SANS InfoSec Reading Room - Auditing & Assessment
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 57 papers as of Sep 8, 2008
- Achieving PCI Compliance with Log Management (SenSage, July 2008)
- Closing Internal User Visibility and Data Governance Gaps with PacketMotion (PacketMotion, April 2008)
- Auditing Nokia Firewall (Richard Sokal, June 18, 2008)
- Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard (Tim Proffitt, March 31, 2008)
- Auditing a Corporate Log Server (Roger Meyer, February 1, 2008)
- WiFi with BackTrack (Antonio Merola, December 24, 2007)
- NSS Vs NDS (Robert Edwards, November 5, 2007)
- Certification and Accreditation: A madman's dilemma - Costs (Robert Edwards, November 5, 2007)
- Certification and Accreditation: A madman's dilemma - Controls (Robert Edwards, November 5, 2007)
- Certification and Accreditation for Dummies (Robert Edwards, November 5, 2007)
- Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC) (Robert Edwards, November 5, 2007)
- A Taxonomy of Information Systems Audits, Assessments and Reviews (Craig Wright, June 20, 2007)
- VPNScan: Extending the Audit and Compliance Perimeter (Rob VandenBrink, February 12, 2007)
- A Guide to Security Metrics (Shirley C. Payne, January 18, 2007)
- An Introduction to Information System Risk Management (Steve Elky, January 18, 2007)
- Aligning an information risk management approach to BS 7799-3:2005 (Ken Biery, November 13, 2006)
- A Practical Guide to Auditing an ASP (Johanna Ollinger, May 17, 2005)
- Sarbanes-Oxley Information Technology Compliance Audit (Dan Seider, May 17, 2005)
- B.A.S.E – A Security Assessment Methodology (Gregory Braunton, May 5, 2005)
- Information Systems Security Architecture: A Novel Approach to Layered Protection (George Farah, January 22, 2005)
- The Application Audit Process - A Guide for Information Security Professionals (Robert Hein, January 22, 2005)
- Information Systems Security Architecture: A Novel Approach to Layered Protection (George Farah, January 19, 2005)
- Using Vulnerability Assessment Tools To Develop an OCTAVE Risk Profile (Andrew Storms, March 25, 2004)
- Red Teaming: The Art of Ethical Hacking (Christopher Peake, December 13, 2003)
- Application Security, Information Assurance's Neglected Stepchild - A Blueprint for Risk Assessment (Ted Mina, October 31, 2003)
- Information System Security Evaluation Team: Security Insurance? (Bruce Swartz, October 31, 2003)
- The Art of Reconnaissance - Simple Techniques (Sai Bhamidipati, October 31, 2003)
- Footprint Your Intranet (Bob Brown, October 31, 2003)
- Footprinting: What Is It, Who Should Do It, and Why? (James P. McGreevy, October 31, 2003)
- A Perspective on Threats in the Risk Analysis Process (Arthur Nichols, October 31, 2003)
- System Identification for Vulnerability Assessment (Michael C. Harris, October 31, 2003)
- Conducting a Penetration Test on an Organization (ChanTuck Wai, October 31, 2003)
- Port Scanning Techniques and the Defense Against Them (Roger Christopher, October 31, 2003)
- Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment (Alexander Lopyrev, October 31, 2003)
- Auditing Inside the Enterprise via Port Scanning & Related Tools (Bob Konigsberg, October 31, 2003)
- An Overview of Threat and Risk Assessment (James Bayne, October 31, 2003)
- Seeking Security: The New Paradigm for Government Agencies (Stephan H. Chapman, October 31, 2003)
- Proactive Vulnerability Assessments with Nessus (Jason Mitchell, October 31, 2003)
- Evaluating Untrusted Software In a Controlled Environment (Jeff Reava, October 31, 2003)
- How-To Make Linux System Auditing a Little Easier (Paul J. Santos, October 31, 2003)
- A Qualitative Risk Analysis and Management Tool - CRAMM (Zeki Yazar, October 31, 2003)
- Case Study - TruSecure Security Certification (David Vos, October 31, 2003)
- Information Classification - Who, Why and How (Sue Fowler, October 31, 2003)
- Quantitative Risk Analysis Step-By-Step (Ding Tan, October 31, 2003)
- Security Assessment Guidelines for Financial Institutions (Karen Nelson, October 31, 2003)
- Application Of The NSA Infosec Assessment Methodology (Kathryn Cross, October 31, 2003)
- Conducting an electronic information risk assessment for Gramm-Leach-Bliley Act compliance (Kevin Bong, October 31, 2003)
- Security Program Management and Risk (Archie Andrews, October 31, 2003)
- Strategies for Improving Vulnerability Assessment Effectiveness in Large Organizations (Robert Huber, October 31, 2003)
- The Institutional Need for Comprehensive Auditing Strategies (Steward Milus, October 31, 2003)
- Security Auditing: A Continuous Process (Pam Page, October 31, 2003)
- Network- and Host-Based Vulnerability Assessments: An Introduction to a Cost Effective and Easy to Use Strategy (Ragi Guirguis, October 31, 2003)
- Data-Centric Quantitative Computer Security Risk Assessment (Brett Berger, October 31, 2003)
- Wireless Network Audits using Open Source tools (Edouard Lafargue, October 31, 2003)
- Auditing-In-Depth For Solaris (Jeff Pike, October 31, 2003)
- Conducting a Security Audit of an Oracle Database (Egil Andresen, March 8, 2002)
- Defining a Risk Assessment Process for Federal Security Personnel (Kathleen Federico, January 26, 2002)
