5 days to save $500 for SANS Rocky Mountain 2013

SANS InfoSec Reading Room - Standards

<<Reading Room Home
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Click Here

Featuring 19 papers as of May 25, 2013
PDF Systems Engineering: Required for Cost-Effective Development of Secure Products
By: Dan Lyon (posted on October 8, 2012)
Security of data and systems is critical to consider during development of a complex system, and by taking a systems approach, secure design can be achieved in a cost effective manner.
PDF Security for Critical Infrastructure SCADA Systems
By: Andrew Hildick-Smith (posted on August 24, 2005)
Supervisory Control and Data Acquisition (SCADA) systems and other similar control systems are widely used by utilities and industries that are considered critical to the functioning of countries around the world.
PDF Information Security Gets a Seat at the Table
By: Kent Nabors (posted on April 8, 2004)
A company is a statement of faith between suppliers, employees, investors and customers. If any one or more of those groups decides they don't want to play any more, then the game is over. If a bank loses critical customer information because of a security failure, a financial risk arbitrage maneuver won't help.
PDF An Introduction to Certification and Accreditation
By: Joseph Zadjura (posted on November 19, 2003)
This paper examines the C&A process, offers guidance to helps define the Security Requirements, identify responsible parties and their roles, providing a basic understanding of C&A.
PDF Organizational Information Security from Scratch - A Guarantee for Doing It Right
By: Patrick Jones (posted on October 31, 2003)
The purpose of this document is to provide an overview of an information security infrastructure and a strategy for implementing it.
PDF HIPAA Security Standards v1.2d
By: Daniel Fagin (posted on October 31, 2003)
The focus of this paper is the creation of certain baseline information security standards to protect electronic medical records.
PDF The OSI Model: An Overview
By: Rachelle L. Miller (posted on October 31, 2003)
This paper provides an overview of the Open Systems Interconnection (OSI) reference model which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.
PDF The NSA: A Brief Examination of the "No Such Agency"
By: Steven H. Bennett (posted on October 31, 2003)
This paper introduces the National Security Agency (NSA) to the reader and discusses some of the key technologies, methods, and issues that relate to its mission.
PDF The Common Criteria ISO/IEC 15408 - The Insight, Some Thoughts, Questions and Issues
By: Ariffuddin Aizuddin (posted on October 31, 2003)
This paper provides an overview of an international effort called Common Criteria (CC), an IT Security evaluation methodology, developed to define and facilitate consistent evaluations of security products and systems, fostering international recognition and trust in the quality of security products and systems throughout the global economy.
PDF Multilevel Security Networks: An Explanation of the Problem
By: LTGary McKerrow (posted on October 31, 2003)
This paper addresses the current efforts within the Department of Defense (DoD) to develop a Multi-Level Security (MLS) system, although, the same methodology and practice can be applied to other networks with similar requirements.
PDF Collaborative Security Strategies in an Outsourced, Cross-Agency Web System
By: Roopangi Kadakia (posted on October 31, 2003)
This analysis will look at the Certification and Accreditation models, Risk assessment frameworks, and risk management strategies, which can be used in combating new challenges in existing processes and standards.
PDF Internal SLA (Service Level Agreements) for Information Security
By: Eric Hansen (posted on October 31, 2003)
The purpose of this paper is to advocate for the establishment of internal SLAs between the Information Technology team and the Information Security team.
PDF Securing Sensitive Data: Understanding Federal Information Processing Standards (FIPS)
By: Thomas E. Kenworthy (posted on October 31, 2003)
This paper will define FIPS (Federal Information Processing Standards), identify FIPS approved encryption algorithms, and examine some different vendor solutions and their use of these approved algorithms.
PDF A Survey Of Trusted Computing Specifications And Related Technologies
By: Ricard Kelly (posted on October 31, 2003)
This paper seeks to survey the key points of these technologies and provide a framework for suggesting whether a TCPA/TCG or NGSCB architecture will improve security in an environment and where it may reduce security.
PDF TEACH, the DMCA and Distance Education
By: Katie E. Flowers (posted on October 31, 2003)
By reviewing the technological requirements of TEACH, the titles of the DMCA and the history of both acts this paper will show that while TEACH, to date, has not been publicly recognized as an amendment to the DMCA it can truly be viewed as such in the United States with regards to the issue of distance education.
PDF Common Criteria and Protection Profiles: How to Evaluate Information
By: Kathryn Wallace (posted on October 31, 2003)
The purpose of this paper is to discuss the standards of Common Criteria and the security framework provided by the Common Criteria.
PDF The Trusted PC: Current Status of Trusted Computing
By: Christopher Hageman (posted on October 31, 2003)
This paper, focusing on the Trusted Computing Group's standards, will provide an overview of trusted computing as it stands today: its methods, applications, possible pitfalls and current implementations.
PDF The HIPAA Final Security Standards and ISO/IEC 17799
By: Sheldon Borkin (posted on October 31, 2003)
This paper provides a detailed analysis comparing HIPAA Final Security Standards and ISO/IEC 17799, along with an approach to compliance with both standards.
PDF Protection Profile, A Key Concept in The Common Criteria
By: Nor Ramli (posted on October 31, 2003)
This paper will give a description of the roadmap to the Common Criteria (CC) that basically explains the distinct but related parts and how three key CC user groups namely the consumers, developers and evaluators use them.
SANS Reading Room

This track and the Hacker Refresher course by Skoudis really opened my eyes to the amount of vulnerabilities that we face today.
-Stephen De Jong, Equity Office Properties

SANSFIRE 2013 - Washington

Latest Whitepapers

Securing BYOD With Network Access Control, a Case Study
By Lawrence Orans

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Latest Tweets

SANS San Francisco 2013 offers 7 courses to boost your Cyber [...]
May 23, 2013 - 3:06 PM

Excellent blog post by @MarkBaggett on pen testing MS SQL vi [...]
May 22, 2013 - 7:39 PM

#appsec "WhatWorks in AppSec: Log Forging" http://t.co/Gsq91O7UAH
May 22, 2013 - 10:00 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"Because of the use of real-world examples it's easier to apply what you learn."
- Danny Hill, Friedkin Companies, Inc.

"The perfect balance of theory and hands-on experience."
- James D. Perry II, University of Tennessee

"SANS always provides you what you need to become a better security professional at the right price."
- Rasik Vekaria, BP