This page offers only a small glimpse at the vast array of resources and guidance available for reliability, security, efficiency, and the many other positive attributes associated with managing information and related technologies.

    Example works by Charles Le Grand and associates:

    • Information Technology Controls - Co-written with Alan S. Oliphant.  The guide resulted from an IIA project in partnership with the American Institute of Certified Public Accountants (AICPA), Center for Internet Security (CIS), Carnegie Mellon University Software Engineering Institute (CMU SEI), Financial Executives International (FEI), International Federation of Accountants (IFAC), Information Systems Security Association (ISSA), National Association of Corporate Directors (NACD), and the SANS Institute.  The project team included more than 120 participants representing 20 countries.  Initial publication of The IIA's Global Technology Audit Guide series, 2005.  Available free at www.theiia.org/technology.

    • Software Security Assurance - This guide explains the prevention, detection, and correction of security vulnerabilities in the source code of Internet-facing systems.  This refereed research work contains an executive summary and management checklist, an audit program and guide, and an extensive bibliography.  Published 2005.  Sponsored by Ounce Labs, it is available free at www.ouncelabs.com/audit.

    • Building a Culture of Compliance for a Culture of Confidence - This report is about understanding compliance and compliance management adequately to ensure YOUR organization gets it right and turns compliance from a burden into a benefit.  It: describes a Culture of Compliance as an integral part of the organization's ethics; describes the elements of compliance that are common to all of its instances throughout the organization; suggests a plan to manage and coordinate the common elements of compliance so they can produce efficiencies, consistency, improved reliability and assurance, and result in increased stakeholder confidence; identifies the key elements of a system to coordinate compliance management; and provides an Executive Checklist to assist you in assessing your organization's culture of compliance.  Sponsored by IBS America, it is available free on their web site with a companion piece, How to Build and Maintain a Culture of Compliance.  See www.ibs-us.com.  Contact us for the latest guidance on compliance management tailored to your unique business needs.

    • Information Security Governance and Assurance - Facilitating the implementation and maintenance of manageable, verifiable security and controls in organizations that depend on technology.  Originally written for a SANS Institute conference presentation, this work is available free at www.theiia.org/technology - click IT Security and scroll to Articles.

    • Information Security Management and Assurance: A Call to Action for Corporate Governance - Co-authored by Thomas R. Horton, Charles H. Le Grand, William H. Murray, Willis DJ. Ozier, and Donn B. Parker.  Part one of a three-volume set of reports resulting from a project by The IIA in partnership with the American Institute of Certified Public Accountants (AICPA) and the Information Systems Audit and Control Association (ISACA) for the U.S. Critical Infrastructure Assurance Office.  Part one was published in April 2000 and presented at the White House.  Parts two (Information Security Governance - What Directors Need to Know) and three (Building, Managing, and Auditing Information Security) were published in 2001.  Available free at www.theiia.org/technology - click IT Security and scroll to Books.

    • PC Management Best Practices: A Study of the Total Cost of Ownership, Risk, Security, and Audit - Co-authored with Mark Salamasick, CIA, CISA, CSP.  Sponsored by Intel.  Published 2003 by The IIA.  See www.theiia.org and search for PC Management, or click Publications and Bookstore.

    • Systems Auditability and Control (SAC) Reports - A series of publications by The IIA Research Foundation under the direction of Charles H. Le Grand.  The project included establishing the paradigm for contents (covering all areas of information and systems management, control, security, auditing, and assurance) and coordinating a project team with more than 2000 participants representing more than 400 organizations.  Published 1991 and 1994 by The IIA.  See www.theiia.org and search for Systems Auditability and Control.

    References:

    1. Basel II: Revised international capital framework, Basel Committee on Banking Supervision, Bank for International Settlements, http://www.bis.org/publ/bcbsca.htm

    2. BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships, Financial Services Roundtable (FSR), http://www.bitsinfo.org

    3. BS 7799, Parts 1 & 2, Code of Practice for Information Security Management (British Standards Institute), http://www.bsi.org.uk

    4. CA SB 1386 (the "You've Been Hacked" Act), http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

    5. Change and Patch Management Controls: Critical for Organizational Success, Global Technology Audit Guide, The Institute of Internal Auditors, Inc., http://www.theiia.org/index.cfm?doc_id=4706

    6. CISSP and SSCP Open Study Guides web site, http://www.cccure.org

    7. CobiT - Control Objectives for Information and Related Technologies (ISACA), http://www.isaca.org

    8. Common Criteria, http://www.commoncriteriaportal.org

    9. Consensus Benchmark Scoring Tools, http://www.cisecurity.org

    10. The Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002, Public Law 107-204, 107th Congress, the "Sarbanes-Oxley Act of 2002", http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=bf:publ204.107.pdf

    11. Corporate Information Security Working Group, Best Practices and Metrics Team, report to the U.S. House of Representatives, Technology Subcommittee, November 17, 2004, www.CISecurity.org

    12. The Dirty Dozen: The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source, Ounce Labs, Inc., http://www.ouncelabs.com

