This 'Top Ten' list is intended to promote and publicize the existence of best practice standards, frameworks and guidelines for IT security. Most of the best practices are published by international organizations and governmental entities. Although there is some overlap, the perspectives on IT security, risk and controls vary considerably.
At Continental Audit Services (www.continentalaudit.com), our team of IT auditors is constantly assessing IT risks, reviewing controls and making recommendations. The selection of best practice standards and frameworks is integral to our audit process. We have seen how best practices are implemented in the real world, sometimes in contrast to the theory and concepts found in published documentation.
This 'Top Ten' list is intended to be used as a reference for IT auditors, security practitioners, risk managers, compliance professionals, IT administrators, software developers and the broad range of IT professionals. We hope to add value to the overall IT professional community.
1. Best practice source: Control Objectives for Information and related Technology (COBIT)
Description: Generally accepted best practices, processes, measures and indicators for IT governance and control.
2. Best practice source: ISO/IEC 27001 IT Security techniques -- Information security management systems
Description: Comprehensive management system for information security focused on IT risk and controls.
3. Best practice source: Center for Internet Security (CIS) Benchmarks
Description: Best practice standards and benchmarks to control IT risks. The focus is on technical security benchmarks, configurations and metrics.
4. Best practice source: Open Web Application Security Project (OWASP)
Description: Web and application security best practices and tools.
5. Best practice source: US Department of Defense, Security Technical Implementation Guides (STIGs)
Description: Technical configuration standards developed and used by the US Department of Defense. Covers a wide range of technologies.
6. Best practice source: US National Security Agency (NSA) Guides
Description: Technical security configuration guides developed and used by the US National Security Agency covering a wide range of technologies.
7. Best practice source: US Federal Financial Institutions Examination Council (FFIEC)
Description: Series of 'booklets' covering a wide range of technologies and designed for federal auditors to assess compliance with best practices.
8. Best practice source: US National Institute of Standards and Technology (NIST), Computer Security Division, Special Publications (SPs)
Description: Series of publications on security guidelines designed for a wide range of technologies.
9. Best practice source: Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework
Description: Internal control and risk management framework used for compliance with the Sarbanes-Oxley Act of 2002.
10. Best practice source: Information Technology Infrastructure Library (ITIL)
Description: Comprehensive set of best practices for IT service management (problem, change, configuration and incident management), development and operations. Published by the UK Office of Government Commerce.