INFORMATION SECURITY


okun

Security and Usability



Lorrie Faith Cranor, Simson Garfinkel
Publisher: O'Reilly
Pub Date: August 2005
ISBN: 0-596-00827-9
Pages: 738
Format: chm

Overview
Human factors and usability issues have traditionally played a limited role in security research and secure systems development. Security experts have largely ignored usability issues--both because they often failed to recognize the importance of human factors and because they lacked the expertise to address them.

But there is a growing recognition that today's security problems can be solved only by addressing issues of usability and human factors. Increasingly, well-publicized security breaches are attributed to human errors that might have been prevented through more usable software. Indeed, the world's future cyber-security depends upon the deployment of security technology that can be broadly used by untrained computer users.

Still, many people believe there is an inherent tradeoff between computer security and usability. It's true that a computer without passwords is usable, but not very secure. A computer that makes you authenticate every five minutes with a password and a fresh drop of blood might be very secure, but nobody would use it. Clearly, people need computers, and if they can't use one that's secure, they'll use one that isn't. Unfortunately, unsecured systems aren't usable for long, either. They get hacked, compromised, and otherwise rendered useless.

There is increasing agreement that we need to design secure systems that people can actually use, but less agreement about how to reach this goal. Security & Usability is the first book-length work describing the current state of the art in this emerging field. Edited by security experts Dr. Lorrie Faith Cranor and Dr. Simson Garfinkel, and authored by cutting-edge security and human-computer interaction (HCI) researchers world-wide, this volume is expected to become both a classic reference and an inspiration for future research.

Security & Usability groups 34 essays into six parts:

* Realigning Usability and Security--with careful attention to user-centered design principles, security and usability can be synergistic.
* Authentication Mechanisms--techniques for identifying and authenticating computer users.
* Secure Systems--how system software can deliver or destroy a secure user experience.
* Privacy and Anonymity Systems--methods for allowing people to control the release of personal information.
* Commercializing Usability: The Vendor Perspective--specific experiences of security and software vendors (e.g., IBM, Microsoft, Lotus, Firefox, and Zone Labs) in addressing usability.
* The Classics--groundbreaking papers that sparked the field of security and usability.

This book is expected to start an avalanche of discussion, new ideas, and further advances in this important field.

Here (7.57 MB) pass: http://netz.ru
Mirror

okun

Security+ Fast Pass



James Michael Stewart
Publisher: Sybex, 2004
ISBN: 0782143598
Format: pdf

Introduction
The Security+ certification program was developed by the Computer Technology Industry Association (CompTIA) to provide an industry-wide means of certifying the competency of computer service technicians in basics of computer security. The Security+ certification is granted to those who have attained the level of knowledge and security skills that show a basic competency with security needs of both personal and corporate computing environments.
CompTIA's exam objectives are periodically updated to keep their exams applicable to the most recent developments. However, this isn't a regular occurrence since the foundational elements remain constant even as the higher-end technology advances. The Security+ objectives themselves haven't been altered since the exam came out in 2002.

What Is Security+ Certification?

The Security+ certification was created to offer an introductory step into the complex world of IT security. You only need to pass a single exam to become Security+ certified. However, obtaining this certification doesn't mean you can provide realistic security services to a company. In fact, this is just the first step toward true security knowledge and experience. By obtaining Security+ certification, you should be able to acquire more security experience in order to pursue more complex and in-depth security knowledge and certification.
For the latest pricing on the exam and updates to the registration procedures, call Prometric at (866) 776-6387 or (800) 776-4276. You can also go to either www.2test.com or www.prometric.com for additional information or to register online. If you have further questions about the scope of the exams or related CompTIA programs, refer to the CompTIA website at www.comptia.org.

Is This Book for You?

