
Asset protection and security management handbook PDF

423 Pages·2003·5.993 MB·English

Preview Asset protection and security management handbook

Information Security Architecture, Second Edition

Other information security books from Auerbach

Asset Protection and Security Management Handbook, POA Publishing, ISBN: 0-8493-1603-0
Building a Global Information Assurance Program, Raymond J. Curts and Douglas E. Campbell, ISBN: 0-8493-1368-6
Building an Information Security Awareness Program, Mark B. Desman, ISBN: 0-8493-0116-5
Critical Incident Management, Alan B. Sterneckert, ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide, Bruce Middleton, ISBN: 0-8493-1192-6
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Albert J. Marcella, Jr. and Robert S. Greenfield, ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing, James S. Tiller, ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks, Susan Young and Dave Aitel, ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization, Jan Killmeyer Tudor, ISBN: 0-8493-9988-2
Information Security Fundamentals, Thomas R. Peltier, ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition, Harold F. Tipton and Micki Krause, ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, Thomas R. Peltier, ISBN: 0-8493-1137-3
Information Security Risk Analysis, 2nd Edition, Thomas R. Peltier, ISBN: 0-8493-3346-6
Information Technology Control and Audit, Fredrick Gallegos, Daniel Manson, and Sandra Allen-Senft, ISBN: 0-8493-9994-7
Investigator's Guide to Steganography, Gregory Kipper, ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment, Thomas Peltier, Justin Peltier, and John A. Blackley, ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth, Cliff Riggs, ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance, Kevin Beaver and Rebecca Herold, ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance, Debra S. Herrmann, ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions, Rebecca Herold, ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services, John R. Vacca, ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers, Peter T. Davis, ISBN: 0-8493-1290-6
Strategic Information Security, John Wylder, ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition, Amanda Andress, ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks, James S. Tiller, ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation, Debra S. Herrmann, ISBN: 0-8493-1404-6

Auerbach Publications, www.auerbach-publications.com. To order call: 1-800-272-7737; fax: 1-800-374-3401; e-mail: [email protected]

Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition
Jan Killmeyer
Auerbach Publications, Boca Raton and New York

Published in 2006 by Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2006 by Taylor & Francis Group, LLC. Auerbach is an imprint of Taylor & Francis Group. No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4 3 2 1
International Standard Book Number-10: 0-8493-1549-2 (Hardcover)
International Standard Book Number-13: 978-0-8493-1549-7 (Hardcover)
Library of Congress Card Number 00-040399

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Tudor, Jan Killmeyer
Information security architecture: an integrated approach to security in the organization / Jan Killmeyer Tudor.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1549-2 (alk. paper)
1. Computer security. 2. Computer architecture. I. Title.
QA76.9.A25 T83 2000
005.8--dc21 00-040399

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Publications Web site at http://www.auerbach-publications.com. Taylor & Francis Group is the Academic Division of Informa plc.

Dedication

This book is dedicated to the memory of my father, Fred J. Killmeyer, Jr., and the honor of my mother, Gladys Killmeyer Gillespie, whose love, inspiration, and devotion to their children provided me with the courage to take on and complete the challenge of writing this book.

Contents

1 Information Security Architecture  1
  Why an Architecture?  2
    Incident  3
  Client/Server Environments  6
  Overview of Security Controls  11
    The Threat  11
    The Risks  12
    Incident  12
    The Controls  14
  The Strategic Information Technology (IT) Plan  17
  Summary  22
  Getting Started  22

2 Security Organization / Infrastructure  25
  Learning Objectives  25
  The Security Organization  26
    The Executive Committee for Security  29
    The Chief Information Officer  29
    The Chief Financial Officer  31
    The Security Officer  32
    The Security Team  33
    Security Coordinators or Liaisons  35
    Departmental Management  36
    Network and Application Administrators  37
    Human Resources  37
    Legal Counsel  37
    Help Desk  39
    Audit  39
      Internal Audit  39
      External Audit  41
      Component Audits  42
      Compliance Audits  42
    System Users  42
  Centralized versus Decentralized Security Administration  43
  Information and Resource Ownership  45
  The Strategic Information Technology (IT) Plan  49
  Chapter Summary  54
  Getting Started: Project Management  56
    Deliverables  71
      Password Parameters  72
  Notes  75

3 Security Policies, Standards, and Procedures  77
  Introduction  77
  Learning Objectives  77
  The Information Security Policy  81
  Information Security Policy Acknowledgment Form  82
  Network Usage Policy  82
  E-Mail Policy  83
  Internet Policy  87
    Internet Risk  88
  Process for Change  90
  Security Standards  91
  Standards Organizations  92
  Security Procedures  96
  Chapter Summary  97
  Getting Started  98
  Notes  99

4 Security Baselines and Risk Assessments  101
  Information Security Assessment: A Phased Approach  102
  High-Level Security Assessment (Section I)  103
    Assessing the Organization of the Security Function  103
    Assessing the Security Plan  104
    Assessing Security Policies, Standards, and Procedures  104
    Assessing Risk-Related Programs  104
  Security Operations (Section II)  105
    Security Monitoring  105
    Computer Virus Controls  106
    Microcomputer Security  107
  Compliance with Legal and Regulatory Requirements  108
  Computer Operations (Section III)  108
    Physical and Environmental Security  108
    Backup and Recovery  109
    Computer Systems Management  110
    Problem Management  110
  Application Controls Assessments  111
    Access Controls  112
    Separation (or Segregation) of Duties  113
    Audit Trails  114
    Authentication  114
    Application Development and Implementation  116
    Change Management  117
    Database Security  117
    Network Assessments  119
    Emergency Response  120
    Remote Access  121
    Gateways Separating the Corporate WAN and Lines of Business  122
    Current and Future Internet Connections  122
    Electronic Mail and the Virtual Office  123
    Placement of WAN Resources at Client Sites  124
    Operating System Security Assessment  125
    Windows NT  125
    Telecommunications Assessments  132
  Summary  136

5 Security Awareness and Training Program  139
  Program Objectives  139
    Employees Recognize Their Responsibility for Protecting the Enterprise's Information Assets  139
    Employees Understand the Value of Information Security  140
    Employees Recognize Potential Violations and Know Who to Contact  142
      Incident  142
      Forms of Attack  143
    The Level of Security Awareness among Existing Employees Remains High  146
  Program Considerations  147
    Effectiveness Is Based on Long-Term Commitment of Resources and Funding  147
    Benefits Are Difficult to Measure in the Short Term  148
    Scoping the Target Audience  149
      Incident  151
    Effectively Reaching the Target Audience  154
    Security Organizations  159
  Summary  160
  Getting Started — Program Development  161

6 Compliance  165
  Level One Compliance: The Component Owner  166
  Level Two Compliance: The Audit Function  167
  Level Three Compliance: The Security Team  172
  Line of Business (LOB) Security Plan  173
  Enterprise Management Tools  173
  Summary  176
