ebook img

Information assurance handbook: effective computer security and risk management strategies PDF

481 Pages·2015·3.567 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Information assurance handbook: effective computer security and risk management strategies

Information Assurance Handbook Effective Computer Security and Risk Management Strategies Corey Schou Steven Hernandez New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. ISBN: 978-0-07-182631-0 MHID: 0-07-182631-9 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-182165-0, MHID: 0-07-182165-1. eBook conversion by codeMantra Version 1.0 All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com. Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the ac- curacy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. TERMS OF USE This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPER- LINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw- Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw- Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. For my family—more patient than I deserve; for my mentors, who gave me the lamp to guide me; for my students, who give me constant purpose and challenge. —Corey Schou For my beloved wife, Michelle; you inspire the very best in me. —Steven Hernandez About the Authors Corey Schou, Ph.D., is a Fulbright Scholar, a frequent public speaker, an active researcher, and an author of more than 300 books, papers, articles, and other presentations. His interests include information assurance, risk management, software engineering, developing secure applications, security and privacy, and collaborative decision making. He has been described in the press as the father of the knowledge base used worldwide to establish computer security and information assurance. He was responsible for compiling and editing computer security training standards for the U.S. government. In 2003, he was selected as the first University Professor at Idaho State University. He directs the Informatics Research Institute and the National Information Assurance Training and Education Center. His program was recognized by the U.S. government as a Center of Academic Excellence in Information Assurance and is a leading institution in the CyberCorps/Scholarship for Service program. In addition to his academic accomplishments, he holds a broad spectrum of certifications including Certified Cyber Forensics Professional (CCFP), Certified Secure Software Lifecycle Professional (CSSLP), HealthCare Information Security and Privacy Practitioner (HCISPP), CISSP Information Systems Security Architecture Professional (CISSP-ISSAP), and CISSP Information Systems Security Management Professional (CISSP-ISSMP). During his career, he has been recognized by many organizations, including the Federal Information Systems Security Educators Association, which selected him as the 1996 Educator of the Year, and his research and center were cited by the Information Systems Security Association for Outstanding Contributions to the Profession. In 1997, he was given the TechLearn award for contributions to distance education. He was nominated and selected as an honorary Certified Information Systems Security Professional (CISSP) based on his lifetime achievement. In 2001, the International Information Systems Security Certification Consortium (ISC)2 selected him as the second recipient of the Tipton award for contribution to the information security profession. In 2007, he was recognized as a Fellow of (ISC)2. Steven Hernandez, MBA, CISSP, CISA, CSSLP, SSCP, CAP, HCISPP, CompTIA Security+, is the chief information security officer for the Office of Inspector General at the U.S. Department of Health and Human Services (HHS). His 16 years of extensive background in information assurance includes work for international heavy manufacturing, large finance organizations, academia, government agencies, nongovernment organizations, and international not-for-profits. Hernandez is an industry-recognized expert in risk management, information assurance investment performance, privacy in healthcare and commerce, and information assurance management. He guest lectures at Idaho State University as affiliate faculty, the National Information Assurance Training and Education Center as affiliate faculty, George Washington University as a distinguished speaker, and California State University at San Bernardino as an honorary professor. He is the editor and lead author of the third edition of the Official (ISC)2 Guide to the CISSP CBK. Hernandez is the chair of the (ISC)2 HCISPP Common Body of Knowledge Domain committee in addition to editor of the first edition of the Official (ISC)2 Guide to the HCISPP CBK. About the Technical Editors Flemming Faber is the senior adviser at the Danish Centre for Cyber Security, part of the Danish Defence Intelligence Service. He has been an information security expert since 1994 and was the first Dane to obtain CISSP certification in 1999. Flemming has worked as a security consultant and information security manager in international consultancy companies for a decade. In 2003, he joined the Danish National IT and Telecom Agency, a Danish government agency where he was head of the IT security division until 2009. In the agency, he was in charge of the information security strategy in relation to the general Danish e-government initiatives, the Danish government’s information security awareness campaigns, privacy initiatives, and the development of information security standards for Danish government agencies. Since 2006, Flemming has been the Danish government representative on the board of the European Network and Information Security Agency (ENISA). He was the main architect in establishing the Danish GovCERT in 2009, where he is responsible for policy, strategy, and international cooperation. Since 2011, the Danish GovCERT has been part of the Danish Centre for Cyber Security under the Ministry of Defence. He has been active in promoting information security internationally and has been involved with (ISC)2 activities since 1999. Flemming was a member of the (ISC)2 Board of Directors from 2010 to 2013. Jill Slay is the director of the new Australian Centre for Cyber Security at UNSW Canberra @ ADFA. With long-term funding allocated, this centre aims to develop critical mass in cross-disciplinary research and teaching in cybersecurity to serve the Australian government and Defence Force and help strengthen the digital economy. She carries out collaborative research in forensic computing, information assurance, and critical infrastructure protection with industry, state, and federal government partners in Australia, South Africa, the United States, and Asia; and she has advised various governments, supporting them in research and process development. Jill was made a member of the Order of Australia (AM) in the 2011 Australia Day Honours Awards for service to the information technology industry through contributions in the areas of forensic computer science, security, protection of infrastructure, and cyberterrorism. She is a member of the Institute of Electrical and Electronic Engineers and also a fellow of the (ISC)2 and the Australian Computer Society. These awards were made for her service to the IT security profession. This page intentionally left blank Contents Foreword ..................................................xix Acknowledgments ...........................................xxi Introduction ..............................................xxiii Part I Information Assurance Basics Chapter 1 Developing an Information Assurance Strategy ....................5 Comprehensive............................................... 