Security+ Fast Pass is designed to be a succinct, portable exam review guide that can be used either in conjunction with a more complete study program (Sybex's Security+ Study Guide, 2nd Edition (Sybex, 2004), CBT courseware, classroom/lab environment) or as an exam review for those who don't feel the need for more extensive test preparation. It isn't our goal to give away the answers, but rather to identify those topics on which you can expect to be tested and to provide sufficient coverage of these topics.
Perhaps you've been working with information technologies for years. The thought of paying lots of money for a specialized IT exam-preparation course probably doesn't sound appealing. What can they teach you that you don't already know, right? Be careful, though—many experienced network administrators have walked confidently into the test center only to walk sheepishly out of it after failing an IT exam. After you've finished reading this book, you should have a clear idea of how your understanding of the technologies involved matches up with the expectations of the Security+ test makers.
Or perhaps you're relatively new to the world of IT, drawn to it by the promise of challenging work and higher salaries. You've just waded through an 800-page study guide or taken a class at a local training center. Lots of information to keep track of, isn't it? Well, by organizing the Fast Pass book according to CompTIA's exam objectives, and by breaking up the information into concise, manageable pieces, we've created what we think is the handiest exam review guide available. Throw it in your briefcase and carry it to work with you. As you read the book, you'll be able to quickly identify those areas you know best and those that require a more in-depth review.

Here (3.64 MB)
Mirror

okun

Security + Exam Guide (Testtaker's Guide Series)



Christopher A. Crayton
Charles River Media © 2003
416 pages
ISBN:1584502517
Format: chm

Back Cover
The Security+ Exam Guide provides exam candidates with the concepts, objectives, and test-taking skills needed to pass on their first attempt. Instead of covering every computer security topic, this book isolates those topics most likely to be addressed on the exam. Written by an experienced network administrator and CompTIA certified instructor, the book draws upon subject expertise and teaching experience to provide everything test takers need to know for successful test taking.

KEY FEATURES

  • Covers all domains and objectives for Security+, CompTIA’s newest certification exam
  • Provides chapter review questions and a complete cumulative practice exam
  • Guides the reader through the entire Security+ certification process from start to finish
  • Explains the test structure in detail, with useful exam and study techniques
  • Teaches the process of scheduling an exam and what to expect when you get to the test site
  • Written by an experienced network administrator and CompTIA certified instructor with an established record of teaching success

About the Author
Christopher A. Crayton is the author of A+ Adaptive Exams (Test Taker’s Guide Series). He is also a CompTIA certified instructor, and was recognized as “Teacher of the Year” by Keiser College in 2000.

Here (1.38 MB)
Mirror

okun

Windows Forensics and Incident Recovery



Harlan Carvey
Publisher : Addison Wesley
Pub Date : July 21, 2004
ISBN : 0-321-20098-5
Pages : 480
Format: chm

Preface
As long as networks of Microsoft Windows systems are managed, administered, and used by people, security incidents will occur. Regardless of whether we're talking about hundreds of corporate Windows workstations and servers or home user systems running Windows XP on broadband connections to the Internet, Windows systems will be attacked, compromised, and used for malicious purposes. This is not to say that only Windows systems will be attacked; rather, Windows systems are highly pervasive throughout the entire computing infrastructure, from home and school systems to high-end e-commerce sites. In contrast to this pervasiveness, information regarding conducting effective incident response and forensic audit activities on Windows systems is limited, to say the least. Attacks may come from insiders who have legitimate physical access to systems and are authorized to use them or from faceless individuals hiding in the shapeless ether of the Internet. Knowing this, anyone who manages or administers Windows systems (including the home user) needs to know how to react when he suspects that an incident has occurred.

When it comes to investigating and resolving computer security incidents, Windows systems lag well behind Linux and *nix systems. This gap can be attributed to a variety of reasons. One reason is a lack of detailed technical knowledge regarding Windows systems themselves on the part of administrators. This lack of understanding may be due at least in part to Microsoft's use of graphical user interfaces (GUIs) to control everything from the installation process to all aspects of system administration. Attackers and malicious users take steps to ensure that their activities remain hidden from view, particularly from the system's GUI tools such as the Event Viewer and the Task Manager. For example, enabling an audit policy requires that the system administrator navigate through multiple layers of the GUI, while an attacker can easily disable (and then reenable, if necessary) that audit policy with a single command line tool (which, incidentally, is provided for free from Microsoft).

