Standards & Guidelines - InfoSec Standards Recommended by Governing Bodies

BSO - British Standards Organization

• BS 7799 - Code of Practice for Information Security Management (Search for BS 7799 / for purchase)
• BSO 7799 Community Portal
  
  
  

ISO - International Organization for Standardization

• ISO/IEC 17799 - Code of Practice for Information Security Management (for purchase)
  ISO/IEC 17799 transforms the British Standard BS 7799, which has been adopted in many countries, into an International Standard and it is expected to become the reference document for codes of good practice to ensure secure and trustworthy e-commerce.

• ISO 17799 Community Portal
  
  
  

NIST - National Institute of Standards and Technology

• SP 800-12 An Introduction to Computer Security: The NIST Handbook
  Provides guidance on the fundamentals of information system security and an introduction to the selection of security controls and services.

• SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (Appendix A-D , Appendix E)
  Explains a framework for IT security training requirements and emphasizes results-based learning.

• SP 800-18 Guide for Developing Security Plans for Information Technology Systems
  Discusses developing and updating security plans.

• SP 800-23 Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  Discusses the concept of assurance in the acquisition and use of security products.

• SP 800-24 PBX Vulnerability Assessment - Finding Holes in Your PBX Before Someone Else Does
• SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
  Assists federal agencies in using PKI for digital signatures and authentication over open networks.

• SP 800-30 Risk Management Guide for Information Technology Systems
  Discusses the risk-based approach to security and provides guidance on conducting risk assessments.

• SP 800-31 Intrusion Detection Systems (IDS)
  Provides information on using and deploying Intrusion Detection Systems.

• SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
  Advises federal organizations on how to determine if a PKI is appropriate for them and how to use PKI services effectively.

• SP 800-33 Underlying Technical Models for Information Technology Security
  Provides information on IT security engineering principles and concepts for IT systems.

• SP 800-34 Contingency Planning Guide for Information Technology Systems
  Guides organizations in preparing and maintaining IT contingency plans.

• SP 800-36 Guide to Selecting Information Technology Security Products
  Helps organizations select cost-effective and useful products for their IT systems.

• SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
  Describes the fundamental concepts of the certification and accreditation processes, and details the various tasks in the processes.

• SP 800-41 Guidelines on Firewalls and Firewall Policy
  Provides information on using and deploying firewalls.

• SP 800-42 Guideline on Network Security Testing
  Describes available security testing techniques, their strengths and weaknesses, and the recommended frequencies for testing as well as strategies for deploying network security testing.

• SP 800-43 Systems Administration Guidance for Windows 2000 Professional
• SP 800-44 Guidelines on Securing Public Web Servers
• SP 800-45 Guidelines on Electronic Mail Security
• SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
  Discusses wireless security issues for local area networks, personal area networks, and handheld devices.

• SP 800-50 Building an Information Technology Security Awareness and Training Program
  Provides guidelines to help federal organizations meet their security training responsibilities and build a comprehensive awareness and training program.

• SP 800-53 Recommended Security Controls for Federal Information Systems
  Provides information about selecting security controls to meet the security requirements for the system

• SP 800-55 Security Metrics Guide for Information Technology Systems
  Helps organizations understand the importance of using metrics and developing a metrics program.

• SP 800-61 Computer Security Incident Handling Guide
• SP 800-64 Security Considerations in the Information System Development Life Cycle
  Discusses the analysis of system security requirements and methods for incorporating security into IT procurements.

• SP 800-68 Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist