Security Samizdat

These are several documents and frameworks that I find very useful in the area of Information Security management and consulting. The nice thing about these is their Open Source nature and their comprehensiveness.

Information Security Management Maturity Model v1.20 (PDF) by the ISM3 Consortium

ISM3 offers a practical approach to design, implement and evaluate process-oriented Information Security Management systems. It takes into account different levels of maturity and focuses on the level of security required to fulfill the organizational and business objectives.

Open Information Security Risk Management Handbook v1.0 (PDF) by SOMAP

It describes how to plan, implement and manage an Information Security Risk strategy, including Risk Assessment and Risk Management.

Open Information Security Risk Assessment Guide v1.0 (PDF) by SOMAP

As an extension to the “Open Information Security Risk Management Handbook”, it discusses the management process and the details of the Risk Assessment Workflow. There is even a (Java) tool to support this methodology, called SOBF (Security Officer’s Best Friend).

Open Source Security Testing Methodology Manual v2.2 (PDF) by ISECOM

Excellent resource for those conducting security tests of any kind (security audit, pentest, vulnerability scanning, etc). It describes the technical areas to be addressed in any test, grouped into different channels: “information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations“.