Resources likely to be of interest or use to IT auditors 

Updated: Tuesday, 05 June 2007

Publications: Non-public Organisations




An international management consulting and technology services company. Research & Insights page contains links to interesting articles on business and technology. The Case Studies page provides some illustrations of government sector developments.

Apache Software Foundation

Provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Information about products, bug workarounds, and release information.


Jim Kaplan's information site. Offers links, tools, audit programmes, security resources, etc. developed for the benefit of the auditing profession.

Business Software Alliance

A trade organisation representing software developers worldwide, set up to fight software copyright infringement (or "help businesses avoid software licensing problems"). BSA offers guidance and audit tools for controlling software licensing and detecting unlicensed products - for example, see their Guide to Software Management (.pdf, 920KB) and software audit tool, GASP.


The Co-operative Association for Internet Data Analysis, provides tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure.


The CERT Coordination Center is a centre of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development centre operated by Carnegie Mellon University. Our information ranges from protecting your system against potential problems to reacting to current problems to predicting future problems. Our work involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help you improve security at your site. See Security Improvement Modules.


A free on-line learning resource covering such subjects as programming with C, C++, and Java.

Common Criteria for IT Security Evaluation

The Common Criteria (v2.1) represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community. The Common Criteria provides a basis for evaluating the security properties of IT products and systems. By establishing such a common criteria base, the results of an IT security evaluation will be meaningful to a wider audience.

CISCO Systems

Pretty much all you need to know about data communications. The Internetworking Technology Handbook and Glossary (Internetworking Terms and Acronyms) are worth taking a look at.

Consumer Sentinel

An international law enforcement fraud-fighting program, Consumer Sentinel members include more than 475 law enforcement agencies in Australia, Canada and the United States.  It helps them build cases and detect trends in consumer fraud and identity theft. Consumer Sentinel gives law enforcers access to over 700,000 complaints including consumer complaints from numerous Better Business Bureaus, the National Fraud Information Center, and Canada's PhoneBusters.

Electronic Frontier Foundation

Among various activities, EFF aims to oppose misguided legislation, initiate and defend court cases preserving individuals' rights, launch global public campaigns, introduce leading edge proposals and papers, host frequent educational events, regularly engage the press and publish a comprehensive archive of digital civil liberties information. Among other publications the site hosts material on recent legal cases.


A standards organisation involved in the development of industry-driven standards for the Electronic Product Code (EPC) Network to support the use of radio frequency identification (RFID). The site offers information and research papers about RFID technology and its uses.


FraudNet is the area of AuditNet devoted to sharing fraud policies, procedures, code of ethics, and resources.

Free Software Foundation

FSF is the principal organisational sponsor of the GNU Project. The GNU Project was launched in 1984 to develop a complete Unix-like operating system which is free software: the GNU system. Variants of the GNU operating system, which use the Linux kernel, are now widely used; though these systems are often referred to as "Linux", they are more accurately called GNU/Linux systems.


Legal white papers on such subjects as computer crime, e-mail policy and privacy.

GNU Project

See Free Software Foundation.

Grid Computing

The ability to perform billions and billions of calculations using the power of many processors acting in concert. See:

-   IBM's grid computing web site explains "multiple heterogeneous systems, seamlessly integrated as a powerful single system". See also the University of Berkeley's SETI at home and the University of Pennsylvania's breast cancer research projects.

-   Sun's grid computing page - includes case studies.

-   Oracle's grid computing page.

How Stuff Works

Of course you know. But just in case you have a presentation to prepare and something's slipped your memory, then the 'computers' or 'electronics' pages might provide that vital prompt. If this doesn't help, try Webopedia, or TechWeb.


Many reports (.pdf format) are available to download from IBM's Redbooks page.


Claims to be "the most comprehensive computer and network security resource on the Internet for Information System Security Professionals". The site certainly hosts a bucketful of information and security-related links.


The AEB Web Security Guidelines - "In order to survive and grow in today's world, most organisations need a web presence, whether it is solely to inform, to communicate with partners or, as is increasingly the case, to trade on a global basis. All too often though, in their haste to build a web site get online, many companies overlook or fail to understand the need to protect their most vital asset - information."

Intellectual Property

UK Government-backed site providing answers to questions on the jungle of Copyright, Designs, Patents and Trade Marks.

Internet Architecture Board

The Internet Architecture Board is a committee of the Internet Engineering Task Force (IETF). Its responsibilities include architectural oversight of IETF activities, Internet Standards Process oversight and appeal, management of publication of the RFC Series, and management of the IETF protocol parameter registry, operated by the Internet Assigned Numbers Authority (IANA).

Internet Engineering Task Force

The Internet Engineering Task Force is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.

Internet-Drafts are the working documents of the Internet Engineering Task Force.

Internet Crime Complaint Center

IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IC3 publishes some interesting Internet fraud statistics.

Internet Storm Center

The Internet Storm Center gathers more than 3,000,000 intrusion detection log entries every day. Its quest is to find new storms faster, isolate the sites that are used for attacks, and provide authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. This work is supported by the SANS Institute from tuition paid by students attending SANS security education programs.

IT Governance Institute

The IT Governance Institute strives to assist enterprise leadership in ensuring long-term, sustainable enterprise success and increased stakeholder value by expanding awareness of the need for and benefits of effective IT governance. The Institute develops and advances awareness of the vital link between IT and enterprise governance, and offers best practice guidance on the management of IT-related risks.


KPMG is a global network of professional service firms providing financial advisory, assurance, tax and legal services. KPMG was formed in 1987 with the merger of Peat Marwick International (PMI) and Klynveld Main Goerdeler (KMG) and their individual member firms. "Hot Downloads" (.pdf) include:


FAQs on telecomms fraud protection

Microsoft TechNet

Best Practices For Enterprise Security is a collection of white papers focusing on the different aspects of security in enterprise networks. The white papers are grouped into three general categories that reflect the different levels of knowledge needed to create and implement a successful security concept. The structure also allows readers to approach the subject of security based on their individual areas of expertise and interest. Library & Web Workshops also worth visiting.


mi2g focuses on Digital Risk Management. The site hosts some interesting reports and intelligence briefings on information security and risk management issues.

OASIS PKI Member Section

Established as a PKI Forum in 1999 to foster support for standards-based, interoperable public-key infrastructure (PKI) as a foundation for secure transactions in e-business applications. The white papers page contains much useful information on PKI, smart cards and trust.

Open Archives Initiative

OAI develops and promotes interoperability standards that aim to facilitate the efficient dissemination of content. Essential documents, tutorials and primers.

Open Web Application Security Project

OWASP - an Open Source community project staffed by volunteers from across the world. The project is developing software tools and knowledge-based documentation that help secure web applications and services. Much of the work is driven by discussions on the Web Application Security list. All software and documentation is released under the GNU public licenses.

Organization for the Advancement of Structured Information Standards

OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces.

Good legal site offering advice on many IT-related legal issues, and a good weekly legal newsletter. The site is operated by international law firm, Masons - see their monthly Computer Law Reports.


PC Technology Guide - for anyone interested in learning what goes on under the hood.


PhoneBusters is the central agency in Canada that collects information on telemarketing, advanced fee fraud letters (Nigerian letters) and identity theft complaints. The information is disseminated to the appropriate law enforcement agencies. The data collected at PhoneBusters is a valuable tool in evaluating the effects of various types of fraud on the public. It also helps to prevent future similar crimes from taking place.

Privacy International

Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns throughout the world on issues ranging from wiretapping and national security, to ID cards, video surveillance, data matching, police information systems, medical privacy, and freedom of information and expression. (Stupid Security Competition - results.)

Everything - well, nearly everything you could wish to know about protocols. The site offers a comprehensive listing of data communications protocols, their functions in respect to the OSI model, the structure of the protocol and various errors and parameters.


Recording Industry Association of America - some interesting reflections on copyright enforcement.

Risks Digest

Forum On Risks To The Public In Computers And Related Systems - a regular and widely read newsletter on computer-related risks.


Founded in 1972, with its headquarters in Walldorf, Germany, SAP claims to be the world's largest inter-enterprise software company, and the world's third-largest independent software supplier overall, employing over 28,900 people in more than 50 countries. Brochures/white papers on SAP products.

SANS Institute

The SANS (System Administration, Networking and Security) Institute was established in 1989 as a cooperative research and education organization. The SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face.

SANS Institute Information Security Reading Room

The SANS Institute's Information Security Reading Room features over 1300 articles on Information Security in 63 different categories.


Sophos virus analyses describe some of the more common or interesting viruses. The site also hosts other background material on viruses and a running 'top 10' virus league.

Sun (source for developers)

A huge range of technical documents and advice, including Responding to a Customer's Security Incidents Part1 and Part 2.


The site provides a synopsis of the latest virus-related threats discovered by Symantec Security Response, including information on: Category Rating (risk), Name of Threat (threat), the day on which the threat was identified (discovered), and the day on which a virus definition was added to protect against the threat (protection).


An online community and information resource for all IT professionals offering in-depth technical articles written by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, the site offers IT industry analysis, downloads, management tips, discussion forums, and e-newsletters. Requires registration.


Online technical encyclopaedia.

U.S. Robotics

What is wireless networking? Some useful white papers on WLAN and WLAN security. See also the Glossary (see under 'Useful terms').

VNU Research Library

This comprehensive resource features the latest white papers, research reports, market intelligence and case studies from the industry's most respected analysts and companies. The reports are updated in real-time to provide a one stop shop for IT professionals who need to stay one step ahead.


Online dictionary and search engine for computer and Internet technology - see also

Another problem solver - see also How Stuff Works.

World Legal Information Institute

WorldLII is a free, independent and non-profit global legal research facility developed collaboratively with many Legal Information Institutes and other organisations. The Privacy & FOI Law Project aims to make searchable from one location all of the databases specialising in Privacy and Freedom Of Information law available on any of the Legal Information Institutes that are part of WorldLII.

World Wide Web Consortium

The World Wide Web Consortium (W3C) develops interoperable technologies (specifications, guidelines, software, and tools) to lead the Web to its full potential. W3C is a forum for information, commerce, communication, and collective understanding (see W3C's "A to Z" index on their home page).

Inside W3Schools you will find a large number of free Web building tutorials, from basic HTML and XHTML to advanced tutorials on XML, XSL and WAP.