5 Independent................................................. 5 Legal and Regulatory Requirements ............................. 6 Living Document ............................................. 6 Long Life Span............................................... 7 Customizable and Pragmatic.................................... 7 Risk-Based Approach.......................................... 7 Organizationally Significant .................................... 7 Strategic, Tactical, and Operational .............................. 7 Concise, Well-Structured, and Extensible.......................... 8 Critical Thinking Exercises ..................................... 8 Chapter 2 The Need for Information Assurance............................9 Protection of Critical and Sensitive Assets ........................ 10 Compliance to Regulations and Circulars/Laws ................... 10 Meeting Audit and Compliance Requirements.................... 10 Providing Competitive Advantage............................... 11 Critical Thinking Exercises .................................... 12 Chapter 3 Information Assurance Principles..............................13 The MSR Model of Information Assurance ....................... 13 Information Assurance ....................................... 14 Information Security..................................... 15 Information Protection................................... 15 Cybersecurity ........................................... 16 Information Assurance: Business Enabler ........................ 17 Information Assurance: Protects the Fabric of an Organization’s Systems .......................... 17 Information Assurance: Cost Effective and Cost Beneficial .......... 18 vii viii Information Assurance Handbook Information Assurance: Shared Responsibilities ................... 19 Information Assurance: Robust Approach........................ 19 Information Assurance: Reassessed Periodically ................... 19 Information Assurance: Restricted by Social Obligations............ 20 Implications from Lack of Information Assurance ................. 20 Penalties from a Legal/Regulatory Authorities................ 20 Loss of Information Assets ................................ 21 Operational Losses and Operational Risk Management......... 21 Customer Losses ........................................ 21 Loss of Image and Reputation ............................. 22 Further Reading............................................. 22 Critical Thinking Exercises .................................... 23 Chapter 4 Information Assurance Concepts ..............................25 Defense in Depth............................................ 25 Confidentiality, Integrity, and Availability ........................ 27 Confidentiality.......................................... 27 Integrity ............................................... 27 Availability ............................................. 28 CIA Balance ............................................ 28 Nonrepudiation and Authentication ............................ 28 Nonrepudiation......................................... 28 Identification, Authentication, Authorization, and Accountability.................................... 29 Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Authentication.......................................... 30 Authorization........................................... 31 Accountability .......................................... 31 Privacy’s Relationship to Information Assurance .............. 31 Assets, Threats, Vulnerabilities, Risks, and Controls ................ 32 Common Threats........................................ 33 Vulnerabilities .......................................... 40 Controls ............................................... 40 Cryptology.................................................. 43 Codes and Ciphers....................................... 43 Further Reading............................................. 46 Critical Thinking Exercises .................................... 47 Chapter 5 Organizations Providing Resources for Professionals ..............49 Organizations Providing Resources for Professionals ............... 50 (ISC)2 International Information System Security Certification Consortium................................... 50 Computing Technology Industry Association ................. 50 Information System Audit and Control Association ............ 51 Information System Security Association .................... 51 SANS Institute .......................................... 51 Contents ix Disaster Recovery Institute, International .................... 51 Business Continuity Institute .............................. 52 Deciding Among Certifications................................. 52 Codes of Ethics.......................................... 52 Further Reading............................................. 54 Critical Thinking Exercises .................................... 54 Chapter 6 Information Assurance Management System .....................55 Security Considerations for the Information Asset Life Cycle ........ 56 Plan-Do-Check-Act Model ..................................... 57 Plan................................................... 58 Do.................................................... 59 Check ................................................. 59 Act.................................................... 60 Boyd’s OODA Loop.......................................... 60 The Kill Chain .............................................. 61 Further Reading............................................. 61 Critical Thinking Exercises .................................... 62 Chapter 7 Current Practices, Regulations, and Plans for Information Assurance Strategy ....................63 Due Care and Due Diligence................................... 63 Due Care .............................................. 63 Due Diligence .......................................... 63 Specific Laws and Regulations.................................. 64 Computer Laws ......................................... 64 Intellectual Property Law ................................. 65 Privacy Laws ............................................ 65 International Laws and Acts ................................... 67 Standards and Best Practices................................... 68 Further Reading............................................. 69 Critical Thinking Exercise..................................... 70 Part II Information Assurance Planning Process Chapter 8 Approaches to Implementing Information Assurance...............75 Key Components of Information Assurance Approaches............ 75 Levels of Controls in Managing Security ......................... 77 Top-Down Approach ......................................... 78 Bottom-Up Approach......................................... 78 Outsourcing and the Cloud.................................... 79 Balancing Information Assurance and Associated Costs............. 79 Further Reading............................................. 80 Critical Thinking Exercises .................................... 81

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.