Keywords: IT
This document provides a linkage between the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and certain federal regulatory requirements and international standards. This linkage is presented in the form of a "map" that highlight ...
As technology advances, so do schemes to commit fraud. Yet technology can be used not only to perpetrate fraud but also to prevent and detect it. Using technology to implement real-time fraud prevention and detection programs will enable organizat ...
Using the IT-CMF, top executives and practitioners can adopt four inter-related strategies and associated maturity curves to help manage and deliver more value from IT. The IT-CMF is the result of the synthesis of leading academic research, industry best ...
This prudential practice guide (PPG) targets areas where APRA’s ongoing supervisory activities continue to identify weaknesses. Topics addressed include the importance of an overarching framework, systematic IT asset life-cycle management, effective monit ...
A set of key security outcome and practice metrics developed by a team of more than 150 government, private, and academic experts. Metrics cover the following business functions: Application Security (Number of Applications ...
The Building Security In Maturity Model (BSIMM) is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. ...
This document supports the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting inf ...
ISO 27001 builds on BS 7799 with much more guidance on information security measurement and metrics. This paper complements the ISO/IEC standard for information security management systems by exploring: 1) security measurement objectives, 2) what security ...
The Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare and the XSPA Profile of the eXtensible Access Control Markup Language (XACML) enable hospitals and other service provide ...
This project supports the US Department of Homeland Security (DHS) Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements) is the identification, enhancement and development of sof ...
This document describes the foundations of metrics, discusses application of these metrics to control system environments, introduces a metrics taxonomy, and suggests usage of metrics to achieve operational excellence. The security metrics work package ...
This paper proposes a novel approach to help computing system administrators in monitoring the security of their systems. This approach is based on modeling the system as a privilege graph exhibiting operational security vulnerabilities and on transf ...
The second edition of the Cloud Security Alliance (CSA) published guidelines for secure cloud computing, including an architectural framework, authoritative definition of cloud computing, and recommendations around cloud security. The CSA report tackles ...
This Guide identifies and describes the key characteristics that make up any effective risk assessment methodology, thus providing a common set of criteria for evaluating any given risk assessment methodology against a clearly defined common set of essent ...
To encourage a more widespread adoption of interoperable health information technology, The American Recovery and Reinvestment Act of 2009 calls for the Office of the National Coordinator (ONC) for Health IT, in consultation with NIST, to recognize a prog ...
A framework for businesses, non-profits, and governmental agencies. Considerations should include but not be limited to preventative, containment, and reactive practices and business policies. Key components include: 1. Data Classification 2. A ...
Effective use of an enterprise architecture (EA) is a hallmark of successful organizations and an essential means to achieving a desired end: having operations and technology environments that maximize institutional mission performance and outcomes. Among ...
This document describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requir ...
The FDIC, with the other FFIEC agencies, has issued the attached guidance, which describes updated supervisory expectations regarding customer authentication, layered security, and other controls in an increasingly hostile online environment. Financial in ...
The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes enhanced authentication ...