Practical Information Security Management
A Complete Guide to Planning and Implementation
Tony Campbell
Practical Information Security Management: A Complete Guide to Planning and Implementation
Tony Campbell
Burns Beach
Australia
ISBN-13 (pbk): 978-1-4842-1684-2
ISBN-13 (electronic): 978-1-4842-1685-9
DOI 10.1007/978-1-4842-1685-9
Library of Congress Control Number: 2016960737
Copyright © 2016 by Tony Campbell
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage
and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or
hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with
every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an
editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are
not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Developmental Editor: Matt Moodie
Technical Reviewers: Nigel Hardy, Tristan Bennett
Editorial Board: Steve Anglin, Pramila Balen, Laura Berendson, Aaron Black, Louise Corrigan,
Jonathan Gennick, Robert Hutchinson, Celestin Suresh John, Nikhil Karkal, James Markham,
Susan McDermott, Matthew Moodie, Natalie Pao, Gwenan Spearing
Coordinating Editor: Rita Fernando
Copy Editor: Kim Burton-Weisman
Compositor: SPi Global
Indexer: SPi Global
Cover image: Designed by Hurca - Freepik.com
Distributed to the book trade worldwide by Springer Science+Business Media New York,
233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505,
e-mail orders-ny@springer-sbm.com, or visit www.springer.com. Apress Media, LLC is a California
LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc).
SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail rights@apress.com, or visit www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use.
eBook versions and licenses are also available for most titles. For more information, reference our Special
Bulk Sales–eBook Licensing web page at www.apress.com/bulk-sales.
Any source code or other supplementary materials referenced by the author in this text is available to
readers at www.apress.com. For detailed information about how to locate your book’s source code, go to
www.apress.com/source-code/.
Printed on acid-free paper
“I saw the angel in the marble and carved until I set him free.”
—Michelangelo
This book is dedicated to the two people in my life that inspire me the most.
For Sharon and Lara: set your angels free.
Contents at a Glance
About the Author .....................................................................................................xv
About the Technical Reviewers .............................................................................xvii
Acknowledgments ..................................................................................................xix
Introduction ............................................................................................................xxi
■ Chapter 1: Evolution of a Profession .....................................................................1
■ Chapter 2: Threats and Vulnerabilities ................................................................15
■ Chapter 3: The Information Security Manager ....................................................31
■ Chapter 4: Organizational Security .....................................................................43
■ Chapter 5: Information Security Implementation ................................................63
■ Chapter 6: Standards, Frameworks, Guidelines, and Legislation ........................71
■ Chapter 7: Protection of Information ...................................................................95
■ Chapter 8: Protection of People .........................................................................113
■ Chapter 9: Protection of Premises .....................................................................131
■ Chapter 10: Protection of Systems ....................................................................155
■ Chapter 11: Digital Evidence and Incident Response ........................................179
■ Chapter 12: Cloud Computing Security..............................................................193
■ Chapter 13: Industrial Control Systems ............................................................205
■ Chapter 14: Secure Systems Development ........................................................213
Index .....................................................................................................................229
Contents
About the Author .....................................................................................................xv
About the Technical Reviewers .............................................................................xvii
Acknowledgments ..................................................................................................xix
Introduction ............................................................................................................xxi
■ Chapter 1: Evolution of a Profession .....................................................................1
What’s in a Name? ...........................................................................................................3
The Language of Security.................................................................................................5
CIA .........................................................................................................................................................5
Non-Repudiation .....................................................................................................................................9
Threats and Vulnerabilities .....................................................................................................................9
Risk and Consequence ........................................................................................................................10
Glossary of Useful Terms ................................................................................................12
■ Chapter 2: Threats and Vulnerabilities ................................................................15
Threats ...........................................................................................................................16
Hiding in Plain Sight .............................................................................................................................17
Malware as a Service ...........................................................................................................................21
Physical Threats .............................................................................................................24
Vulnerabilities .................................................................................................................25
Technical Vulnerabilities .......................................................................................................................26
Non-Technical Vulnerabilities ...............................................................................................................27
■ Chapter 3: The Information Security Manager ....................................................31
Information Security Job Roles ......................................................................................32
Training, Experience, and Professionalism .....................................................................34
Career Planning with Professional and Academic Certifications .........................................................35
Getting Started in Security Management .......................................................................40
The Information Security Manager’s Responsibilities ..........................................................................40
The Information Security Management System ...................................................................................42
■ Chapter 4: Organizational Security .....................................................................43
Security in Organizational Structures .............................................................................43
Where Does Security Fit? .....................................................................................................................43
License to Operate: Get Your Guys Certified .........................................................................................46
Encourage a Culture of Security Awareness .........................................................................................47
Working with Specialist Groups .....................................................................................50
Working with Standards and Regulations ......................................................................50
Working with Risk Management ...................................................................................52
Risk Identification .................................................................................................................................53
Risk Analysis .........................................................................................................................................54
Risk Treatment ......................................................................................................................................56
Risk Monitoring ....................................................................................................................................58
Business Continuity Management and Disaster Planning ....................................................................58
Working with Enterprise Architecture ............................................................................59
Working with Facilities Management .............................................................................62
Conclusion ......................................................................................................................62
■ Chapter 5: Information Security Implementation ................................................63
Integration with Risk Management ................................................................................64
The Language of Risk ...........................................................................................................................64
Use Existing Frameworks .....................................................................................................................65
Secure Development .....................................................................................................66
Security Architecture Awareness ..........................................................................................................67
Security Requirements ........................................................................................................................68
Organizational Interfaces ...............................................................................................69
Post Implementation ......................................................................................................70
Conclusion ......................................................................................................................70
