While every network designer/architect with an emphasis on security has his or her favorite design templates, I'm wondering what public sources do people start with?
Cisco SAFE and other published designs
IBM Redbooks
DOD Security Technical Implementation Guides (STIGs)
NIST Special Publications
O'Reilly series (specific books?)
Of course, every designer customizes things based on the project and
preferences. So I'm not asking for what's best, or even what's wrong
with particular sources. Just where do you start?
While the DISA STIGs are probably the archetype, you have to start with
whatever the sponsoring or certifying authority uses, if you need to
pass some audit later.
While the DISA STIGs are probably the archetype, you have to start with
whatever the sponsoring or certifying authority uses, if you need to
pass some audit later.
True, but even sponsoring and certifying authorities need to get information from somewhere. So where should they get it from?
For example, amex/mastercard/visa/others created PCI security standards; and if all you want to do is achieve compliance with those security standards that's where you would stop. But where should the people creating the PCI security standards look beyond their own world to find
better ideas to improve the next version? Replace "PCI" with whatever your favorite group is... CAG, SOX, FDCC, etc.
NIST documents are updated on a regular basis. If part of your job was helping to update NIST documents, are there other resources to consider
when updating those documents?
Are there things in NIST documents you think could be improved?