Security Good Practices

This page contains a list of URLs that contain good practice guides, audit procedures and technology standards that are freely available.

  • ISF - The Standard Of Good Practice

    The Standard of Good Practice for Information Security (the Standard) is the foremost authority on information security. It addresses information security from a business perspective, providing a practical basis for assessing an organisation’s information security arrangements.
    The Standard represents part of the ISF's information risk management suite of products and is based on a wealth of material, in-depth research, and the extensive knowledge and practical experience of ISF Members worldwide.
    The Standard is updated at least every two years in order to:
    • respond to the needs of leading international organisations
    • refine areas of best practice for information security
    • reflect the most up-to-date thinking in information security
    • remain aligned with other information security-related standards, such as ISO 27002 (17799), COBIT v4.1 and PCI/DSS
    • include information on the latest ‘hot topics’.
  • NIST - National Institute of Standards and Technology - Publications

    Organizations in all sectors of the economy depend upon information systems and communications networks, and share common requirements to protect sensitive information. ITL works with industry and government to establish secure information technology systems for protecting the integrity, confidentiality, reliability, and availability of information.
    Under FISMA Act of 2002, the Computer Security Division of the Information Technology Laboratory (ITL) develops computer security prototypes, tests, standards, and procedures to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support.
    These publications present the results of NIST studies, investigations, and research on information technology security issues.
    The publications are issued as Special Publications (Spec. Pubs.), NISTIRs (Internal Reports), and ITL (formerly CSL) Bulletins. Special Publications series include the Spec. Pub. 500 series (Information Technology) and the Spec. Pub. 800 series (Computer Security). Computer security-related Federal Information Processing Standards (FIPS) are also included.
  • NIST - National Institute of Standards and Technology - Special Publications

    Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
  • DISA checklists
  • Information Systems Security Assessment Framework (ISSAF)

    The Information Systems Security Assessment Framework (ISSAF) seeks to integrate the following management tools and internal control checklists:
    • Evaluate the organizations information security policies & processes to report on their compliance with IT industry standards, and applicable laws and regulatory requirements
    • Identify and assess the business dependencies on infrastructure services provided by IT
    • Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities that could result in potential risks to information assets
    • Specify evaluation models by security domains to :
      • Find mis-configurations and rectify them
      • Identifying risks related to technologies and addressing them
      • Identifying risks within people or business processes and addressing them
      • Strengthening existing processes and technologies
      • Provide best practices and procedures to support business continuity initiatives
  • OSSTMM - Open Source Security Testing Methodology Manual
  • Center for Internet Security - Benchmarks and Tools
  • NSA - Security Configuration Guides
  • Generally Accepted Information Security Principles (GAISP)


You might also be interested in...