Policy Standards and Frameworks
CIS
Center for Internet Security
The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors.
COBiT
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and practices for IT control throughout organizations.
GAGAS
Government Auditing Standards (the "Yellow Book") contains standards for audits of government organizations, programs, activities, and functions, and of government assistance received by contractors, nonprofit organizations, and other nongovernment organizations.
Guide to Assessment of IT General Controls Scope based on Risk (GAIT)
The IIA's GAIT, focused principally on Sarbanes-Oxley, provides guidance on identifying and linking the COSO constructs of internal control objectives with assertions, risks and controls, so that audit and IT practitioners can reach well-informed decisions on which controls to include and exclude.
Global Technology Audit Guide (GTAG)
Written for the chief audit executive, The IIA's GTAG publications provide guidance on information technology. Each guide addresses timely issues related to IT management, control or security.
ISO 17799
ISO is the developer of International Standards specifying requirements for state-of-the-art products, services, processes, materials and systems. ISO 17799 is focused on controls and practices for information security. Also visit the ISO 17799 Directory at http://www.27002.net/ (see ISO 27000).
ISO 27000 and ISO 27001
The ISO 27000 series of standards promises to cover a larger body of practice. These developments, still under way, can be followed at http://www.w3j.com/5/index.html. Information on ISO 27001 can be found at http://www.27001-online.com
ITIL
IT Service Management standards from the Office of Government Commerce are focused on the strategic business value delivered by IT through high quality service.
NIST
NIST resources: Computer Security Resource Center
NIST resources: Rainbow Series
NIST's Computer Security Division conducts research and studies, advises agencies on IT vulnerabilities, and devises techniques for the cost-effective security and privacy of sensitive Federal systems. NIST also develops standards, metrics, tests and validation programs and has long published guidance on secure IT development, usage, planning, implementation, management and operation.