Aug 16 2017
The following sources are recommended references for ongoing management and implementation of Governance, Risk and Compliance:
COSO (https://www.coso.org) – The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: Effectiveness and efficiency of operations, Reliability of financial reporting, and Compliance with applicable laws and regulations.”
COBIT (https://www.isaca.org) – COBIT is a good-practice framework created by the international professional association ISACA for information technology management and IT governance. COBIT provides an implementable “set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers.”
ITIL (https://www.axelos.com) – ITIL, formally an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
CMMI (http://cmmiinstitute.com) – The Capability Maturity Model Integration is a process model that provides a clear definition of what an organization should do to promote behaviours that lead to improved performance. With five “Maturity Levels” or three “Capability Levels,” the CMMI defines the most important elements that are required to build great products, or deliver great services, and wraps them all up in a comprehensive model.
ISO 15504 (https://www.iso.org/standard/60555.html) – ISO 15504 is the reference model for maturity models (consisting of capability levels, which in turn consist of process attributes, which further consist of generic practices) against which assessors place the evidence they collect during an assessment, so that they can give an overall determination of the organization’s capability for delivering products (software, systems, and IT services).
ISO 20000 (https://www.iso.org/standard/51986.html) – The ISO 20000 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
ISO 27000 (https://www.iso.org/isoiec-27001-information-security.html) – The ISO/IEC 27000 family of mutually supporting information security standards (also known as the ISO 27000 series) is developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide a globally recognised framework for best-practice information security management (ISMS).
ISO 31000 (https://www.iso.org/iso-31000-risk-management.html) – ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.
NESA (http://www.nesauae.org) – The National Electronic Security Authority is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cyber security.
NIST 800-53 (https://nvd.nist.gov/800-53) – NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations.
OWASP (https://www.owasp.org/) – The Open Web Application Security Project, an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
PCI DSS (pcisecuritystandards.org) – The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
Critical Security Controls (https://uk.sans.org/critical-security-controls) – The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners.
SDLC (https://en.wikipedia.org/wiki/Systems_development_life_cycle) – The systems development life cycle (SDLC), also referred to as the application development life-cycle, is a term used in systems engineering, information systems and software engineering to describe a process for planning, creating, testing, and deploying an information system. The systems development lifecycle concept applies to a range of hardware and software configurations, as a system can be composed of hardware only, software only, or a combination of both.