| |
| |
| |
Information Security Architecture | |
| |
| |
Why an Architecture? | |
| |
| |
Incident | |
| |
| |
Client/Server Environments | |
| |
| |
Overview of Security Controls | |
| |
| |
The Threat | |
| |
| |
The Risks | |
| |
| |
Incident | |
| |
| |
The Controls | |
| |
| |
The Strategic Information Technology (IT) Plan | |
| |
| |
Summary | |
| |
| |
Getting Started | |
| |
| |
| |
Security Organization / Infrastructure | |
| |
| |
Learning Objectives | |
| |
| |
The Security Organization | |
| |
| |
The Executive Committee for Security | |
| |
| |
The Chief Information Officer | |
| |
| |
The Chief Financial Officer | |
| |
| |
The Security Officer | |
| |
| |
The Security Team | |
| |
| |
Security Coordinators or Liaisons | |
| |
| |
Departmental Management | |
| |
| |
Network and Application Administrators | |
| |
| |
Human Resources | |
| |
| |
Legal Counsel | |
| |
| |
Help Desk | |
| |
| |
Audit | |
| |
| |
Internal Audit | |
| |
| |
External Audit | |
| |
| |
Component Audits | |
| |
| |
Compliance Audits | |
| |
| |
System Users | |
| |
| |
Centralized versus Decentralized Security Administration | |
| |
| |
Information and Resource Ownership | |
| |
| |
The Strategic Information Technology (IT) Plan | |
| |
| |
Chapter Summary | |
| |
| |
Getting Started: Project Management | |
| |
| |
Deliverables | |
| |
| |
Password Parameters | |
| |
| |
Notes | |
| |
| |
| |
Security Policies, Standards, and Procedures | |
| |
| |
Introduction | |
| |
| |
Learning Objectives | |
| |
| |
The Information Security Policy | |
| |
| |
Information Security Policy Acknowledgment Form | |
| |
| |
Network Usage Policy | |
| |
| |
E-Mail Policy | |
| |
| |
Internet Policy | |
| |
| |
Internet Risk | |
| |
| |
Process for Change | |
| |
| |
Security Standards | |
| |
| |
Standards Organizations | |
| |
| |
Security Procedures | |
| |
| |
Chapter Summary | |
| |
| |
Getting Started | |
| |
| |
Notes | |
| |
| |
| |
Security Baselines and Risk Assessments | |
| |
| |
Information Security Assessment: A Phased Approach | |
| |
| |
High-Level Security Assessment (Section I) | |
| |
| |
Assessing the Organization of the Security Function | |
| |
| |
Assessing the Security Plan | |
| |
| |
Assessing Security Policies, Standards, and Procedures | |
| |
| |
Assessing Risk-Related Programs | |
| |
| |
Security Operations (Section II) | |
| |
| |
Security Monitoring | |
| |
| |
Computer Virus Controls | |
| |
| |
Microcomputer Security | |
| |
| |
Compliance with Legal and Regulatory Requirements | |
| |
| |
Computer Operations (Section III) | |
| |
| |
Physical and Environmental Security | |
| |
| |
Backup and Recovery | |
| |
| |
Computer Systems Management | |
| |
| |
Problem Management | |
| |
| |
Application Controls Assessments | |
| |
| |
Access Controls | |
| |
| |
Separation (or Segregation) of Duties | |
| |
| |
Audit Trails | |
| |
| |
Authentication | |
| |
| |
Application Development and Implementation | |
| |
| |
Change Management | |
| |
| |
Database Security | |
| |
| |
Network Assessments | |
| |
| |
Emergency Response | |
| |
| |
Remote Access | |
| |
| |
Gateways Separating the Corporate WAN and Lines of Business | |
| |
| |
Current and Future Internet Connections | |
| |
| |
Electronic Mail and the Virtual Office | |
| |
| |
Placement of WAN Resources at Client Sites | |
| |
| |
Operating System Security Assessment | |
| |
| |
Windows NT | |
| |
| |
Telecommunications Assessments | |
| |
| |
Summary | |
| |
| |
| |
Security Awareness and Training Program | |
| |
| |
Program Objectives | |
| |
| |
Employees Recognize Their Responsibility for Protecting the Enterprise's Information Assets | |
