normal amounts of sleep. One can always dream. Such is the life of a security monk.
