The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC Assessment. Providers who advertise an INFOSEC assessment capability and consumers seeking assistance in performing INFOSEC Assessments should use the IAM as the baseline for their discussions. Because the IAM is a baseline, providers can expand upon it to further meet the needs of the customers. However, any "expansion" must not reduce or interfere with the original intent of any IAM activity.
The IEM consists of a standard set of activities required to perform an INFOSEC evaluation. In other words, the methodology explains the depth and breadth of the evaluation activities that must be performed to be acceptable within the IATRP. The IEM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC Evaluation. Providers who advertise an INFOSEC evaluation capability and consumers seeking assistance in performing INFOSEC Evaluations should use the IEM as the baseline for their discussions. Because the IEM is a baseline, providers can expand upon it to further meet the needs of the customers. However, any "expansion" must not reduce or interfere with the original intent of any IEM activity.
Open Source Security Testing Methodology
The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.
Open Vulnerability and Assessment Language (OVAL)
Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.
Cert OCTAVE Testing Methodology
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) approach is a risk-based strategic assessment and planning technique for security. OCTAVE is self-directed—a small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization. The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy. In addition, OCTAVE is flexible—it can be tailored for most organizations.
OCTAVE is different from typical technology-focused assessments. It focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology. The OCTAVE approach (pdf) is driven by two of the aspects: operational risk and security practices. Technology is examined only in relation to security practices, enabling an organization to refine the view of its current security practices. By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets.
Information Systems Security Assessment Framework (ISSAF)
The Information Systems Security Assessment Framework (ISSAF) seeks to integrate the following management tools and internal control checklists:
· Evaluate the organizations information security policies & processes to report on their compliance with IT industry standards, and applicable laws and regulatory requirements
· Identify and assess the business dependencies on infrastructure services provided by IT
· Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities that could result in potential risks to information assets
· Specify evaluation models by security domains to :
- Find mis-configurations and rectify them
- Identifying risks related to technologies and addressing them
- Identifying risks within people or business processes and addressing them
- Strengthening existing processes and technologies
- Provide best practices and procedures to support business continuity initiatives
- NIST Special Publication 800-42 Guideline on Network Security Testing
Recommendations of the National Institute of Standards and Technology
The purpose of this document is to provide guidance on network security testing. This document identifies network testing requirements and how to prioritize testing activities with limited resources. It describes network security testing techniques and tools.1 This document provides guidance to assist organizations in avoiding duplication of effort by providing a consistent approach to network security testing throughout the organization's networks. Furthermore, this document provides a feasible approach for organizations by offering varying levels of network security testing as appropriate to the organization's mission and security objectives. The main focus of this document is the basic information about techniques and tools for individuals to begin a network security testing program. This document is by no means all-inclusive. Individuals and organizations should consult the references provided in this document as well as vendor product descriptions and other sources of information.
Government of Canada Publications
IT Security Guidance (ITSG)
This document entitled Threat and Risk Assessment Working Guide provides guidance to an individual (or a departmental team) carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system. This document will help determine which critical assets are most at risk within that system, and leads to recommendations for safeguards that will reduce any risks to acceptable levels.
By following the guidance given therein, a TRA can be carried out such that it results in a concise report that:
· defines the IT system under assessment;
· states the aim of the assessment, along with the desired security level to be attained;
· identifies potentially vulnerable parts of the system;
· states the potential impacts of successful threat events on: the IT system; the business functions that the IT system supports; and the applications used carry out the business functions, in terms of confidentiality, integrity and availability; and
· Provides recommendations that would lower the risks to acceptable levels.
The Open Computer Forensics Architecture (OCFA)
The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface. The architecture forms an environment where existing forensic tools and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and metadata from digital evidence.
The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.