Security
IT Risk Assessment Report and Template Toolkit
Download the free IT Risk Assessment Report and Template Toolkit.

The templates include a Risk Register and IT Controls for selected risk criteria, laid out in a Risk Assessment Matrix with the following columns:
- Vulnerability
- Threat
- Risk
- Risk Summary
- Risk Likelihood Rating
- Risk Impact Rating
- Overall Risk Rating
- Analysis of Relevant Controls and Other Factors
- Recommendations
Complete list of free Web Application Security Scanners
A complete list of free, open-source web application security scanner tools available for download:
1. Grabber by Romain Gaucher
http://rgaucher.info/beta/grabber/
Grabber is a web application scanner. Basically it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast, but portable and really adaptable. This software is designed to scan small websites such as personal sites, forums, etc., and absolutely not big applications: it would take too much time and flood your network. Grabber is a very small application (currently 2.5kLOC in Python) and the first reason for this scanner is to have a "minimum bar" scanner for the Samate Tool Evaluation Program at NIST. Grabber is also for me a nice way to do some automatic verification on websites/scripts I do. Users should know some things about web vulnerabilities before using this software because it only tells you what vulnerability it is... not how to solve it.
2. Grendel-Scan by David Byrne and Eric Duprey
http://grendel-scan.com/
Grendel-Scan is an open-source web application security testing tool. It has automated testing modules for detecting common web application vulnerabilities, and features geared toward aiding manual penetration tests. The only system requirement is Java 5; Windows, Linux and Macintosh builds are available.
3. Paros by Chinotec
http://parosproxy.org/
Paros is for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
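To make concrete what the form-driven scanners above actually do, here is an added example (not code from Grabber, Grendel-Scan or Paros): it parses the forms out of a page, submits a unique canary wrapped in HTML metacharacters through each field, and reports fields whose input comes back unescaped, which is the basic reflected-XSS check. The target page and the `fake_fetch` server are constructed for the demo so it runs offline; in real use the fetch callback would be backed by urllib or requests.

```python
"""Minimal reflected-XSS probe, in the spirit of a small form-driven scanner."""
import html
import secrets
from html.parser import HTMLParser
from typing import Callable, Dict, List


class FormParser(HTMLParser):
    """Collect each <form>'s action, method and named input fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_forms(page_html: str) -> List[Dict]:
    parser = FormParser()
    parser.feed(page_html)
    return parser.forms


# A fetch callback: (method, url, params) -> response body. Keeping the transport
# pluggable lets the probe run offline here and over HTTP in real use.
Fetch = Callable[[str, str, Dict[str, str]], str]


def probe_reflected_xss(page_html: str, fetch: Fetch, base_url: str = ""):
    """Submit a unique canary wrapped in HTML metacharacters through every form
    field and report (action, field) pairs whose value comes back unescaped."""
    findings = []
    for form in find_forms(page_html):
        for field in form["fields"]:
            canary = "zz" + secrets.token_hex(4)          # unique per probe, avoids false hits
            payload = f'"><{canary}>'
            params = {name: (payload if name == field else "x") for name in form["fields"]}
            body = fetch(form["method"], base_url + form["action"], params)
            if payload in body:                           # '"', '<' and '>' survived unencoded
                findings.append((form["action"], field))
    return findings


# Constructed target page and fake server for the demo (not a real site).
PAGE = """<html><body>
<form action="/search" method="get"><input name="q"><input type="submit" value="Go"></form>
<form action="/comment" method="post"><input name="author"><textarea name="text"></textarea></form>
</body></html>"""


def fake_fetch(method: str, url: str, params: Dict[str, str]) -> str:
    if url == "/search":                                   # echoes input raw: vulnerable
        return f"<p>Results for {params['q']}</p>"
    if url == "/comment":                                  # escapes output: safe
        return f"<p>{html.escape(params['text'])} by {html.escape(params['author'])}</p>"
    return "<p>not found</p>"


if __name__ == "__main__":
    for action, field in probe_reflected_xss(PAGE, fake_fetch):
        print(f"reflected XSS: form {action} field {field!r}")
```

The random canary matters: a fixed payload such as `<script>alert(1)</script>` can already be present on the page or cached from an earlier run, while a fresh token only appears in the response if this request put it there. Like Grabber, this tells you which field reflects unsafely, not how to fix it; that is still output encoding at the template.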
Download IT General Control (ITGC) Audit Program Template

So what is the simplest approach to ITGC? Should we check every change and modification to our applications and infrastructure, or focus only on the significant ones? The simplest approach is to use the minimum requirements set by the government or regulator. Here is some of the ITGC scope based on Sarbanes-Oxley Section 404, as control objective and control activity:
Program Development / Program Change
- Acquire or develop application software: The organization's system development life cycle (SDLC) includes the security, availability and processing integrity requirements of the organization.
- Acquire or develop application software: An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with business and end-user strategies and objectives.
Logical Access
- Ensure systems security: An information security policy exists and has been approved by an appropriate level of executive management.
Eleven golden rules for user registration controls
ISO27002 recommends that an organization’s user registration process should cover the following:
1. Unique user identifications (IDs) should be issued so that users can be linked to, and made responsible for, their actions.
2. The user’s access rights should be documented and describe what assets and systems the user is allowed to access.
3. System owners should authorize proposed users to use the system, and the access rights document should also be authorized by the individual’s line manager, to ensure that it is appropriate.
Download Network Security Service Level Agreement (SLA) Sample Templates

Below is a sample service level agreement (SLA) for supporting security event feeds from network devices. This sample SLA is arranged between the network support team (NetEng) and the team to whom security monitoring is assigned (InfoSec).
The purpose of this document is to clarify support responsibilities and expectations. Specifically, it outlines:
- Services provided by NetEng to support network security event recording for monitoring and incident response
- General levels of response, availability, and maintenance associated with these services
Three Security Approaches for SOA
Message-level security
SOA changes the requirements for data confidentiality and data integrity. When a message sent to party 1 (the brokerage) contains parts intended for party 2 (the bank), we need the ability to encrypt and/or sign the part intended only for party 2 differently from the rest. Traditional transport-layer security mechanisms such as SSL/TLS are clearly not enough here: they protect each hop, but the message is decrypted at party 1, so they cannot stop party 1 from reading and/or tampering with the part intended for party 2.
Message-level security (as opposed to transport-level security) is a newer approach that solves this problem. Different parts of a message are protected separately, so that each part is usable only by its intended party along the message path.
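The brokerage/bank scenario above, as an added example that is not part of the original post: one message carries a part for each party, and each part is sealed under the key shared with that party alone, so the first hop can open only its own part and any change it makes to the bank's part is detected. This is what WS-Security achieves for SOAP with XML Encryption and XML Signature; the example below uses Python's standard library instead, with HMAC-SHA256 in counter mode as a stand-in keystream (production code would use an AEAD such as AES-GCM). The keys, party names and message contents are constructed for the demo.

```python
"""Message-level protection: each part of one message is sealed for its own recipient."""
import hashlib
import hmac
import os
from typing import Dict


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the key shared with one party."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib-only stand-in
    # for a real AEAD such as AES-GCM, which is what production code should use.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_part(key: bytes, plaintext: bytes) -> Dict[str, str]:
    """Encrypt-then-MAC one message part under one recipient's key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_part(key: bytes, part: Dict[str, str]) -> bytes:
    """Verify the tag, then decrypt; raises ValueError for a wrong key or a modified part."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(part[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered part")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_message(parts: Dict[str, bytes], keys: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """One message, each named part protected under the key of its intended party."""
    return {party: protect_part(keys[party], data) for party, data in parts.items()}


def can_open(key: bytes, part: Dict[str, str]) -> bool:
    try:
        open_part(key, part)
        return True
    except ValueError:
        return False


# Constructed demo keys (assumption): in practice each pair (client/brokerage,
# client/bank) would hold its own provisioned or negotiated key.
KEYS = {"brokerage": hashlib.sha256(b"demo-key-brokerage").digest(),
        "bank": hashlib.sha256(b"demo-key-bank").digest()}


def demo() -> Dict[str, bool]:
    """Client sends one message; the brokerage is the first hop, the bank the second."""
    msg = build_message({"brokerage": b"buy 10 ACME at market",
                         "bank": b"debit account 42 by 1000 EUR"}, KEYS)
    tampered = dict(msg["bank"])                         # brokerage flips a bit in the bank's part
    ct = bytearray(bytes.fromhex(tampered["ct"]))
    ct[0] ^= 0x01
    tampered["ct"] = ct.hex()
    return {
        "brokerage_reads_own_part": open_part(KEYS["brokerage"], msg["brokerage"]) == b"buy 10 ACME at market",
        "brokerage_reads_bank_part": can_open(KEYS["brokerage"], msg["bank"]),
        "bank_reads_own_part": open_part(KEYS["bank"], msg["bank"]) == b"debit account 42 by 1000 EUR",
        "bank_accepts_tampered_part": can_open(KEYS["bank"], tampered),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Note what TLS alone would give here: the brokerage terminates the connection, holds every part in the clear, and could alter the bank's instruction before forwarding it; with per-part keys the bank's tag check fails the moment a single bit of its part is changed, and the brokerage never sees that part's plaintext at all.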
Download Free Folder Lock from Free Folder Hider 10.5
Almost every computer user keeps files that are personal, private or confidential, or that are important enough to be preserved from deletion. You may have files that are inappropriate for kids or other family members, or files with valuable information that could be stolen. Such files and folders need protection so that intruders or unauthorized users cannot access, read, view, copy, move or delete them. Folder Hider can hide and password-protect your files, folders, pictures and documents in seconds. With Folder Hider, you can keep all the data you want to secure in a Privacy Area.
OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security
These guidelines apply to all participants in the new information society and suggest the need for a greater awareness and understanding of security issues, including the need to develop a "culture of security" - that is, a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks. The guidelines constitute a foundation for work towards a culture of security throughout society.
Principles of Generally Accepted Information Security Principles (GAISP)
GAISP is based on a solid consensus-building process that is central to the success of this approach. Principles at all levels are developed by information security practitioners who fully understand the underlying issues of the documented practices and their application in the real world. These principles are then reviewed and vetted by skilled information security experts and authorities, who ensure that each principle is:
• Accurate, complete, and consistent
• Compliant with its stated objective
• Technically reasonable
• Well-presented, grammatically and editorially correct
• Conformant with applicable standards and guidelines
What is Generally Accepted System Security Principles (GASSP/GSSP)?
Generally Accepted System Security Principles incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.
GASSP relates to physical, technical, and administrative information security and encompasses pervasive, broad functional, and detailed security principles. GASSP nomenclature considers the terms policy, rules, procedures, and practices to relate to the organizational implementation of security. Information technology (IT) changes rapidly, and GASSP are expected to evolve accordingly. Consensus regarding accepted information security principles is achieved first within the GASSP Committee followed by international IT community review.
GAAP versus GASSP?