My friend and colleague Dan Swanson (CIA, CMA, CISA, CISSP, CAP) runs a Yahoo group relating to IT and information assurance (IA) audit that readers may find useful. One can receive his postings either by receiving individual e-mail messages, by choosing daily digests, or by logging on to the group Web site to see the messages online. He posts a wealth of material of interest to auditors and IA specialists - especially educators.
Recently he announced his assumption of the position of editor for the venerable and highly regarded EDPACS publication, the _EDP Audit, Control, and Security Newsletter_. This monthly publication has a long reputation for publishing practical and well-written contributions by industry experts and provides a stimulating dose of thoughtful and thought-provoking writing for a modest fee of about $20 a month.
The articles are about 10 to 12 pages long, attractively formatted and often have colorful diagrams suitable for use in teaching (remember that Fair Use and academic custom suggest that we ask for permission to include them permanently in our work if we use them in teaching more than once). In addition, the newsletter has short pointers to hot topics that include links for further reading.
Until the end of February, readers can enjoy a bonanza of free data mining on the EDPACS Web site: the publishers have opened up their archives back to 1998 and are allowing unlimited downloads of their article files in PDF. There are hundreds of useful articles there. In a few hours, I went through the archives for 2004 through 2006 and picked up 96 wonderful additions to my collection of teaching and reference materials - many, I am pleased to report, by friends and colleagues at Norwich University such as Tom Peltier and Rebecca Herold.
Here are just a few of the gems I collected from this treasure trove (these are my file names, not the exact titles):
* Auditing Wireless PDA Devices (2005-09)
* BCP DRP - Things Overlooked (2005-07)
* BCP DRP Testing (2005-11)
* Best Practices in Due Professional Care (2004-02)
* Building Effective Privacy Program (2005-09)
* CA ID-Theft Law & CFAA Implications (2003-12)
* Change Mgmt (2005-10)
* Chief Privacy Officers (2004-03)
* Corporate Liability Disposing Old Computers (2004-11)
* Corporate Liability for Illegal Downloading (2005-03)
* Cost of Poor Testing Part 1 (2003-07) & Part 2 (2003-08)
* Culture Change in Security & Privacy (2004-06)
* Data Destruction & Preservation Part 1 (2003-09) & Part 2 (2003-10)
* Developing Enterprisewide Policy Structure (2004-02)
* E-mail Archiving - Reasons Risks Rewards (2006-04)
* Effective Operational Security Metrics (2006-06)
* Implementing Security Metrics (2006-09)
* ISO-17799 for Security Mgmt & Audit (2004-05)
* Managing Risks Offshore IT Development (2004-10)
* Measuring Risk Using Existing Frameworks (2005-02)
* Measuring Security (2006-10)
* MetaFisher - Next-Generation Bots & Phishing (2006-10)
* Outsmarting New Malware (2006-03)
* Risk Analysis & Risk Management (2004-09)
* ROI for Controlling Risk Costs (2003-05)
* Securing Against Insider Attacks (2006-07)
* Seven Habits of Successful E-mail Managers (2006-08)
* Social Engineering Concepts Solutions
* SOX & IT Governance - IT Control & Compliance (2004-04)
* SOX Compliance - Practitioner's Guide (2005-10)
* Ten Steps for Effective Web-Based Security-Policy Devt (2004-04)
* Understanding IM Threat (2006-03)
* Windows 2003 & XP Auditing 101 (2003-10)
So hurry on over and start poring over the issues. Who knows - you may even want to subscribe. [Note for the record: I have received no reward for this nice article - not even a free subscription. I am paid by _Network World_ for writing these columns and do not accept anything (i.e., bribes) from others for doing this work.]