1st Edition

The Executive MBA in Information Security

By John J. Trinckes, Jr. Copyright 2010
    352 pages, 25 B/W illustrations
    Published by CRC Press

According to the Brookings Institution, an organization’s information and other intangible assets account for over 80 percent of its market value. As the primary sponsors and implementers of information security programs, those in key leadership positions must possess a solid understanding of the constantly evolving fundamental concepts of information security management. Developing this knowledge and keeping it current, however, requires time and energy that busy executives like you simply don’t have.

Supplying a complete overview of key concepts, The Executive MBA in Information Security provides the tools needed to ensure your organization has an effective and up-to-date information security management program in place. This one-stop resource provides a ready-to-use security framework you can use to develop workable programs and includes proven tips for avoiding common pitfalls—so you can get it right the first time.

    Allowing for quick and easy reference, this time-saving manual provides those in key leadership positions with a lucid understanding of:

    • The difference between information security and IT security
    • Corporate governance and how it relates to information security
    • Steps and processes involved in hiring the right information security staff
    • The different functional areas related to information security
    • Roles and responsibilities of the chief information security officer (CISO)

    Presenting difficult concepts in a straightforward manner, this concise guide allows you to get up to speed, quickly and easily, on what it takes to develop a rock-solid information security management program that is as flexible as it is secure.


    Preface

    Acknowledgments

    The Author

    Contributors

    Information Security Overview

    Information Security Management

    What Is Information Security?

    Responsibilities

    Organization

    Functions

    Ideal Traits of an Information Security Professional

    Certification Requirements

    Recruiting

    Screening

    Interviewing

    Reference Checks

    Retention

    Trust and Loyalty

    Why Is Information Security Important?

    Information Security Concepts

    Laws of Security

    Information Security Requirements

    Interrelationship of Regulations, Policies, Standards, Procedures, and Guidelines

    Regulations

    Sarbanes–Oxley Act

    Gramm–Leach–Bliley Act

    Health Insurance Portability and Accountability Act

    Federal Financial Institutions Examination Council

    Payment Card Industry (PCI) Data Security Standard

    Common Elements of Compliance

    Security Controls

    Industry Best Practice Guidelines

    Standards

    Measurement Techniques

Control Objectives for Information and Related Technology (COBIT)

    ISO 27002 Overview

    Capability Maturity Model (CMM)

    Generally Accepted Information Security Principles (GAISP)

    Common Pitfalls of an Effective Information Security Program

    Defense in Depth

    Managing Risks

    Risk Management

    System Characterization

    Threat Identification

Vulnerability Identification and Categorization

    Control Analysis

    Likelihood Rating

    Impact Rating (Premitigation)

    Risk Determination

    Recommendations

    Technical Evaluation Plan (TEP)

    Methodology Overview

    Role of Common Vulnerabilities and Exposures (CVE)

    Executive Summary

    Follow-Up

    Tracking

    Conflict Resolution

    Test Plans

    Physical Security

    Access Control Systems and Methods

    Discretionary Access Controls (DACs)

    Mandatory Access Controls (MACs)

    Nondiscretionary Access Controls

    Administrative Access Controls

    Physical Access Controls

    Technical Access Controls

    Logical Access Controls

    Common Access Control Practices

    Auditing

    Physical Security

    Social Engineering

    Phishing

    Pharming

    Vishing

    Passive Information Gathering

    Active Information Gathering

    Covert Testing

    Clean Desk Policy

    Dumpster Diving

    Business Continuity Plans and Disaster Recovery

    Business Continuity

    Phase 1—Project Management and Initiation

    Phase 2—Business Impact Analysis

    Phase 3—Recovery Strategies

    Phase 4—Plan, Design, and Develop

Phase 5—Testing, Maintenance, and Awareness Training

    Complications to Consider in BCP

    Disaster Recovery

    Business

    Facilities and Supplies

    Users

    Technology

    Data

    Event Stages

    Disaster Recovery Testing

    Business Continuity Planning and Disaster Recovery Training

    Administrative Controls

    Change Management

    Request Phase

    Process Phase

    Release Phase

    Change Management Steps

    Computer Forensics

    Computer Investigation Model

    Incident Management

    Reporting Information

    Steps

    Notification

    Incident Details

    Incident Handler

    Actions to Date

    Recommended Actions

    Laws, Investigations, and Ethics

    Laws

    Investigations

    Ethics

    Operations Security

    OPSEC Controls

    Separation of Duties

    Job Rotation

    Least Privileges

    Records Retention

    Federal Rules of Civil Procedure

    Security Awareness Training

    A Cracker’s Story

    Security Management Practices

    Security Countermeasures

Service Providers, Service-Level Agreements, and Vendor Reviews

    Vendor Relationship Policy

    Service-Level Agreements

    Vendor Reviews

    Managing Security Risks in Vendor Relationships

    Due Diligence: The First Tool

    Key Contractual Protections: The Second Tool

Information Security Requirements Exhibit: The Third Tool

    Technical Controls

    Host Security

    System Hardening Checklist

    Host Services

    Other Host Security Controls

    Malware Protection

    Viruses, Worms, and Backdoors

    DAT Signatures

    Multimedia Devices

    Network Security

    Seven Layers of the OSI Model

    Other Layers

    Protocol Data Units

    TCP/IP Model

    Decimal, Binary, and Hexadecimal Compared

    Network Addressing

    Network Security Controls

    Passwords

    Patch or Vulnerability Management

    Application Controls

    Application and System Development

    e-Mail

    Encryption

    Private Key Encryption (Symmetric Key Encryption)

    Choosing a Symmetric Key Cryptography Method

Public Key Encryption (Asymmetric Key Encryption)

    Choosing an Asymmetric Key Cryptography Method

    Digital Signature

    One-Way Encryption

    e-Mail Encryption

    Choosing e-Mail Encryption

    Internet Encryption

    Choosing an Internet Security Method

    Encrypting Hard Drives

    Encryption Attacks

    Multifactor Authentication

    Perimeter Controls

    Security Architecture

    Internal Controls

    External Controls

    Telecommunications Security

    Voice over IP Security

    Virtual Private Network

    Wireless Security

    Web Filtering

    Audit and Compliance

    Audit and Compliance

    Information Security Governance Metrics

    Testing—Vulnerability Assessment

    Appendix A: Information Security Policy

    Appendix B: Technology Resource Policy

    Appendix C: Log-on Warning Banner

    Appendix D: Penetration Test Waiver

    Appendix E: Tools

    Appendix F: How to Report Internet Crime

    Acronyms

    MyISAT

    Web References

    Index

    Biography

    John J. Trinckes Jr.