This blog entry was originally written by Mark Chaplin (@markachaplin)
Note: This post is not complete yet; the actual resource list is too long to be posted in a single entry on this website.
I recently posted a list of IRM resources on the SIRA mailing list, and Bob Rudis asked me to add it as a blog. So here it is (with Anglo-spelling and a couple shameless plugs with collaboration in mind). The list is based on material I have come across over the last couple of years as part of my own personal research activities and my work at the Information Security Forum. I tend to share most resources and links on Twitter as @markachaplin when I come across them and then consolidate later. I am always on the lookout for useful material and contacts (hint).
The purpose of listing the resources, for me, is to act as a reference for helping in various aspects of information risk management and information security, including:
- setting up an information risk management framework to align with operational risk management (eg as part of ERM), focus at a business process / business environment level, establish supporting material to facilitate effective information risk analysis and shape the information risk analysis methodology (eg communication, decision making and reporting)
- establishing an information risk analysis methodology, following a complete end-to-end information risk analysis process (including preparation, business impact assessment, threat assessment, vulnerability assessment, risk evaluation, risk treatment) and considering the complete lifecycle of information that supports critical business processes
- treating information risks, particularly implementing security controls and arrangements for mitigating risks, such as those associated with policy, privacy, legal and regulatory compliance, application and infrastructure protection, business environments, mobile computing, supply chain, systems development, physical security, business continuity and security audit.
Those of you who are Members of the ISF will recognise a number of things above.
The resources listed below are structured around rudimentary categories because I haven’t had time to determine how best they should be grouped. I welcome any suggestions from SIRA members on extending and improving it (eg including more material for other disciplines and from geographical regions other than the usual culprits). Some resources are suited to more than one category and you may find duplicate entries.
Finally, there are three important points I need to make before you read the list:
- I do not endorse anything on the list - it is purely a collection of material I have come across
- I have not included anything from my employer, but if you are interested in what we do at the Information Security Forum you can get an idea (and some free sample material) at https://www.securityforum.org/downloadresearch
- I don’t just regurgitate other people’s work. I am also a research analyst and report author (amongst other things) so understand the pain involved in producing quality reports (or equivalent) to help organisations manage information risk effectively.
I hope you find it useful, and please share any other resources you are aware of. There’s plenty out there.
Current categories used for the list
- Business Focused Resources (that may influence information risk)
- Vulnerability / Exploit
- Incidents, Breaches, Compromises…
- Supply Chain Risk Management
- Systems / Software Development
- Surveys, studies and reports from Vendors
- Surveys, studies and reports from non-Vendors
- Legislation and regulation
- Fraud and Identity Theft
- Practices and controls
- CERTs, Bulletins and Mailing Lists