In corporate environments, I.T. professionals are constantly trying to adhere to the latest guidelines that apply to their line of business. Most organizations are guided by one or more of the following: HIPAA (healthcare), PCI (credit card industry), and SOX, among others. These guidelines definitely overlap with each other in areas. If you are privileged enough to have to satisfy more than one of these governing bodies, an issue addressed for one of them will many times also address the same issue for another. The overlap exists largely because all of these guidelines are based on ‘best practices’. Having a list of these best practices available to audit against allows you to score yourself before the formal audits required by the various governing bodies happen. It is also wise to be aware of the best practices before implementing a new system, in order to avoid having to go back and revisit it after the implementation.
The good news is there are resources available to anyone, provided by the Defense Information Systems Agency (DISA), a government agency that is part of the Department of Defense (DoD). These guides are separated into two different types: one set is called Security Technical Implementation Guides (STIGs) and the other is called Security Checklists. They are developed to provide guidance for the people who build and manage DoD networks, and they are also used in audits performed within Department of Defense networks.
None of the DoD-offered materials has anything to do with HIPAA, PCI, SOX, etc. on the surface, but the thing they do have in common is that they are focused on security best practices. In my experience dealing with HIPAA, PCI, SOX, and DoD networks, using these guides as a reference to secure a network or platform will cover 90+% of anything that would come up in a HIPAA, PCI, or SOX audit.
These guides are available publicly to anyone and are considered unclassified material in their currently offered form.
Use the following link to browse the security checklists, find one that addresses your area of interest, and download it. All unpacked files are in .pdf format.