Information Assurance
Managing Organizational IT Security Risks

Joseph G. Boyce
Dan W. Jennings

Butterworth–Heinemann
An Imprint of Elsevier Science
Amsterdam Boston London New York Oxford Paris San Diego San Francisco Singapore Sydney Tokyo

Butterworth–Heinemann is an imprint of Elsevier Science

Copyright © 2002 by Elsevier Science (USA)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Recognizing the importance of preserving what has been written, Butterworth–Heinemann prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
Boyce, Joseph George, 1951–
  Information assurance: managing organizational IT security risks / Joseph George Boyce, Dan Wesley Jennings.
  p. cm.
  Includes bibliographical references and index.
  ISBN 0-7506-7327-3 (pbk. : alk. paper)
  1. Computer security. 2. Data protection. I. Jennings, Dan Wesley, 1954- II. Title.
  QA76.9.A25 B69 2002
  005.8 — dc21    2001056663

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

The publisher offers special discounts on bulk orders of this book. For information, please contact:
Manager of Special Sales
Elsevier Science
225 Wildwood Avenue
Woburn, MA 01801-2041
Tel: 781-904-2500
Fax: 781-904-2620

For information on all Butterworth–Heinemann publications available, contact our World Wide Web home page at: http://www.bh.com

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America

To my parents, my brother, my wife Odette, my two wonderful children, Kimberly and Alan, and my friends, Bishop John Neumann and Dr. Biddle.
Joseph George Boyce

To my wife and best friend, Denise, who reminds me about what is important, and to all my security staff, past and present, from whom I continue to learn and grow.
Dan Wesley Jennings

Among the natural rights of the colonists are these: First a right to life, secondly to liberty, thirdly to property; together with the right to defend them in the best manner they can.
— Samuel Adams

The personal right to acquire property, which is a natural right, gives to property, when acquired, a right to protection, as a social right.
— James Madison

Contents

Foreword  xi
Preface  xv
Acknowledgments  xxi

I  THE ORGANIZATIONAL IA PROGRAM: THE PRACTICAL AND CONCEPTUAL FOUNDATION  1

1. IA and the Organization: The Challenges  3
   Chapter Objectives  3
   The Meaning and Significance of IA  3
   The Rights of Organizations  3
   The Contribution of Information and Information Technology (IT) to Achieving the Rights of Organizations  5
   The Emergence of New Challenges  6
   Summary  11
   References  11

2. Basic Security Concepts, Principles, and Strategy  13
   Chapter Objectives  13
   Basic Security Concepts and Principles  13
   Basic Security Strategy  30
   Summary  35
   References  35

II  DEFINING THE ORGANIZATION'S CURRENT IA POSTURE  37

3. Determining the Organization's IA Baseline  39
   Chapter Objectives  39
   Information Assurance Elements  39
   Summary  52
   References  52

4. Determining IT Security Priorities  53
   Chapter Objectives  53
   Identifying Your Security Protection Priorities  53
   Measuring the Accomplishment of Organizational IA Needs  64
   Summary  65
   References  65

5. The Organization's IA Posture  67
   Chapter Objectives  67
   Introduction  67
   The Process for Determining Organizational IA Posture  70
   Summary  82
   References  83

III  ESTABLISHING AND MANAGING AN IA DEFENSE IN DEPTH STRATEGY WITHIN AN ORGANIZATION  85

6. Layer 1: IA Policies  87
   Chapter Objectives  87
   The Concept of Policy  87
   The Intent and Significance of IA Policies  88
   The Mechanics of Developing, Communicating, and Enforcing IA Policies  90
   Summary  93
   References  93

7. Layer 2: IA Management  95
   Chapter Objectives  95
   Establishing an IA Management Program  95
   Managing IA  107
   Summary  110
   References  110

8. Layer 3: IA Architecture  113
   Chapter Objectives  113
   The Objectives of the IA Architecture  113
   Knowledge Required to Design the IA Architecture  114
   The Design of the Organization's IA Architecture  125
   Allocation of Security Services and Security Mechanisms  136
   The Implementation of the Organization's IA Architecture  142
   Summary  143
   References  143

9. Layer 4: Operational Security Administration  145
   Chapter Objectives  145
   Administering Information Systems Security  145
   Summary  151
   References  152

10. Layer 5: Configuration Management  153
   Chapter Objectives  153
   The Necessity of Managing Changes to the IA Baseline  153
   Configuration Management: An Approach for Managing IA Baseline Changes  154
   Summary  161
   References  162

11. Layer 6: Life-Cycle Security  163
   Chapter Objectives  163
   Security Throughout the System Life Cycle  163
   Summary  170
   Reference  170

12. Layer 7: Contingency Planning  171
   Chapter Objectives  171
   Planning for the Worst  171
   Summary  174
   Reference  174

13. Layer 8: IA Education, Training, and Awareness  175
   Chapter Objectives  175
   The Importance of IA Education, Training, and Awareness  175
   Implementation of Organizational IA Education, Training, and Awareness  176
   Summary  179
   References  179

14. Layer 9: IA Policy Compliance Oversight  181
   Chapter Objective  181
   The Necessity of IA Policy Compliance Oversight  181
   The Implementers of IA Policy Compliance Oversight  181
   Mechanisms of IA Policy Compliance Oversight  182
   Summary  187
   References  188

15. Layer 10: IA Incident Response  189
   Chapter Objectives  189
   Reacting and Responding to IA Incidents  189
   Summary  195
   References  196

16. Layer 11: IA Reporting  197
   Chapter Objectives  197
   The Definition of Formal IA Reporting  197
   The Development of an IA Reporting Structure and Process  197
   Summary  200
   References  200