Y L F M A E T Team-Fly® DEFENDING THE DIGITAL FRONTIER A SECURITY AGENDA Mark W. Doll Sajay Rai Jose Granado JOHN WILEY & SONS, INC. DEFENDING THE DIGITAL FRONTIER DEFENDING THE DIGITAL FRONTIER A SECURITY AGENDA Mark W. Doll Sajay Rai Jose Granado JOHN WILEY & SONS, INC. Copyright © 2003 by Ernst & Young LLP. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. Restrict, Run, RecoverSMis a servicemark of EYGN Limited. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: [email protected]. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability of fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at www.wiley.com. ISBN 0-471-22144-9 Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1 Contents List of Figures and Tables ix Foreword xi Preface xiii Acknowledgments xvii PART ONE THE CHALLENGE OF THE FRONTIER 1 Chapter 1: The Security Frontier 5 Identifying the Security Frontier 11 Environment 12 Responsibilities 15 Priorities 17 Challenges at the Frontier 19 Threats and Vulnerabilities 19 An Attack Scenario 22 Chapter 2: Security Characteristics 27 Aligned 28 Enterprise-Wide 32 Continuous 34 Proactive 36 Validated 38 Formal 42 v vi CONTENTS Chapter 3: Organizational Components and Security Objectives 47 Organizational Components 48 People 49 Process 50 Technology 51 Security Objectives 52 Confidentiality, Integrity, and Availability 53 Access Control 53 PART TWO THE AGENDA FOR ACTION 57 Chapter 4: The Security Agenda 61 Restrict, Run, and RecoverSM 61 Security Agenda Items 63 Planning, Architecture, Operations, and Monitoring Capabilities 65 Organizational Model 66 Capabilities 68 Chapter 5: The Three Rs of Digital Security 77 Restrict 77 Intrusion and Virus Detection 78 Incident Response 83 Privacy 91 Policies, Standards, and Guidelines 94 Physical Security 99 Run 102 Asset and Service Management 104 Vulnerability Management 107 Entitlement Management 111 Recover 114 Business Continuity Planning 115 PART THREE THE APPROACH FOR SAFETY 119 Chapter 6: The Security Culture 123 The Chief Executive as an Agent of Change 125 Instill a Heightened Sense of Awareness 125 Build a Digital Security Guidance Council 126 CONTENTS vii Establish a Time Table and Monitor Progress 126 Roll Out an Enterprise-Wide Security Awareness and Training Program 127 Chapter 7: The Risk Frontier 131 Modeling and Defining Digital Security Risk 131 Low and Slow Scenario: Lessons to Be Learned 137 High-Impact Risk Scenario: Lessons to Be Learned 141 Containment and Control Scenarios: Lessons to Be Learned 143 Approaching Risk Management 144 Chapter 8: Road Map for Success 147 Positioning the Organization within the Industry 148 Resource Allocation 151 Insuring against Digital Security Events 154 Table-Top Exercises 155 The Orbit of Regard 157 Appendix A: Security-Related Laws and Regulations 159 U.S. Laws 159 The USA Patriot Act of 2001 159 The Digital Privacy Act of 2000 160 The Electronic Communications Privacy Act of 1986, 2000 160 The Gramm Leach Bliley (GLB) Act of 1999 (Financial Services Modernization Act) 160 The Electronic Freedom of Information Act of 1996 161 The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 161 The National Information Infrastructure Protection Act of 1996 162 The Computer Security Act of 1987 162 The Computer Fraud and Abuse Act of 1986 163 The Computer Crime Control Act of 1984 163 U.S. Federal Privacy Act of 1974 163 U.S. Regulations, Agencies, and Guidelines 164 The National Infrastructure Assurance Council (NIAC, 1999) 164
Description: