Educause Security Discussion mailing list archives
Re: checklists/auditing within the IT department
From: "Harris, Michael C." <HarrisMC () HEALTH MISSOURI EDU>
Date: Fri, 12 Dec 2008 08:45:24 -0600
Below is the set of links I hand out the first day of the InfoSec class I teach here at the University of Missouri. For the midterm of the class the students each pick a framework area and make themselves the class expert on that area (NIST, COBIT, 17799, HIPAA, etc.); then as a final they as a group produce a crosswalk of the security frameworks, which they present to our local InfraGard chapter and state security team members as their judges. Here is a link to last year's copy:

http://web.missouri.edu/~harrismc/8435/crosswalk_w_07/SuperCrossWalk%2005-01-07.xls

Since the class has a health science focus it is keyed to the HIPAA element numbers.

Security links handout, HMI 8435

First, a lexicon of all the information security terms and acronyms
http://csrc.nist.gov/acroymn.html

Good security overview & executive review
http://www.cert.org/archive/pdf/05tn023.pdf

NIST Publications
http://csrc.nist.gov/publications/nistpubs/

NIST Drafts
http://csrc.nist.gov/publications/drafts.html

Best of the NIST...

NIST 800-66 Guide for Implementing HIPAA

NIST 800-53 Recommended Security Controls (the main reference standard - mh)
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
  Annex 1: Consolidated Security Controls - Low Baseline
  http://csrc.nist.gov/publications/nistpubs/800-53/800-53-annex1.pdf
  Annex 2: Consolidated Security Controls - Moderate Baseline
  http://csrc.nist.gov/publications/nistpubs/800-53/800-53-annex2.pdf
  Annex 3: Consolidated Security Controls - High Baseline
  http://csrc.nist.gov/publications/nistpubs/800-53/800-53-annex3.pdf

NIST 800-55 Security Metrics Guide
http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf

NIST 800-26 Security Self-Assessment Guide
http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf

NIST 800-70 Security Configuration Checklist Program
http://csrc.nist.gov/checklists/download_sp800-70.html

Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
http://csrc.nist.gov/itsec/download_WinXP.html

NIST - Computer Security Resource Center
http://csrc.nist.gov/index.html

NIST - Draft publications
http://csrc.nist.gov/publications/drafts.html

ISF Information Security Standard
http://www.isfsecuritystandard.com/pdf/standard.pdf

FDA 21 CFR 11 re electronic signature standard
http://www.fda.gov/ora/compliance_ref/part11
http://www.fda.gov/ora/compliance_ref/part11/FRs/background/pt11finr.pdf

FIPS
http://csrc.nist.gov/publications/fips/index.html

FIPS 200 Minimum Security Requirements for Federal Information Systems
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

FIPS 199 Standards for Security Categorization of Federal Information Systems
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

FIPS 191 Guideline for the Analysis of Local Area Network Security
http://csrc.nist.gov/publications/fips/fips191/fips191.pdf

Summary of Federal acts, amendments and rules
http://csrc.nist.gov/policies/index.html

SANS
  Internet Storm Center
  http://isc.sans.org
  Library & Reading Room
  http://www.sans.org/rr/
  Policy project
  http://www.sans.org/resources/policies/

FISMA - Federal Information Security Management Act
http://csrc.nist.gov/sec-cert/index.html

FASP - Federal agency security best practices
http://csrc.nist.gov/fasp/

HIPAA
http://www.hipaa.org/
http://www.hhs.gov/ocr/hipaa/

WEDI - SNIP
http://www.wedi.org/

FERPA - Family Educational Rights and Privacy Act
  Dept. of Education FERPA Regulations
  http://www.ed.gov/offices/OM/fpco/ferparegs.pdf
  http://www.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf
  Family Policy Compliance Office
  http://www.ed.gov/offices/OM/fpco/
  Family Educational Right to Privacy Act (Buckley Amendment 4/93)
  http://www.cpsr.org/cpsr/privacy/law/education_records_privacy.txt
  Council on Law in Higher Education
  http://clhe.org

PDD-63 Presidential Directive 63
http://www.fas.org/irp/offdocs/pdd/pdd63.htm
http://www.cybercrime.gov/white_pr.htm
http://www.uhuh.com/laws/pdd63.htm

GLBA
http://www.ftc.gov/privacy/glbact/glbsub1.htm
http://banking.senate.gov/conf/grmleach.htm
http://www.epic.org/privacy/glba

Sarbanes-Oxley
http://files.findlaw.com/news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
http://www.soxtoolkit.com

Clinger-Cohen Act of 1996 (40 U.S.C. 1401(3))
http://irm.cit.nih.gov/itmra/itmra96.html
http://www.intervista-institute.com/resources/clinger-cohen-act.html

Patriot Act (now Patriot II)

JCAHO mandates
http://www.health-infosys-dir.com/na_desc.htm
http://www.health-infosys-dir.com/IM_Strategic_Plans_for_JCAHO.htm

PCI - Payment Card Industry mandates
  Merchant levels defined
  https://sdp.mastercardintl.com/merchants/merchant_levels.shtml
  Security standard
  http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
  https://sdp.mastercardintl.com/pdf/pcd_manual.pdf
  Audit procedures
  https://sdp.mastercardintl.com/doc/pci_audit_procedures.doc
  Self-assessment questionnaire
  https://sdp.mastercardintl.com/doc/758_pci_self_assmnt_qust.doc
  Scanning procedures
  https://sdp.mastercardintl.com/pdf/pcs_manual.pdf
  Scanning requirements for vendors or self scanners
  https://sdp.mastercardintl.com/pdf/srv_entire_manual.pdf
  Wireless risk
  https://sdp.mastercardintl.com/pdf/wl_entire_manual.pdf

Guidelines for Academic Medical Centers on Security and Privacy
http://www.aamc.org/members/gir/gasp/amchipaasecurityandprivacyguidelines.pdf
http://www.aamc.org/members/gir/gasp/

ITIL
http://en.wikipedia.org/wiki/ITIL
http://www.ogc.gov.uk/index.asp?id=1000367

ISO 17799, BS7799, ISO 27001
http://www.computersecuritynow.com
http://www.17799.com
http://17799.macassistant.com
http://www.27001-online.com
http://27001.denialinfo.com
http://www.27005.net

COBIT
http://www.isaca.org/Template.cfm?Section=COBIT_Online&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15633
Current thread:
- checklists/auditing within the IT department Youngquist, Jason R. (Dec 10)
- <Possible follow-ups>
- Re: checklists/auditing within the IT department Basgen, Brian (Dec 10)
- Re: checklists/auditing within the IT department Aaron Kirby (Dec 10)
- Re: checklists/auditing within the IT department Doug Markiewicz (Dec 11)
- Re: checklists/auditing within the IT department Scott O. Bradner (Dec 11)
- Re: checklists/auditing within the IT department John Ladwig (Dec 11)
- Re: checklists/auditing within the IT department Brad Judy (Dec 11)
- Re: checklists/auditing within the IT department Kathy Bergsma (Dec 12)
- Re: checklists/auditing within the IT department Harris, Michael C. (Dec 12)