07 Security Testing Bodies and Frameworks


Security Testing Bodies, Frameworks and Concepts

General Concepts

  • Information Security Management (ISM) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. It also describes the controls that an organization needs to implement to ensure that it is sensibly managing these risks.

Australian Frameworks

  • PSPF (Protective Security Policy Framework) from the Australian Government provides the appropriate controls for the Australian Government to protect its people, information and assets, at home and overseas. Framework available for download.

American Frameworks

  • SANS is "the most trusted source for computer security training, certification and research". It is a private US company that specializes in internet security training. The name originally stood for SysAdmin, Audit, Networking, and Security, but its scope is now much broader. See the Wikipedia entry.

Underlying Computer and IT Frameworks

Taxonomies

Relevant Standards and Bodies

  • PCI - Payment Card Industry -
  • ISO 2700x -
  • WASP

PEN Testing Certifications

GIAC - GWAPT and GPEN