Other reasons for the "incident response gap" include a lack of understanding regarding how to use available native and third-party tools to retrieve data and how to interpret the data that is collected from potentially infected or compromised systems. Many useful and powerful tools that mirror the functionality used on Linux systems are not available through either the Microsoft operating system distributions or the Resource Kits. Sites that make these tools available are scattered across the Internet, with no central location cataloguing them. This book was written to aid anyone investigating incidents that occur on Windows systems by providing information regarding the tools and techniques used to respond to incidents and conduct forensic audits.

This book arose out of a need that I, and I am sure others, have seen in the Microsoft Windows system administration community. Microsoft's network operating systems, beginning with Windows NT, are designed to be easy to use and manage. These systems come with some very powerful tools. As useful as these tools are to the administrator, they are also very useful to an attacker or to a malicious user. Most system administrators and owners spend their time dealing with Windows operating systems through the GUI, and in doing so, miss many of the important aspects of the operating system that go on "under the hood." For example, the Task Manager does not show the complete path to the executable image for each process, nor does it display the command line used to launch each process. This information is available using third-party tools, which most folks who work with Windows systems may not be familiar with. Therefore, it may be relatively simple to hide an errant process, such as a network backdoor, by renaming the file "svchost.exe" or something similarly innocuous.

Several years ago, I developed a hands-on course for teaching system administrators how to respond to security incidents on Windows 2000 systems. While teaching the course to system administrators at various organizations, I saw the same things that I saw on listservs and on forums on the Internet. During the first break on the first day of the course, I would go around the room and "infect" all of the systems with a "Trojan." This "Trojan" was netcat, renamed to "inetinfo.exe," listening on port 80. When the attendees returned to the room, I'd tell them that I "infected" their systems and challenged them to find it. The purpose of this exercise was not to find out who could find the "Trojan" first but to look at the steps that the attendees would go through in their incident response activities, to look at their "methodology." Invariably, every attendee would examine the contents of the Event Log, comb through the Task Manager, and maybe run netstat -an from a command prompt. All of the systems were connected to the Internet, and the only instructions I would give to the class were that they could not use any of the tools from the course CD that I'd put together. As the course progressed through the rest of the two days, the attendees became familiar with the tools and techniques they could use to retrieve valuable data about a system, as well as how to interpret that data.

I've assembled a good deal of unique content for this book, information that I've developed because I haven't been able to locate it any place else and therefore had to do my own research. For example, when I first began researching NTFS alternate data streams, there wasn't much information available. Over time, research has revealed additional information, which is included in this book. I've included tools that I've developed (written in Perl) and information, results, and insights from my own research. This book also includes information from a variety of sources put together in a single location so that it can be easily referenced.

Unlike other books about incident response, this book is specific to Windows systems. Other books on the subject will present a great deal of information regarding Linux and Unix systems, and in some cases, leave it up to the reader to extrapolate the information to Windows. All of the tools and techniques presented in this book are specific to Windows (NT, 2000, XP, and 2003) systems.

The book is organized so that the reader progresses through an understanding of incidents, what they are and how they can (and do) occur. From there, the reader is guided through developing an understanding of what is required to prevent incidents and how to prepare for them, and then where to look for data and how to analyze that data, should an incident occur. Data hiding and tools used in incident response and live forensic audits are covered at great length, and all of the information presented is specific to Windows operating systems, file systems (i.e., NTFS), and applications (i.e., MS Word, etc.). This information is presented in a progression, each chapter taking the content of the previous chapter further. However, each chapter can also stand on its own, as a reference that the reader can return to time and time again.

