
What Is Truth to Power?

dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
built to create a common pool of knowledge—one big brain—that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are helping people like you already, but in fractured ways.
against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it—without undue cost, bias, or hype.

Tags: security

Rules & Standards
Issuer: US FFIEC
Country: US

A chapter of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) providing guidance to examiners and financial institutions on audit roles and responsibilities. General action indication ...

Issuer: CIS
Country: US

A set of key security outcome and practice metrics developed by a team of more than 150 government, private, and academic experts. Metrics cover the following business functions: * Application Security o Number of Applications ...

Issuer: IIA
Country: Multi

As technology advances, so do schemes to commit fraud. Therefore, technology can not only be used to perpetrate fraud, but also to prevent and detect it. Using technology to implement real-time fraud prevention and detection programs will enable organizat ...

Issuer: OASIS
Country: US

The Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare and the XSPA Profile of the eXtensible Access Control Markup Language (XACML) enable hospitals and other service provide ...

Issuer: CSA
Country: Multi

The second edition of the Cloud Security Alliance (CSA) published guidelines for secure cloud computing, including an architectural framework, authoritative definition of cloud computing, and recommendations around cloud security. The CSA report tackles ...

Issuer: IWS
Country: Multi

ISO 27001 builds on BS 7799 with much more guidance on information security measurement and metrics. This paper complements the ISO/IEC standard for information security management systems by exploring: 1) security measurement objectives, 2) what security ...

Issuer: http://www.metricscenter.net
Country: Multi

The MetricsCenter is a for-pay service dedicated to providing accessible and mathematically sound security metrics design, derivation, and delivery services to Information Security practitioners. Rigorous quantitative analysis is required to free secur ...

Issuer: APRA
Country: AU

This prudential practice guide (PPG) targets areas where APRA’s ongoing supervisory activities continue to identify weaknesses. Topics addressed include the importance of an overarching framework, systematic IT asset life-cycle management, effective monit ...

Issuer: NIST
Country: US

This document supports the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting inf ...

Issuer: Sandia
Country: US

This document describes the foundations of metrics, discusses application of these metrics to control system environments, introduces a metrics taxonomy, and suggests usage of metrics to achieve operational excellence. The security metrics work package ...

A framework for businesses, non-profits, and governmental agencies. Considerations should include but not be limited to preventative, containment, and reactive practices and business policies. Key components include: 1. Data Classification 2. A ...

Issuer: NIST
Country: US

This project supports the US Department of Homeland Security (DHS) Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements) is the identification, enhancement and development of sof ...

Issuer: CNRS
Country: Multi

This paper proposes a novel approach to help computing system administrators in monitoring the security of their systems. This approach is based on modeling the system as a privilege graph exhibiting operational security vulnerabilities and on transf ...

Issuer: The Open Group
Country: Multi

This Guide identifies and describes the key characteristics that make up any effective risk assessment methodology, thus providing a common set of criteria for evaluating any given risk assessment methodology against a clearly defined common set of essent ...

Issuer: ISO/IEC
Country: Multi

ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27 ...

Issuer: Geer
Country: Multi

A substantive presentation describing definition, sourcing, application, interpretation, testing, cost effectiveness, calibration, and use of security measurement in a risk context. The presentation also provides insights on related concepts, such as st ...

Issuer: BSI
Country: Multi

This book provides guidance on the implementation of ISMS control requirements for auditing existing control implementations to help organizations preparing for certification in accordance with ISO/IEC 27001:2005 Information security management systems. R ...

Issuer: RMI
Country: Multi

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, an ...

Issuer: Microsoft
Country: Multi

Information security professionals traditionally had difficulty trying to justify their existence. IT security staff agree there should be some security controls in place, but trying to validate a defense in depth approach is difficult. Organizations ha ...

Issuer: Verizon
Country: Multi

VerIS is a set of metric definitions designed to provide a common language for describing security incidents in a structured and repeatable manner. The framework's goal is to lay a foundation on which security practitioners can constructively and coop ...