Information Security Fundamentals


Purchasing Options

Paperback
$69.95
ISBN 9780849319570
Cat# AU1957

Features

  • Provides a solid understanding of the foundations of the field and the entire range of issues that practitioners must address
  • Discusses the legal requirements that impact security policies, including Sarbanes-Oxley, HIPAA, and the Gramm-Leach-Bliley Act (GLBA)
  • Details physical security requirements and controls, and offers a sample physical security policy
  • Examines elements of the risk analysis process such as asset definition, threat identification, probability of occurrence, and more
  • Describes components of business continuity planning, outlining how to conduct a business impact analysis and how to test a plan

Summary

    Effective security rules and procedures do not exist for their own sake; they are put in place to protect critical assets, thereby supporting overall business objectives. Recognizing security as a business enabler is the first step in building a successful program.

    Information Security Fundamentals allows future security professionals to gain a solid understanding of the foundations of the field and the entire range of issues that practitioners must address. This book enables students to understand the key elements that comprise a successful information security program and eventually apply these concepts to their own efforts. The book examines the elements of computer security, employee roles and responsibilities, and common threats. It examines the need for management controls, policies and procedures, and risk analysis, and also presents a comprehensive list of tasks and objectives that make up a typical information protection program.

    The volume discusses organizationwide policies and their documentation, and legal and business requirements. It explains policy format, focusing on global, topic-specific, and application-specific policies. Following a review of asset classification, the book explores access control, the components of physical security, and the foundations and processes of risk analysis and risk management. Information Security Fundamentals concludes by describing business continuity planning, including preventive controls, recovery strategies, and ways to conduct a business impact analysis.

    Table of Contents

    OVERVIEW
    Elements of Information Protection
    More Than Just Computer Security
    Employee Mind-Set toward Controls
    Roles and Responsibilities
    Director, Design and Strategy
    Common Threats
    Policies and Procedures
    Risk Management
    Typical Information Protection Program
    Summary

    THREATS TO INFORMATION SECURITY
    What Is Information Security?
    Common Threats
    Errors and Omissions
    Fraud and Theft
    Malicious Hackers
    Malicious Code
    Denial-of-Service Attacks
    Social Engineering
    Common Types of Social Engineering
    Summary

    THE STRUCTURE OF AN INFORMATION SECURITY PROGRAM
    Overview
    Enterprisewide Security Program
    Business Unit Responsibilities
    Creation and Implementation of Policies and Standards
    Compliance with Policies and Standards
    Information Security Awareness Program
    Frequency
    Media
    Information Security Program Infrastructure
    Information Security Steering Committee
    Assignment of Information Security Responsibilities
    Senior Management
    Information Security Management
    Business Unit Managers
    First Line Supervisors
    Employees
    Third Parties
    Summary

    INFORMATION SECURITY POLICIES
    Policy Is the Cornerstone
    Why Implement an Information Security Policy
    Corporate Policies
    Organizationwide (Tier 1) Policies
    Employment
    Standards of Conduct
    Conflict of Interest
    Performance Management
    Employee Discipline
    Information Security
    Corporate Communications
    Workplace Security
    Business Continuity Plans (BCPs)
    Procurement and Contracts
    Records Management
    Asset Classification
    Organizationwide Policy Document
    Legal Requirements
    Duty of Loyalty
    Duty of Care
    Federal Sentencing Guidelines for Criminal Convictions
    The Economic Espionage Act of 1996
    The Foreign Corrupt Practices Act (FCPA)
    Sarbanes-Oxley (SOX) Act
    Health Insurance Portability and Accountability Act (HIPAA)
    Gramm-Leach-Bliley Act (GLBA)
    Business Requirements
    Definitions
    Policy
    Standards
    Procedures
    Guidelines
    Policy Key Elements
    Policy Format
    Global (Tier 1) Policy
    Topic
    Scope
    Responsibilities
    Compliance or Consequences
    Sample Information Security Global Policies
    Topic-Specific (Tier 2) Policy
    Thesis Statement
    Relevance
    Responsibilities
    Compliance
    Supplementary Information
    Application-Specific (Tier 3) Policy
    Summary

    ASSET CLASSIFICATION
    Introduction
    Overview
    Why Classify Information?
    What Is Information Classification?
    Where to Begin?
    Information Classification Category Examples
    Example 1
    Example 2
    Example 3
    Example 4
    Resist the Urge to Add Categories
    What Constitutes Confidential Information
    Copyright
    Employee Responsibilities
    Owner
    Information Owner
    Custodian
    User
    Classification Examples
    Classification: Example 1
    Classification: Example 2
    Classification: Example 3
    Classification: Example 4
    Declassification or Reclassification of Information
    Records Management Policy
    Sample Records Management Policy
    Information Handling Standards Matrix
    Printed Material
    Electronically Stored Information
    Electronically Transmitted Information
    Record Management Retention Schedule
    Information Classification Methodology
    Authorization for Access
    Owner
    Custodian
    User
    Summary

    ACCESS CONTROL
    Business Requirements for Access Control
    Access Control Policy
    User Access Management
    Account Authorization
    Access Privilege Management
    Account Authentication Management
    System and Network Access Control
    Network Access and Security Components
    System Standards
    Remote Access
    Operating System Access Controls
    Operating Systems Standards
    Change Control Management
    Monitoring System Access
    Event Logging
    Monitoring Standards
    Intrusion Detection Systems
    Cryptography
    Definitions
    Public Key and Private Key
    Block Mode, Cipher Block, and Stream Ciphers
    Cryptanalysis
    Sample Access Control Policy
    Summary

    PHYSICAL SECURITY
    Data Center Requirements
    Physical Access Controls
    Assets to be Protected
    Potential Threats
    Attitude toward Risk
    Sample Controls
    Fire Prevention and Detection
    Fire Prevention
    Fire Detection
    Fire Fighting
    Verified Disposal of Documents
    Collection of Documents
    Document Destruction Options
    Choosing Services
    Agreements
    Duress Alarms
    Intrusion Detection Systems
    Purpose
    Planning
    Elements
    Procedures
    Sample Physical Security Policy
    Summary

    RISK ANALYSIS AND RISK MANAGEMENT
    Introduction
    Frequently Asked Questions on Risk Analysis
    Why Conduct a Risk Analysis?
    When to Conduct a Risk Analysis?
    Who Should Conduct the Risk Analysis?
    How Long Should a Risk Analysis Take?
    What a Risk Analysis Analyzes
    What Can the Results of a Risk Analysis Tell an Organization?
    Who Should Review the Results of a Risk Analysis?
    How Is the Success of the Risk Analysis Measured?
    Information Security Life Cycle
    Risk Analysis Process
    Asset Definition
    Threat Identification
    Determine Probability of Occurrence
    Determine the Impact of the Threat
    Controls Recommended
    Documentation
    Risk Mitigation
    Control Categories
    Cost/Benefit Analysis
    Summary
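    The chapter outline above lists the steps of a risk analysis (asset definition, threat identification, probability of occurrence, impact) and closes with a cost/benefit analysis of recommended controls. The following is an added, illustrative example of how those steps fit together in a quantitative risk analysis; it is not code or data from the book, and every asset value, occurrence rate, exposure factor and control cost in it is a constructed figure chosen only to make the arithmetic visible.

```python
"""Quantitative risk analysis with control cost/benefit ranking.

Added example, not from the book. All figures are constructed
estimates: in a real analysis they come from the asset owners,
threat history and control vendors, and are the hard part.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float  # dollar value exposed if the asset is lost (constructed)


@dataclass
class Threat:
    name: str
    asset: str              # name of the asset the threat acts on
    aro: float              # annualized rate of occurrence (constructed)
    exposure_factor: float  # fraction of the asset value lost per event


@dataclass
class Control:
    name: str
    annual_cost: float
    # threat name -> fractional reduction of that threat's ARO (constructed)
    mitigates: Dict[str, float]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from one occurrence of the threat."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year = SLE x ARO."""
    return sle * aro


def baseline_ale(assets: List[Asset], threats: List[Threat]) -> Dict[str, float]:
    """ALE per threat with no additional controls in place."""
    values = {a.name: a.value for a in assets}
    return {
        t.name: annualized_loss_expectancy(
            single_loss_expectancy(values[t.asset], t.exposure_factor), t.aro)
        for t in threats
    }


def control_net_benefit(assets: List[Asset], threats: List[Threat],
                        control: Control) -> float:
    """Annual risk reduction the control buys, minus its annual cost.

    A control that only mitigates threats cheaper than itself
    comes out negative and should not be recommended on cost grounds.
    """
    before = baseline_ale(assets, threats)
    reduction = sum(before[name] * fraction
                    for name, fraction in control.mitigates.items()
                    if name in before)
    return reduction - control.annual_cost


def recommend_controls(assets: List[Asset], threats: List[Threat],
                       controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls with positive net benefit, best first."""
    scored = [(c.name, control_net_benefit(assets, threats, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed sample inventory (not real figures).
ASSETS = [Asset("Customer database", 500_000), Asset("Web server", 80_000)]
THREATS = [
    Threat("Ransomware on database", "Customer database", aro=0.2, exposure_factor=0.6),
    Threat("DoS on web server", "Web server", aro=2.0, exposure_factor=0.1),
    Threat("Insider data theft", "Customer database", aro=0.05, exposure_factor=0.8),
]
CONTROLS = [
    Control("Offline backups + restore testing", 15_000,
            {"Ransomware on database": 0.7}),
    Control("DDoS scrubbing service", 20_000, {"DoS on web server": 0.8}),
    Control("DLP and access review", 12_000,
            {"Insider data theft": 0.5, "Ransomware on database": 0.1}),
]

if __name__ == "__main__":
    for threat, ale in baseline_ale(ASSETS, THREATS).items():
        print(f"{threat:28s} ALE ${ale:>10,.0f}")
    for name, net in recommend_controls(ASSETS, THREATS, CONTROLS):
        print(f"recommend {name:36s} net benefit ${net:>9,.0f}")
```

    In this constructed data the DDoS scrubbing service is left out of the recommendation because its annual cost exceeds the expected loss it prevents; that is the cost/benefit decision the chapter outline refers to, and it is only as sound as the probability and impact estimates feeding it.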

    BUSINESS CONTINUITY PLANNING
    Overview
    Business Continuity Planning Policy
    Policy Statement
    Scope
    Responsibilities
    Compliance
    Conducting a Business Impact Analysis (BIA)
    Identify Sponsor(s)
    Scope
    Information Meeting
    Information Gathering
    Questionnaire Design
    Scheduling the Interviews
    Conducting Interviews
    Tabulating the Information
    Presenting the Results
    Preventive Controls
    Recovery Strategies
    Hot Site, Cold Site, Warm Site, Mobile Site
    Key Considerations
    People
    Communications
    Computing Equipment
    Facilities
    PLAN CONSTRUCTION, TESTING, AND MAINTENANCE
    Plan Construction
    Crisis Management Plan
    Plan Distribution
    Plan Testing
    Line Testing
    Walk-Through Testing
    Single Process Testing
    Full Testing
    Plan Testing Summary
    Plan Maintenance
    Sample Business Continuity Plan Policy
    Summary