The main premise of this book is really very simple. When incidents occur, an entire spectrum of incident response activities can be performed. The lower end of the spectrum involves...well...nothing. No activity. Basically, the incident goes completely unrecognized or is simply ignored. The opposite end of the spectrum consists of those activities that purists think of when they hear the word "forensics": the system is shut down in a forensically sound manner and a bit-level image of the drive is made. All investigative activities are then conducted against that copy. This is usually accompanied by law enforcement involvement and may even lead to prosecution. However, many organizations do not wish to involve law enforcement when an incident occurs and generally conduct non-litigious investigations because they just want to get systems back online and in use. In other cases, potentially compromised systems may be part of an e-commerce infrastructure, in which downtime is measured in hundreds of dollars per minute. In such cases, an investigation will occur, but it will not involve law enforcement or legal prosecution, as the goal is determining what, if anything, happened. These steps may be required to gather information and facts in order to justify further action, such as taking the system down.

In addition, a great deal of extremely valuable information regarding the state of the system is lost when the system is shut down. This information is referred to as "volatile" information, and it includes such things as process information, network connections, clipboard contents, etc. This information can be retrieved, parsed, and analyzed in order to determine first whether an incident has even occurred, and then the extent of the incident. In some cases, enough information may have been collected to show that the incident is manageable, and the system does not have to be taken out of service to be "cleaned." More importantly, the investigator will want to understand how the system was infected or compromised so that shortfalls in security policies can be rectified and other systems protected.

The Perl programming language is used to programmatically demonstrate many of the concepts addressed throughout the book. The underlying premise of the book is to get the reader "under the hood" within the Windows system, that is, to show the reader how to move beyond the simple GUI tools provided with the operating system in order to collect information about the state of the system. Many third-party tools are discussed, and several Perl scripts are provided in order to support this premise. Perl scripts are also used in this book to provide for customization and automation. By customization, we mean that Perl is used to correlate and "massage" the output of various third-party tools in order to present a more complete picture of the data. By automation, we mean that Perl is used in this book to implement a methodology so that the investigator does not have to perform the steps by hand, thereby avoiding mistakes and making the overall process more efficient.

This book guides the reader through information, tools, and techniques that are required to conduct incident response and live forensic audit activities. By providing the necessary background for understanding how incidents occur and how data can be hidden on compromised systems, the reader will have a better understanding of the "why's" and "how's" of incident response and forensic audit activities.

Here (7.17 MB) pass: http://netz.ru
Mirror

okun

Security Warrior



Cyrus Peikari, Anton Chuvakin
Publisher : O'Reilly
Pub Date : January 2004
ISBN : 0-596-00545-8
Pages : 552
Format: chm

Overview
When it comes to network security, many users and administrators are running scared, and justifiably so. The sophistication of attacks against computer systems increases with each new Internet worm.

What's the worst an attacker can do to you? You'd better find out, right? That's what Security Warrior teaches you. Based on the principle that the only way to defend yourself is to understand your attacker in depth, Security Warrior reveals how your systems can be attacked. Covering everything from reverse engineering to SQL attacks, and including topics like social engineering, antiforensics, and common attacks against UNIX and Windows systems, this book teaches you to know your enemy and how to be prepared to do battle.

Security Warrior places particular emphasis on reverse engineering. RE is a fundamental skill for the administrator, who must be aware of all kinds of malware that can be installed on his machines -- trojaned binaries, "spyware" that looks innocuous but that sends private data back to its creator, and more. This is the only book to discuss reverse engineering for Linux or Windows CE. It's also the only book that shows you how SQL injection works, enabling you to inspect your database and web applications for vulnerability.

Security Warrior is the most comprehensive and up-to-date book covering the art of computer war: attacks against computer systems and their defenses. It's often scary, and never comforting. If you're on the front lines, defending your site against attackers, you need this book. On your shelf--and in your hands.

This book offers unique methods for honing your information security (infosec) technique.

Here (4.5 MB) pass: http://netz.ru
Mirror

okun

CISSP: Certified Information Systems Security Professional Study Guide, 3rd Edition



James Michael Stewart, Ed Tittel, Mike Chapple
Publisher: Sybex, 2005
ISBN: 0-7821-4443-8
Pages: 804
Format: pdf

Introduction
The CISSP: Certified Information Systems Security Professional Study Guide, 3rd Edition offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you've shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam. This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam. Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary 4 years of experience (or 3 years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)², then you are sufficiently prepared to use this book to study for the CISSP exam.