■ Chapter 6: Standards, Frameworks, Guidelines, and Legislation ........................71
Why Do We Need Standards? .........................................................................................72
Legislation ......................................................................................................................73
Privacy .................................................................................................................................................75
US-EU Safe Harbor and Privacy Shield .................................................................................................76
Employer and Employee Rights ............................................................................................................76
Computer Fraud and Abuse Laws .........................................................................................................77
Records Retention ................................................................................................................................79
Intellectual Property and Copyright ......................................................................................................79
The ISO/IEC 27000 Series of Standards .........................................................................80
ISO/IEC 27001 .......................................................................................................................................80
ISO/IEC 27002 .......................................................................................................................................82
ISO/IEC 27035 .......................................................................................................................................84
List of Published ISO/IEC 27000 Standards ..........................................................................................85
Business Continuity .......................................................................................................86
Risk Management Standards .........................................................................................87
COBIT ..............................................................................................................................90
Payment Card Industry Data Security Standard .............................................................91
Health Insurance Portability and Accountability Act .......................................................92
Conclusion ......................................................................................................................93
■ Chapter 7: Protection of Information ...................................................................95
Information Classification ..............................................................................................95
Business Impact Levels ........................................................................................................................98
Implementing Information Classification ...........................................................................................100
Strategic Implementation ...................................................................................................................103
Identification, Authentication, and Authorization ..........................................................104
Access Control Models .......................................................................................................................104
System Privileges ...............................................................................................................................108
Separation of Duties ...........................................................................................................................109
Delegation of Privileges ......................................................................................................................110
■ Chapter 8: Protection of People .........................................................................113
Human Vulnerabilities ..................................................................................................113
Social Engineering ..............................................................................................................................115
Building a Security Culture ...........................................................................................118
Negligent Staff ....................................................................................................................................119
Shoulder Surfing and Eavesdropping .................................................................................................122
Codes of Conduct................................................................................................................................122
Acceptable Use Policies......................................................................................................................122
Employment Contracts .......................................................................................................................123
Personnel Security Life Cycle .......................................................................................124
Recruitment ........................................................................................................................................126
Selection .............................................................................................................................................126
Performance and Succession .............................................................................................................128
Transition ...........................................................................................................................................129
Conclusion ....................................................................................................................129
■ Chapter 9: Protection of Premises .....................................................................131
What Is Physical Security? ..........................................................................................131
Physical Security in ISO/IEC 27001:2013............................................................................................132
Start with a Risk Assessment ......................................................................................133
Threats and Vulnerabilities ................................................................................................................134
Complete the Risk Assessment ..........................................................................................................138
Perimeter Design ..........................................................................................................139
Barriers, Walls, and Fences ................................................................................................................141
Mailrooms and Loading Bays .............................................................................................................142
Security Guards and Dogs ..................................................................................................................144
Crime Prevention through Environmental Design (CPTED) ................................................................144
CCTV ..................................................................................................................................................145
Lighting ...............................................................................................................................................146
Administrative Security Controls ........................................................................................................147
Internal Building Security .............................................................................................147
Reception Areas ..................................................................................................................................147
Access Control and Identity Management ..........................................................................................148
Intrusion Detection Systems ..............................................................................................................148
Alarms and Sensors ...........................................................................................................................149
Clear Desk, Clear Screen ....................................................................................................................150
Clear Desk Policy ................................................................................................................................151
Security of Equipment .......................................................................................................................151
Security Considerations when Relocating ..........................................................................................152
Conclusion ....................................................................................................................153
■ Chapter 10: Protection of Systems ....................................................................155
Introducing Malware ....................................................................................................155
What Is Malware? ...............................................................................................................................156
Classifying Malware ..........................................................................................................................156
Active Content Attacks ........................................................................................................................163
Content Injection Attacks ....................................................................................................................164
Threat Vectors ..............................................................................................................164
Technical Countermeasures .........................................................................................165
Network Security .........................................................................................................169
What Are Firewalls? ............................................................................................................................170
The Demilitarized Zone (DMZ) ............................................................................................................171
Network Encryption ............................................................................................................................172
Wireless Networks ..............................................................................................................................175
Governance Over Network Management ............................................................................................176