I'm leading the Information Security Group in a new organization structure with new responsibilities. One of my top priorities is to establish what we have called a "Security Baseline." This is intended to be a methodology that indicates what security elements must be considered in any application to be developed, any package to be implemented or even any server to be configured. Is there any standard framework available that I can use as a starting point?
There are many people who have many opinions on these sorts of things.
There's nothing that covers all aspects in one methodology. Engineering and operations are very different things, and you can't apply one methodology to both.
Donn Parker, one of the most respected names in computer security, has a new book out with his ideas about how we've been doing things wrong for the last three decades. I think it's a must-read. It is called "Fighting computer crime: A new framework for protecting information." You can find it at Amazon.
John Viega and Gary McGraw have an excellent new book on building secure software. You can also find it at Amazon.
Also, there's Ross Anderson's excellent book on security engineering. While we're at it, Schneier's Secrets and Lies is also a must-read.
All of these resources talk about the various methodologies that you might use. Unfortunately, there's no one size that fits all. Not only is development not the same as operations, but the way you operate a bank is not the way you operate a convenience store. Neither of these is the way you operate a military base. When you construct a methodology for yourself, you look at what your assets are, what your threats are, what things you can solve easily (like buying insurance) and so on.
This was first published in April 2002