    13. EU Data Protection Directive - Part 1 & Part 2 available in separate PDFs, http://aspe.os.dhhs.gov/datacncl/eudirect.htm, http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf

    14. Federal Financial Institutions Examination Council (FFIEC) - FFIEC "Audit IT Examination Handbook," and "FFIEC Audit Examination Procedures", http://www.ffiec.gov

    15. Federal Information Security Management Act of 2002 (FISMA) U.S. Congress, 2002, http://www.fedcirc.gov/library/legislation/FISMA.html

    16. Federal Sentencing Guidelines (US), http://www.ussc.gov/GUIDELIN.HTM

    17. GAISP Generally Accepted Information Security Principles.  Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles (PP) and Broad Functional Principles (BFP), June 1999, http://www.issa.org/gaisp.html

    18. GAPP "Generally Accepted Principles and Practices" NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems" December 1998 (Marianne Swanson & Barbara Guttman), http://csrc.nist.gov/publications/nistpubs/index.html

    19. A Guide to Building Secure Web Applications, The Open Web Application Security Project (OWASP) http://www.owasp.org

    20. Gramm-Leach-Bliley Act (GLBA), The Financial Modernization Act of 1999, http://www.ftc.gov/privacy/glbact/

    21. Health Information Portability and Accountability Act – HIPAA, http://www.hhs.gov/ocr/hipaa

    22. ICAT Metabase of Common Vulnerabilities and Exposures – National Institute of Standards and Technology (NIST) http://icat.nist.gov/icat_documentation.htm

    23. Improving Security Across the Software Development Lifecycle, National Cyber Security Partnership, http://www.cyberpartnership.org/SDLCFULL.pdf

    24. Information Assurance Technical Framework, Information Assurance Task Force (IATF) National Security Agency Outreach, http://www.iatf.net/framework_docs/version-3_1/index.cfm

    25. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2001, IT Governance Institute, http://www.itgi.org

    26. Information Security Management and Assurance: A Call to Action for Corporate Governance, The Institute of Internal Auditors, Inc., April 2000.  Part 1 of a three-volume set of board- and executive-level guidance on information security and what the leaders are doing about it.  Appendix A of this guide is a board-level description of effective risk management practices featuring quantitative analysis.  http://www.theiia.org/index.cfm?doc_id=3061

    27. Information Security Oversight: Essential Board Practices, National Association of Corporate Directors, (NACD), http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

    28. Information Security Program Elements and Supporting Metrics (sections V-VIII of the Corporate Information Security Working Group, Best Practices and Metrics Team, report to the U.S. House of Representatives, Technology Subcommittee, November 17, 2004) http://www.educause.edu/content.asp?page_id=666&ID=CSD3661&bhcp=1

    29. The Information Technology Baseline Protection Manual, Federal Office for Information Security (BSI) Germany, http://www.bsi.bund.de/english/publications/index.htm

    30. Information Technology Controls, Global Technology Audit Guide, The Institute of Internal Auditors, Inc. http://www.theiia.org/index.cfm?doc_id=4706

    31. Information Technology Security Evaluation Criteria (ITSEC), Harmonised Criteria of France, Germany, the Netherlands, and the United Kingdom, printed and published by the Department of Trade and Industry, London, http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1

    32. IFAC International Guidelines on Information Technology Management—Managing Information Technology Planning for Business Impact: International Federation of Accountants, New York, 1999, http://www.ifac.org

    33. International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Inc., http://www.theiia.org/index.cfm?doc_id=124

    34. ISO 17799 – IT – Code of Practice for Information Security Management, http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

    35. NIST 800-14 Generally Accepted Principles and Practices for Securing IT Systems, 1996, http://csrc.nist.gov/publications/nistpubs/index.html

    36. NIST 800-27 Engineering Principles for IT Security, http://csrc.nist.gov/publications/nistpubs/index.html

    37. NIST 800-53 - Recommended Security Controls for Federal Info Systems, http://csrc.nist.gov/publications/nistpubs/index.html

    38. NoticeBored - Information security awareness content service, http://www.noticebored.com

    39. Open Compliance and Ethics Group (OCEG) http://www.oceg.org

    40. OpenSourceTesting.org, "Open source tools for software testing professionals," http://opensourcetesting.org

    41. Open Web Application Security Project (OWASP), OWASP Guide to Building Secure Web Applications, http://www.owasp.org/documentation/guide/guide_about.html

    42. The Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks (9 pervasive principles for information security upon which several other guides are based.) http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

    43. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp

    44. Policy Statement Regarding Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Release No. 2005-009, May 16, 2005, http://www.pcaob.com/Standards/Standards_and_Related_Rules/PCAOB%20Release%20No.%202005-009%20-%20AS2%20Policy%20Statement%20-%20May%2016,%202005.pdf

    45. Processes to Produce Secure Software, National Cyber Security Partnership, http://www.cyberpartnership.org/Software%20Pro.pdf

    46. Remediation Fiction and Facts: A Business Based Guide to Remediation Risk Modeling in the Global Marketplace, Internet Security Systems, http://www.iss.net/support/documentation/whitepapers/index.php

