The National Association of State Auditors, Comptrollers and Treasurers

Information Security Audit

Control Objectives for Information and related Technology (COBIT) (ISACA: 2000) - COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices. It provides a reference framework for management, users, and IS audit, control and security practitioners.

Critical Business Issues in the Transformation to Electronic Government (NECCC: December 2000) - This paper describes the critical business issues and best practices that decision-makers, managers, and auditors should be aware of as their governments transform themselves into e-governments.

Defense in Depth (NSA: Undated) - Defense in Depth is a practical strategy for achieving Information Assurance in today's highly networked environments. It is a "best practices" strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations. This paper provides an overview of the major elements of the strategy and provides links to resources that provide additional insight.

Federal Guidelines for the Security Certification and Accreditation of Information Technology Systems (NIST: October 2002) - This publication establishes a standard process, set of activities, general tasks, control objectives, implementation guidelines, and a management structure to certify and accredit systems supporting the executive branch of the federal government.

Federal Information System Controls Audit Manual (FISCAM) (GAO: January 1999) - This manual is intended to assist information system and financial auditors in reviewing controls over the integrity, confidentiality, and availability of data maintained in information systems. The manual covers audit planning and lists specific control techniques and related suggested audit procedures to use when evaluating general and application controls. The audit procedures are stated at a high level and assume that more detailed steps will be developed to fit the specific systems environment. Appendices 1-4 and 10 can be downloaded separately; they allow users to enter data to support the gathering and analysis of audit evidence.

High-Risk Series: An Update (GAO: January 2003) - This report discusses GAO's 2003 high-risk list. Information security has been a high-risk area since 1997 and was expanded this year to include the homeland security challenge of protecting information systems supporting the federal government as well as the nation's critical infrastructures.

Information Security in State Government Information Technology (NASIRE: Summer 1999) - This is a NASIRE report released in the summer of 1999. States were asked questions about the scope of their efforts, strategies, policies, and technologies related to information security. Thirty-six states responded.

Information Security: Progress Made, But Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures (GAO: April 2003) - Significant security weaknesses at 24 major agencies continue to place a broad array of federal operations and assets at risk of fraud, misuse and disruption. GAO identified several challenges that need to be addressed.

Information Security Vulnerability Assessment (North Carolina State Auditor: December 2002) - Contractors working for the Office of the State Auditor successfully penetrated 21 of 22 selected state computer networks as part of testing of computer security. The networks compromised included systems in the executive, legislative and judicial branches.

IS Audit Standards and Guidelines (ISACA) - Download a comprehensive document, in Microsoft Word format, containing all of ISACA's standards, guidelines and procedures.

Management Planning Guide for Information Systems Security Auditing (NSAA/GAO: December 2001) - This guide is intended to help audit organizations respond to governments' expanding use of IT and the concomitant risks that flow from such pervasive use. It applies to any evaluative government organization, regardless of size or current methodology. Directed primarily at executives and senior managers, the guide covers the steps involved in establishing or enhancing an information security auditing capability: planning, developing a strategy, implementing the capability, and assessing results.

Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures (GAO: January 2003) - This report discusses information security in the federal government and our nation's critical infrastructures such as power distribution, water supply, national defense, and emergency services.

Public-Sector Information Security: A Call to Action for Public-Sector CIOs (NASCIO: October 2002) - This report is intended to help chief information officers at all levels of government as they develop and implement security measures to protect the nation's critical infrastructure. Specifically, the report sets forth 10 recommendations that are critical components of a successful response to cyber-security threats and attacks. The report was built, in part, upon the results of the Forum on Security and Critical Infrastructure Protection, funded by a grant from the IBM Endowment for the Business of Government.

Risk Assessment Guidebook for e-Commerce/e-Government (NECCC: December 2000) - This guidebook has been created to assist auditors and others interested in evaluating the risk factors involved in providing services electronically. It will help auditors identify emerging e-government applications, identify the key risks associated with these applications, and assess the effect of that risk on their audit work.

The National Strategy to Secure Cyberspace (White House: February 2003) - The National Strategy to Secure Cyberspace is part of the overall effort to protect the United States. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society: the federal government, state and local governments, the private sector and the American people.

The 60 Minute Network Security Guide (NSA: July 2002) - This security guide was written for the less experienced system administrator and information systems manager to help them understand and deal with the risks they face. The reader will gain a wider perspective on security in general, including security "best practices," and a better understanding of how to reduce and manage network security risk. During the last four years the National Security Agency's Systems Network Attack Center (C4) has released security guides for operating systems, applications and systems that operate in the larger IT network. These security guides can be found at the NSA web site.

21 Steps to Improve Cyber Security of SCADA Networks (DOE: September 2002) - The President's Critical Infrastructure Protection Board and the Department of Energy have developed the steps outlined here to help any organization improve the security of the digital devices that control modern infrastructures across all industrial sectors. This is a supporting document to the President's National Strategy to Secure Cyberspace.

Your Privacy, Security and Assets Are Just a Few Double-Clicks Away (North Carolina State Auditor: November 2002) - This short paper discusses, among other things, the need for action to protect our information resources, a number of "best practices" for computer security, and eight "imperatives" for leaders in the information age.