Every year, the U.S. government spends billions of dollars on IT-security resources. Most of this money is funneled toward the DHS (Department of Homeland Security); the DoD (Department of Defense); and various other federal, state and local agencies in an effort to protect government computer systems and data from attackers. At the same time, many government security resources can also be readily used by businesses in almost any field to enhance their own security strategies and practices. Here is a quick guide to five of the best government IT-security resources available on the Web.
1. National Vulnerability Database: Maintained by the CSRC (Computer Security Resource Center) of the NIST (National Institute of Standards and Technology), the National Vulnerability Database lets users search U.S. government security resources for information about potential vulnerabilities in their own systems. The database provides information on critical security weaknesses in specific hardware and software products and also includes security checklists, data on security-related software flaws, misconfiguration information and impact metrics.
2. Build Security In: This knowledge base, sponsored by the DHS's NCSD (National Cyber Security Division), offers businesses a variety of best-practices insights, technical tools, guidelines, examples, principles and other resources that software developers, system architects and security professionals can use to incorporate security into software during every phase of its development. According to the NCSD, the project's resources are structured on the principle that software security is fundamentally an engineering problem that must be addressed in a systematic way throughout the development life cycle.
3. Stay Safe Online: Sponsored by the NCSA (National Cyber Security Alliance) — a collaborative effort among experts in government, security, nonprofit and academic organizations — Stay Safe Online provides nontechnical security advice to potential cybercrime victims. This online resource center has areas that are geared toward home computer users, small businesses and educators. Stay Safe Online is a useful and free resource that can be easily incorporated into an employee IT-security training program.
4. Public/Private Security Practices: The NIST has compiled this database to help businesses in a variety of fields learn about and adopt security strategies that have been successfully tested in the field. The database also provides access to documents that cover a variety of key security issues. This is a handy resource for businesses that are beginning to plan or update their security strategies.
5. ITL Security Bulletins: The NIST's ITL (Information Technology Laboratory) publishes online bulletins an average of six times per year. According to the ITL, each bulletin provides a deep examination of a single topic that is of significant interest to the information-systems community. This resource is a must-read for any business that wants to keep on top of its security game.
Bonus — OCTAVE: Although not strictly a government project, OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a resource that many government agencies use. Designed for use by enterprises with 300 or more employees, OCTAVE is a risk-based strategic-assessment and planning framework. Developed by CERT (Computer Emergency Response Team), the OCTAVE method is a three-phased approach for examining organizational and technology issues and assembling a comprehensive picture of an organization's security needs. OCTAVE is generally recognized as a very thorough method for getting all departments within an enterprise to create a uniform and sustainable security strategy.