    47. Risk Management & Productivity: Addressing the Business Value of Security, Internet Security Systems, http://www.iss.net/support/documentation/whitepapers/index.php

    48. Security at the Next Level – Are your web applications vulnerable, by Caleb Sima, SPI Dynamics, Inc. http://www.spidynamics.com

    49. Seven Steps to Security Awareness, Gary Hinson, http://www.noticebored.com

    50. Staff Statement on Management’s Report on Internal Control Over Financial Reporting, U.S. Securities and Exchange Commission, May 16, 2005, http://sec.gov/info/accountants/stafficreporting.pdf

    51. Standard of Good Practice for Information Security (Information Security Forum), http://www.isfsecuritystandard.com/index_ie.htm

    52. The Ten Most Critical Web Application Security Vulnerabilities, 2004 Update, The Open Web Application Security Project (OWASP) http://www.owasp.org

    53. Tescom, "The Global Software Assurance Company," http://www.tescom.co.il

    54. Trusted Computer System Evaluation Criteria (TCSEC), U.S. Department of Defense, http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

    55. Trust Services Criteria; including SysTrust/WebTrust (AICPA), http://www.aicpa.org/trustservices

    56. The Visible Ops Handbook, Information Technology Process Institute, http://www.itpi.org

    Organizations:

    AICPA The American Institute of Certified Public Accountants, www.aicpa.org

    ANSI American National Standards Institute, www.ansi.org

    ASBDC-US The Association of Small Business Development Centers, www.asbdc-us.org

    BITS - The Technology Group for The Financial Services Roundtable, www.bitsinfo.org

    BR Business Roundtable, www.businessroundtable.org

    BSA Business Software Alliance, www.bsa.org/usa

    BSI British Standards Institute, www.bsi.org.uk

    BSI - Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security (BSI) Germany, www.bsi.bund.de

    CERT Computer Emergency Response Team, www.cert.org

    CIAO Critical Infrastructure Assurance Office (formerly U.S. Dept. of Commerce, now Information Analysis and Infrastructure Protection of the Department of Homeland Security)

    CICA Canadian Institute of Chartered Accountants, www.cica.ca

    CIS The Center for Internet Security, www.cisecurity.org

    CMU SEI Carnegie Mellon University, Software Engineering Institute, www.sei.cmu.edu

    COSO Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (Treadway Commission), www.coso.org

    DHS Department of Homeland Security, www.dhs.gov

    DISA - Defense Information Systems Agency, www.disa.mil

    FFIEC Federal Financial Institutions Examination Council (USA), www.ffiec.gov

    FSR Financial Services Roundtable, www.fsround.org

    FTC - Federal Trade Commission (USA), www.ftc.gov

    GAISPC Generally Accepted Information Security Principles Committee, www.issa.org/gaisp.html

    IAIP Information Assurance and Infrastructure Protection Directorate of the U.S. Department of Homeland Security (DHS), www.dhs.gov

    IATF Information Assurance Task Force, National Security Agency Outreach, www.iatf.net

    ICAEW Institute of Chartered Accountants in England & Wales, www.icaew.co.uk

    ICC International Chamber of Commerce, www.iccwbo.org

    IFAC International Federation of Accountants, www.ifac.org

    IIA The Institute of Internal Auditors, Inc. (and IIA Research Foundation), www.TheIIA.org

    ISECOM The Institute for Security and Open Methodologies, http://www.isecom.org

    ISA Internet Security Alliance, www.isalliance.org

    ISACA The Information Systems Audit and Control Association, www.isaca.org

    ISF Information Security Forum, www.securityforum.org

    ISO International Organization for Standardization, www.iso.org

    ISSA Information Systems Security Association, www.issa.org

    NACD National Association of Corporate Directors, www.nacdonline.org

    NCSA National Cyber Security Alliance, www.staysafeonline.info

    NCSP National Cyber Security Partnership, www.cyberpartnership.org

    NERC North American Electric Reliability Council, www.nerc.com

    NIST National Institute for Standards and Technology, www.nist.gov

    NSA National Security Agency, www.nsa.gov

    NVD National Vulnerability Database, NIST (replaced ICAT) http://nvd.nist.gov

    OCEG Open Compliance and Ethics Group, http://www.oceg.org

    OWASP Open Web Application Security Project, http://www.owasp.org

    OECD Organization for Economic Cooperation and Development, www.oecd.org

    PCAOB Public Company Accounting Oversight Board, www.pcaobus.org

    SANS Systems Administration, Audit, and Network Security Institute, www.sans.org

    SEC Securities & Exchange Commission, www.sec.gov

    SEI Carnegie Mellon University Software Engineering Institute, www.sei.cmu.edu

    SNAC Systems and Network Attack Center (NSA), www.nsa.gov/snac

    US-CERT U.S. Computer Emergency Readiness Team, www.us-cert.gov

    WB World Bank, www.worldbank.org

    Secure and Reliable Information Management
    Copyright © 2005-2006 CHL Global Associates, LLC.  All Rights Reserved.