Mar 9, 2010

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST has recently released the final publication of the "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach".

This NIST special publication (NIST Special Publication 800-37, Revision 1) can be downloaded from the csrc.nist.gov website.

According to this guide, the Certification and Accreditation process for federal government information systems has been transformed into a Risk Management Framework that stresses security from an information system's initial design phase through implementation and daily operations.

It places equal emphasis on both defining the correct set of security controls and implementing them within a robust continuous monitoring process.

This is similar to the various secure software development processes such as MS SDL and OWASP CLASP.

The guide can be downloaded from here

Guide to ISO 31000

Three risk associations, Airmic, Alarm, and the IRM, have collaborated to publish a free guide to ISO 31000 titled "A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000".

The guide is organized in two parts, each containing four chapters, with two appendices. The document is neatly organized and is useful for organizations implementing or following ISO 31000.

The full guide is available here

Top Cloud Security Threats Report

The Cloud Security Alliance (CSA) and HP have published new research findings that detail the potential threats surrounding the use of cloud services.

This seems to be a serious effort to bring up the security concerns related to the cloud. This 14-page report identifies seven threats, namely:

  1. Abuse and Nefarious Use of Cloud Computing
  2. Insecure Interfaces and APIs
  3. Malicious Insiders
  4. Shared Technology Issues
  5. Data Loss or Leakage
  6. Account or Service Hijacking
  7. Unknown Risk Profile

The full report is available here