Free standard shipping on all orders

Assessing and Managing Security Risk in IT Systems: A Structured Methodology book cover

1st Edition

Assessing and Managing Security Risk in IT Systems A Structured Methodology

By John McCumber Copyright 2004
    288 Pages 35 B/W Illustrations
    by Auerbach Publications

    288 Pages
    by Auerbach Publications
    VitalSource Logo Learn about VitalSource eBooks Opens popup
    Also available as eBook on:

    Assessing and Managing Security Risk in IT Systems: A Structured Methodology builds upon the original McCumber Cube model to offer proven processes that do not change, even as technology evolves. This book enables you to assess the security attributes of any information system and implement vastly improved security environments.

    Part I delivers an overview of information systems security, providing historical perspectives and explaining how to determine the value of information. This section offers the basic underpinnings of information security and concludes with an overview of the risk management process.

    Part II describes the McCumber Cube, providing the original paper from 1991 and detailing ways to accurately map information flow in computer and telecom systems. It also explains how to apply the methodology to individual system components and subsystems.

    Part III serves as a resource for analysts and security practitioners who want access to more detailed information on technical vulnerabilities and risk assessment analytics. McCumber details how information extracted from this resource can be applied to his assessment processes.

    SECURITY CONCEPTS

    Using Models
    Introduction: Understanding, Selecting, and Applying Models
    Understanding Assets
    Layered Security
    Using Models in Security
    Security Models for Information Systems
    Shortcomings of Models in Security
    Security in Context
    Reference

    Defining Information Security
    Confidentiality, Integrity, and Availability
    Information Attributes
    Intrinsic versus Imputed Value
    Information as an Asset
    The Elements of Security
    Security Is Security Only in Context

    Information as an Asset
    Introduction
    Determining Value
    Managing Information Resources
    References

    Understanding Threat and Its Relation to Vulnerabilities
    Introduction
    Threat Defined
    Analyzing Threat
    Assessing Physical Threats
    Infrastructure Threat Issues

    Assessing Risk Variables: The Risk Assessment Process
    Introduction
    Learning to Ask the Right Questions about Risk
    The Basic Elements of Risk in IT Systems
    Information as an Asset
    Defining Threat for Risk Management
    Defining Vulnerabilities for Risk Management
    Defining Safeguards for Risk Management
    The Risk Assessment Process

    THE McCUMBER CUBE METHODOLOGY

    The McCumber Cube
    Introduction
    The Nature of Information
    Critical Information Characteristics
    Confidentiality
    Integrity
    Availability
    Security Measures
    Technology
    Policy and Practice
    Education, Training, and Awareness (Human Factors)
    The Model
    References

    Determining Information States and Mapping
    Information Flow
    Introduction
    Information States: A Brief Historical Perspective
    Automated Processing: Why Cryptography Is Not Sufficient
    Simple State Analysis
    Information States in Heterogeneous Systems
    Boundary Definition
    Decomposition of Information States
    Developing an Information State Map
    Reference

    Decomposing the Cube for Security Enforcement
    Introduction
    A Word about Security Policy
    Definitions
    The McCumber Cube Methodology
    The Transmission State
    The Storage State
    The Processing State
    Recap of the Methodology

    Information State Analysis for Components and
    Subsystems
    Introduction
    Shortcomings of Criteria Standards for Security Assessments
    Applying the McCumber Cube Methodology for Product
    Assessments
    Steps for Product and Component Assessment
    Information Flow Mapping
    Cube Decomposition Based on Information States
    Develop Security Architecture
    Recap of the Methodology for Subsystems, Products, and
    Components
    References

    Managing the Security Life Cycle
    Introduction

    Safeguard Analysis
    Introduction
    Technology Safeguards
    Procedural Safeguards
    Human Factors Safeguards
    Assessing and Managing Security Risk in IT Systems
    Vulnerability-Safeguard Pairing
    Hierarchical Dependencies of Safeguards
    Security Policies and Procedural Safeguards
    Developing Comprehensive Safeguards: The Lessons of the Shogun
    Identifying and Applying Appropriate Safeguards
    Comprehensive Safeguard Management: Applying the
    McCumber Cube
    The ROI of Safeguards: Do Security Safeguards Have a Payoff?

    Practical Applications of McCumber Cube Analysis
    Introduction
    Applying the Model to Global and National Security Issues
    Programming and Software Development
    Using the McCumber Cube in an Organizational Information
    Security Program
    Using the McCumber Cube for Product or Subsystem Assessment
    Using the McCumber Cube for Safeguard Planning and Deployment
    Tips and Techniques for Building Your Security Program
    Establishing the Security Program: Defining You
    Avoiding the Security Cop Label
    Obtaining Corporate Approval and Support
    Creating Pearl Harbor Files
    Defining Your Security Policy
    Defining What versus How
    Security Policy: Development and Implementation
    Reference

    SECTION III APPENDICES

    Vulnerabilities
    Risk Assessment Metrics
    Diagrams and Tables
    Other Resources

    Biography

    John McCumber

    Add to Cart