Here (5.7 MB) pass: http://netz.ru
Mirror

Psihiatru

Help me find a book

CISA Certified Information Systems Auditor Study Guide
Sybex, Paperback, Bk&CD edition, Published April 2006, 536 pages, ISBN 0782144381

Please do not confuse it with the 2005 and 2003 editions!!!!
Thanks

Просто прохожий
okun said:
Просто прохожий, it would be very interesting to see the list...

There are also these threads on the forum:

Books on security/networking in Russian

Books on hacking, security, networking and WAP in English
It's hard, but I'll try...

Title: Information security training courses
Author: Digital Security
Publisher: Digital Security
Year: 2003
Format: 7 CDs
Size: 15 MB + 13 MB bonus
Language: Russian

d1 Practical application of the international information systems security standard ISO 17799

d2 Guide to managing the information risks of corporate Internet/Intranet information systems

d3 Trade secrets and the economic security of a business

d4 Practical guide to the fundamentals of legal information protection.
Collection of legal and technical documents on information security.

d5 Network security administrator

d6 Template information security policy for a small or medium-sized company: a set of documents and instructions

d7 Secure web programming

http://rapidshare.de/files/21081635/DS.rar.html
http://rapidshare.de/files/21081739/Bonus.rar.html


Official course material for course M2810,
"Fundamentals of Network Security".

Language: English

Topics:
Preparing to secure resources
Establishing a security baseline
Using access control and authentication to secure information
Using cryptography to secure information
Using public key infrastructure (PKI) to secure information
Securing Internet applications and components
Securing e-mail and instant messaging systems
Managing directory service and DNS security
Securing data transmission
Securing and monitoring the network perimeter
Managing security
Ensuring business continuity
Responding to security incidents

More details on the course content can be found on the website of any authorized Microsoft training center.


http://rapidshare.de/files/16046771/2810A_-_Fundamentals_of_Network_Security.rar.html

On CISSP:
http://s13.turboupload.com/f/622908/1148398047/aeb07075d1a64f89cbfd7525b8e84417/official_cissp.rar

http://s13.turboupload.com/f/622923/1148399137/b984faa7aa1104e20e9d66ad0612be99/Ronald_Krutz.rar

Bersarea

Hardware Hacking

Describes in detail how, and to what extent, ordinary hardware can be improved. This encyclopedia will help you turn an ordinary household device into a unique work of art and, taking existing ideas as a starting point, create something better; it explains how to modify a whole range of devices, from a personal computer to a mobile phone, in the most unusual ways.

Cryptography Without Problems

Authors' comments:
In the past, cryptography was used only for military purposes. Now, however, with the emergence of the information society, it is becoming a central tool for ensuring confidentiality.

How to Become a System Administrator

Contents:
"Home" networks. Internetworks. TCP/IP. Addressing in IP networks. IP. UDP. TCP. ICMP. Evolution of the TCP/IP stack. Administering the Microsoft Windows 2000 operating system. Local networks: questions and answers. A little about Internet Show 2000 and a great deal more about home networks. A dish on the roof, or the rosy prospects for LANs in the provinces.

How to Become a Hacker

Contents:
Basics. Internet and Intranet. Hacking. A beginner's guide. The Unix system. Breaking into UNIX. Breaking into Microsoft Windows 2000. Back Orifice 2000. Hacker tricks. Frequently asked questions

The Beginning Hacker's Encyclopedia

Computer hacking: history, basic concepts, hacking methods, network hacking, breaking into a computer via the Internet, the basic principles of attacks on Windows NT/2000 network operating systems, UNIX hacking, ftpd and anonymous ftp, security issues, advice for the network administrator, lists of common commands, shells, protecting and cracking ICQ...
Phone hacking: the design of PBXs and peripheral devices, modems and phreaking, PBX hacking, Blue Box, Red Box, Black Box, wireless communications, cellular clone systems, cellular systems and eavesdropping, GSM security...
And also: lists of network "smileys", hacker dictionaries, passwords, frequencies, amateur radio bands, methods of locating subscribers, subscriber jargon and much more.

