RE: Sources of network security templates or designs

[Sean Donelan <sean () donelan com>]

On Sat, 26 Jun 2010, Tomas L. Byrnes wrote:
> While the DISA STIGs are probably the archetype, you have to start with
> whatever the sponsoring or certifying authority uses, if you need to
> pass some audit later.

True, but even sponsoring and certifying authorities need to get 
information from somewhere.  So where should they get it from?

For example, amex/mastercard/visa/others created PCI security standards; 
and if all you want to do is achieve compliance with those security 
standards that's where you would stop.  But where should the people 
creating the PCI security standards look beyond their own world to find
better ideas to improve the next version?  Replace "PCI" with whatever 
your favorite group is... CAG, SOX, FDCC, etc.


> Those almost always reference NIST docs:
> http://www.nist.gov/itl/publications.cfm?defaultSearch=false&authorlist=
> &keywords=&topics=309&seriesName=&journalName=&datepicker1=&datepicker2=
> #

NIST documents are updated on a regular basis.  If part of your job was 
helping to update NIST documents, are there other resources to consider
when updating those documents?

Are there things in NIST documents you think could be improved?

> For generic sources, I agree with Cymru as a good resource, but my
> favorite is SANS.
>
> http://www.sans.org/reading_room/