IST-456 Security Management




These Web-based resources are provided as value-added for IST-456. The resources have been compiled by Dr. Gerry Santoro, often with the aid of IST-456 students. The resources are optional reading. They are roughly arranged into categories, although in some cases the categorization may be rough. These resources are obtained from government sources, industry sources, Web sites and white papers. I will constantly add resources to this site. Contributions are always welcomed!


An excellent source of information is the SANS Information Security Reading Room. Some of the papers are listed in the topics below.


Penn State Resources


         Penn State Center for Cyber-Security, Information Privacy and Trust -

         Penn State Cyber-Security Lab -



US Government Resources


NOTE: Some of these, such as NIST documents, may be listed below in topical areas.


         NSA Information Assurance advice and resources -

         US Computer Emergency Readiness Team --

         Complete list of NIST Information Security Publications --

         NICCS National Initiative for Cybersecurity Careers and Studies -



Hacking Educational Resources


Security professionals must understand how systems are attacked and compromised in order to effectively protect those systems. Following is a list of Web sites that provide learning resources for ethical hacking.


         Hack This Site -

         Hack This! -

         Hack in the Box -

         Hack a Day -

         Evil Zone -




General Resources


         A Risk Management Reading List --

         US Computer Emergency Readiness Team --

         Security Tube --

         IT Security White Papers --


Security Blogs

         Bruce Schneier Crypt-O-Gram --

         Secure State Blog --

         Krebs on Security --




Planning for Security and Contingencies


         Contingency Planning Guide for Federal Information Systems --

         Guide for Developing Security Plans for Federal Information Systems --

         Computer Security Incidents: Assessing, Managing, And Controlling The Risks - ITL Security Bulletin --

         Techniques for System and Data Recovery - ITL Security Bulletin --

         System and Network Security Acronyms and Abbreviations --

         Guide to Integrating Forensic Techniques into Incident Response --

         Office of the President of the United States: International Strategy for Cyberspace --



Information Security Policy


         Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) --

         Information Security Guide For Government Executives --

         Commercial product: Security Policies Made Easy --



Developing the Security Program


         Building an Information Technology Security Awareness and Training Program --

         An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule --

         Implementing an Effective IT Security Program (SANS) --

         Creating the Effective Security Awareness Program --

         Building a Security Awareness Program --

         Success Strategies for Security Awareness --



Security Management Models


         Minimum Security Requirements for Federal Information and Information Systems --

         Standards for Security Categorization of Federal Information and Information Systems --

         An Overview Of The Common Criteria Evaluation And Validation Scheme - ITL Security Bulletin --

         Systemic Security Management: The ICIIP Model --



Security Management Practices


         Guide for Security-Focused Configuration Management of Information Systems --

         Technical Guide to Information Security Testing and Assessment --

         IT Security Metrics - ITL Security Bulletin --

         Information Security Continuous Monitoring for Federal Information Systems and Organizations --

         Security Guide for Interconnecting Information Technology Systems --

         Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach --

         Comparison of Security Management Practices --

         Information Security Program Guide for State Agencies (California Office of Information Security and Privacy Protection) --



Risk Management: Identifying and Controlling Risk


         Recommended Security Controls for Federal Information Systems and Organizations --

         Specification for Asset Identification 1.1 --

         Secure Hash Standard (SHS) --

         GIAC G2700 Certified ISO-27000 Specialist --

         ISO-2700 Central --

         History of ISO-27000 Standards --

         Many resources for ISO-27000 Standards --


         ESIS Open Source Executive Security Information System -

         Consulare Wiki for ESIS -

         Security for Cloud Computing: 10 Steps to Ensure Success -

         Comparison between ISO-27005, Octave and NIST SP 800-30 -



         Why the Emerging ISO-27000 Series are vital for Business Resilience --

         ISO/IEC 27001:2013 Plain English Introduction -

         ISO/IEC 27002:2013 Old versus New -

         ISO/IEC 27002:2013 Translated into Plain English -

         Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 -


Vulnerabilities and Threats


         The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems --

         Computer Attacks: What They Are and How to Defend Against Them - ITL Security Bulletin --

         Guide to Malware Incident Prevention and Handling --

         National Vulnerability Database: Helping Information Technology System Users And Developers Find Current Information About Cyber Security Vulnerabilities - ITL Security Bulletin --

         Creating A Program To Manage Security Patches And Vulnerabilities: NIST Recommendations For Improving System Security - ITL Security Bulletin --

         Norton Cybercrime Report 2011 --


Protection Mechanisms


         Guidelines for Securing Wireless Local Area Networks (WLANs) --

         Guidelines on Security and Privacy in Public Cloud Computing --

         Guide to Intrusion Detection and Prevention Systems (IDPS) --

         Guidelines on Firewalls and Firewall Policy --

         Biometrics - Technologies for Highly Secure Personal Authentication - ITL Security Bulletin --

         Guide to SSL VPNs --

         Advanced Encryption Standard --

         Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations --

         Federal Agency Use of Public Key Technology for Digital Signatures and Authentication --

         Guideline for Implementing Cryptography in the Federal Government --

         DoD Cyber Protect Network Security Game --

         TLS Transport Layer Security --

         SSL Certificates --

         Free Online Antivirus, Spyware and Firewall reviews --


Personnel and Security


         CompTIA+ Practice Exams --

         CompTIA Certification --

         CISSP Certification --

         CISSP Practice Test --



Security Law and Ethics


         The Legal System and Ethics in Information Security (SANS) --

         Legal, Ethical and Professional Issues in Information Security --

         Information Security Law and Ethics --

         Computer Ethics --

         An Analysis of Ethics as a Foundation of Information Security in Distributed Systems --

         GIAC Code of Ethics --

         ISSA Code of Ethics --

         ISC2 Code of Ethics --

         SANS IT Code of Ethics --