| |
| |
Employees Understand the Value of Information Security | |
| |
| |
Employees Recognize Potential Violations and Know Who to Contact | |
| |
| |
Incident | |
| |
| |
Forms of Attack | |
| |
| |
The Level of Security Awareness among Existing Employees Remains High | |
| |
| |
Program Considerations | |
| |
| |
Effectiveness Is Based on Long-Term Commitment of Resources and Funding | |
| |
| |
Benefits Are Difficult to Measure in the Short Term | |
| |
| |
Scoping the Target Audience | |
| |
| |
Incident | |
| |
| |
Effectively Reaching the Target Audience | |
| |
| |
Security Organizations | |
| |
| |
Summary | |
| |
| |
Getting Started - Program Development | |
| |
| |
| |
Compliance | |
| |
| |
Level One Compliance: The Component Owner | |
| |
| |
Level Two Compliance: The Audit Function | |
| |
| |
Level Three Compliance: The Security Team | |
| |
| |
Line of Business (LOB) Security Plan | |
| |
| |
Enterprise Management Tools | |
| |
| |
Summary | |
| |
| |
| |
Pitfalls to an Effective ISA Program | |
| |
| |
Lack of a Project Sponsor and Executive Management Support | |
| |
| |
Executive-Level Responsibilities | |
| |
| |
Executive Management's Lack of Understanding of Realistic Risk | |
| |
| |
Lack of Resources | |
| |
| |
The Impact of Mergers and Acquisitions on Disparate Systems | |
| |
| |
Independent Operations throughout Business Units | |
| |
| |
Discord Between Mainframe versus Distributed Computing Cultures | |
| |
| |
Fostering Trust in the Organization | |
| |
| |
Mom-and-Pop Shop Beginnings | |
| |
| |
Third-Party and Remote Network Management | |
| |
| |
The Rate of Change in Technology | |
| |
| |
Summary | |
| |
| |
Getting Started | |
| |
| |
| |
Computer Incident / Emergency Response | |
| |
| |
Introduction | |
| |
| |
Learning Objectives | |
| |
| |
CERT/CC | |
| |
| |
CSIRT Goals and Responsibilities | |
| |
| |
Reactive Services | |
| |
| |
Alerts and Warnings | |
| |
| |
Incident Handling | |
| |
| |
Vulnerability Handling | |
| |
| |
Artifact Handling | |
| |
| |
Incident Response Handling Methodology | |
| |
| |
Reporting | |
| |
| |
Incident Classification | |
| |
| |
Triage | |
| |
| |
Identification | |
| |
| |
Incident Analysis | |
| |
| |
Incident Response | |
| |
| |
Incident Response Coordination | |
| |
| |
Key Organizations | |
| |
| |
Containment | |
| |
| |
Eradication | |
| |
| |
Recovery | |
| |
| |
Notification | |
| |
| |
Development of the CSIRT | |
| |
| |
Issues in Developing a CSIRT | |
| |
| |
Funding | |
| |
| |
Management Buy-In | |
| |
| |
Staffing and Training | |
| |
| |
Policy Development | |
| |
| |
Legal Issues | |
| |
| |
Reevaluation of CSIRT Operations | |
| |
| |
Chapter Summary | |
| |
| |
Getting Started | |
| |
| |
Notes | |
| |
| |
| |
Conclusion | |
| |
| |
Appendixes | |
| |
| |
| |
Information Security Policy | |
| |
| |
| |
Information Security Policy Acknowledgment Form | |
| |
| |
| |
Network Computing Policy | |
| |
| |
| |
E-Mail Security Policy | |
| |
| |
| |
Internet Policy | |
| |
| |
| |
Security Lists | |
| |
| |
| |
Security Standards and Procedures Manual Table of Contents | |
| |
| |
| |
Anti-Virus Update Procedure | |
| |
| |
| |
Security Assessment Workplan | |
| |
| |
| |
Application Security Assessment | |
| |
| |
| |
Network Security Assessment Workplan | |
| |
| |
| |
Windows NT Assessment Workplan | |
| |
| |
| |
Telecommunications Security Assessment Workplan | |
| |
| |
| |
Computer Incident/Emergency Response Plan | |
| |
| |
| |
Sample Line of Business Security Plan | |
| |
| |
| |
Intrusion Checklist | |