http://fdc-3.download.hemenpaylas.com/03BBAC6209/204547/XAK.rar

Pass: given on the download page
Просто прохожий
Cryptography Without Problems

Authors' comments:
Real cryptography (strong cryptography) must provide a level of secrecy that lets you reliably protect critical information from decryption by large organizations such as the mafia, transnational corporations and major states. In the past, real cryptography was used only for military purposes. Now, however, with the emergence of the information society, it is becoming a central tool for ensuring confidentiality.


Please remove THIS. Judging even by that sentence, you cannot learn cryptography from this material!!!
If you are interested in it, turn to Stallings (where, it seems to me, it is explained very clearly) or to Schneier. A link to Schneier was posted somewhere in this thread.

werwolf33

Просто прохожий said:
Title: Information security training courses
Author: Digital Security
Publisher: Digital Security
Year: 2003
Format: 7 CDs
Size: 15 MB + 13 MB bonus
Language: Russian

Would someone upload this to tempdir or some other more accessible host?

Vik_63

Просто прохожий said:
A link to Schneier was posted somewhere in this thread.
The link is in the first post. Although even Schneier has a few errors in his mathematical derivations (mainly in the first part, on the mathematical foundations).

victor_p

We are preparing a Regulation on Information Security in Automated Systems. Could someone share their own work on this? I would be very grateful. I have taken most of the info from this forum thread; I would like something more specific.

box_roller

victor_p said:
We are preparing a Regulation on Information Security in Automated Systems. Could someone share their own work on this? I would be very grateful. I have taken most of the info from this forum thread; I would like something more specific.


A couple of example infosec policies... get them here - http://rapidshare.de/files/24342300/politika_ib.zip.html

victor_p

For anyone interested, drafts of some decent documents are available at http://www.networkdoc.ru.
Maybe someone else will share documents, for example, guidance documents on the fund of algorithms and programs, or guidance documents on processing confidential information in automated systems.

okun

Syngress IT Security Project Management Handbook




Susan Snedaker, Russ Rogers
Paperback: 612 pages
Publisher: Syngress Publishing (June 1, 2006)
Language: English
ISBN: 1597490768
Format: pdf

Book Description

The First and Last Word on Managing IT Security Projects

As the late management guru Peter Drucker once said, "Plans are only good intentions unless they immediately degenerate into hard work." The intent of this book is not to lead you through long, arduous planning processes while hackers are stealing your network out from under you. The intent is to provide you with effective network security planning tools so that you can "degenerate into hard work" as quickly as possible to keep your network secure with the least amount of effort.

Rather than losing sleep at night wondering who's wandering around your network in the dark, you can create a comprehensive security solution for your company that will meet your security needs today and will allow you to address new security requirements in the future. This book is designed to help you do exactly that.

  • Analyze the Cost of Prevention Versus Remediation: How to determine if preventing a security breach is less costly than fixing it once it occurs.
  • Identify the Right Project Management Team: Determine who will be affected and make certain they are on board from the start.
  • Monitor IT Security Project Quality: Many companies must comply with specific monitoring requirements to meet industry or governmental regulations.
  • Create a Work Breakdown Structure (WBS): Be sure that your WBS tasks are at the same level by keeping the level of detail consistent.
  • Create Reliable Documentation: Your documentation should be well defined and completed in as near real time as possible.
  • Implement Individual Security Analysis Programs (ISAPs): Testing requires an active "push" against security areas to ensure they don't collapse.
  • Close the Issues Log, Change Requests, and Error Reports: Addressing known issues in a reasonable manner and documenting those resolutions are important elements of reducing risk.
  • Review Legal Standards Relevant to Your Project: Failure to understand the legal implications may leave your company at substantial legal risk.
  • Walk Through a Complete Plan: Includes a step-by-step security project plan for a security assessment and audit project.

(4.37 MB)