March 2nd, 2005, 05:24 PM
Industry Best Practices: Information/Links?
In my short time as an IT Auditor, one of the main things auditees ask for (besides wondering if I am human) is industry best practices that would assist them in complying with our corporate policies and standards while at the same time allowing them to avoid having to recreate the wheel (oh yes, a cliche). Anyway, I was going to suggest some information, and googled some more, but I thought I would also ask here and post what I have found so far. Would anyone have any thoughts on this? I was also going to suggest this community; however, many of the auditees may not be as immersed in the technology as many of us are. Then again, and most likely, I am incorrect, so please let me know if best practices have already been published here. The other reason for posting these is partly "trust but verify": just because the below are touted as "best practices", I wanted to run them by this community for verification.
I am looking for best practices for security (workstation, server, network, etc.) along with DRP/BCP. Also, as an FYI, I found sites that charge quite a bit for best practices; one security item cost about $350 for a single whitepaper. I will post the free ones I find and ask for others as well. I will also post the sites that are pay-for and mark them as such. Here is what I have so far:
Disaster Recovery Planning (DRP)/Business Continuity Planning (BCP)
Link verified 03MAR2005: Cisco DRP Whitepaper: http://www.cisco.com/warp/public/63/disrec.html#topic1
Link verified 03MAR2005: South Carolina Govt DRP Best Practices: http://www.cio.sc.gov/SCEA/DisasterR...tPractices.pdf
Link verified 03MAR2005: MOREnet Security Best Practices: http://www.more.net/security/best/index.html
Link verified 03MAR2005: System Experts Tutorials: http://www.systemexperts.com/tutorial.html
Link verified 03MAR2005: SQL Server Security: http://vyaskn.tripod.com/sql_server_..._practices.htm
Link verified 03MAR2005: Microsoft SQL Server Security: http://www.microsoft.com/technet/pro...ec04.mspx#EDAA
Link verified 03MAR2005: Red Hat/Fedora: http://lwn.net/Articles/123073/
Link verified 03MAR2005: CERT Security Improvement Modules: http://www.cert.org/security-improvement/
Link verified 03MAR2005: Cisco Networks: http://www.cisco.com/warp/public/126/secpol.html
There is a lot more that I found, which I will add here if deemed worthy, and I look forward to seeing other information/links I have not found yet.
March 2nd, 2005, 06:03 PM
NIST is starting to do some good work.
March 2nd, 2005, 06:30 PM
I'm surprised there is no mention of SANS. They have a wealth of information, and participate in many 'think tanks' and the creation of many standards.
Also, the GIAC white papers could be a HUGE wealth of this sort of information, if one wanted to search through the topics and such. I don't recall how easy it is to find data in that forum, but I know the content should be top notch.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
March 2nd, 2005, 06:55 PM