1st Edition
Enterprise Architecture and Information Assurance: Developing a Secure Foundation
Securing against operational interruptions and the theft of your data is much too important to leave to chance. By planning for the worst, you can ensure your organization is prepared for the unexpected. Enterprise Architecture and Information Assurance: Developing a Secure Foundation explains how to design complex, highly available, and secure enterprise architectures that integrate the most critical aspects of your organization's business processes.
Filled with time-tested guidance, the book describes how to document and map the security policies and procedures needed to ensure cost-effective organizational and system security controls across your entire enterprise. It also demonstrates how to evaluate your network and business model to determine whether they fit well together. The book’s comprehensive coverage includes:
- Infrastructure security model components
- Systems security categorization
- Business impact analysis
- Risk management and mitigation
- Security configuration management
- Contingency planning
- Physical security
- The certification and accreditation process
To help you understand how to reduce and mitigate security liabilities, the book provides sample rules of engagement, lists of NIST and FIPS references, and a sample certification statement. Coverage includes network and application vulnerability assessments, intrusion detection, penetration testing, incident response planning, risk mitigation audits and reviews, and business continuity and disaster recovery planning.
The book explains why security must come first. By following the procedures it outlines, you will gain an understanding of your infrastructure and of what requires further attention.
Setting the Foundation
Building the Enterprise Infrastructure
Security Categorization Applied to Information Types
Security Categorization Applied to Information Systems
Minimum Security Requirements
Specifications for Minimum Security Requirements
Security Control Selection
Infrastructure Security Model Components
Developing the Security Architecture Model
Dataflow Defense
Data in Transit, Data in Motion, and Data at Rest
Network
Client-Side Security
Server-Side Security
Strategy vs. Business Model
Security Risk Framework
Systems Security Categorization
System Security Categorization Applied to Information Types
Application of System Security Controls
Minimum Security Requirements
System Security Controls
Business Impact Analysis
Objectives of the Business Impact Analysis
Developing the Project Plan
BIA Process Steps
Performing the BIA
Gathering Information
Performing a Vulnerability Assessment
Analyzing the Information
Documenting the Results and Presenting the Recommendations
Risk
Risk Management
Risk Framework
Risk Assessment or Evaluation
Risk Mitigation and Response
Risk Monitoring
Risk Assessment
Secure Configuration Management
Phases of Security-Focused Configuration Management
Security Configuration Management Plan
Coordination
Configuration Control
Change Control Board (CCB) or Technical Review Board (TRB)
Configuration Items
Baseline Identification
Functional Baseline
Design Baseline
Development Baseline
Product Baseline
Roles and Responsibilities
Change Control Process
Change Classifications
Change Control Forms
Problem Resolution Tracking
Measurements
Configuration Status Accounting
Configuration Management Libraries
Release Management (RM)
Configuration Audits
Functional Configuration Audit
Physical Configuration Audit
Tools
Training
Training Approach
Contingency Planning
Types of Plans
Business Continuity Plan (BCP)
Continuity of Operations (COOP) Plan
Cyber Incident Response Plan
Disaster Recovery Plan (DRP)
Contingency Plan (CP)
Occupant Emergency Plan (OEP)
Crisis Communications Plan
Backup Methods and Off-Site Storage
Cloud Computing
Essential Characteristics
Service Models
Continuous Monitoring
Continuous Monitoring Strategy
Organization (Tier 1) and Mission/Business Processes (Tier 2) Continuous Monitoring Strategy
Information System (Tier 3) Continuous Monitoring Strategy
Process Roles and Responsibilities
Define Sample Populations
Continuous Monitoring Program
Determine Metrics
Monitoring and Assessment Frequencies
Considerations in Determining Assessment and Monitoring Frequencies
Physical Security
Security Level (SL) Determination
Threat Factors/Criteria
Building Security Level Matrix
Building Security Level Scoring Criteria
Mission/Business
Public Impact
Building Occupants
Building Square Footage
Impact on Tenants
Other Factors
Level E Facilities
Campuses, Complexes, and Corporate or Commercial Centers
Changes in the Building Security Level
Building Security
Illumination
Lighting for CCTV Surveillance
Building Security Levels
Minimum Security Standards
Entry Security
Interior Security
Security Planning
The Certification and Accreditation Process
Accreditation Decisions
Continuous Monitoring
General Process Phase I
Security Categorization
System Security Plans (SSPs)
Risk Assessments (RAs)
Contingency Plans (CPs)
Security Control Compliance Matrix (SCCM)
Standard Operating Procedures (SOPs)
Privacy Impact Assessment (PIA)
Configuration Management Plan (CMP)
Service Level Agreements (SLAs)
General Process Phase II: Security Test and Evaluation (ST&E)
Develop the Security Test and Evaluation (ST&E) Plan
Execute the ST&E Plan
Create the ST&E Report and Recommend Countermeasures
Update the Risk Assessment
Update the Security Plan
Document Certification Findings
General Management and Methodologies
Employed Methodologies
Internal Review Procedures
End-State Security Model
Appendix A: List of References (NIST)
Appendix B: List of References (FIPS)
Appendix C: Sample Certification Statement
Appendix D: Sample Rules of Engagement
Biography
James A. Scholz is a veteran who served 20 years in the US Army. As a soldier he served as an explosive ordnance disposal technician for 17 years (10 years stationed at Fort Leonard Wood, Missouri), and part of his responsibilities was to ensure the security of Presidents, Vice Presidents, and foreign dignitaries as they traveled throughout the nation and abroad. James was awarded the Bronze Star for Valor, a Bronze Star, multiple Meritorious Service Medals, and the South West Asia Campaign Medal.
James served as the single responsible person for a $1.8 million budget and as a Class "A" Agent for the US Army overseas. James served as a Reserve Deputy Sheriff and a Crime Scene Technician with the El Paso County Sheriff’s Department, Texas, from 1993 through 1996. James is President and CEO of a service-disabled veteran-owned small business that provides disaster recovery, business continuity, physical security, and logical security services to federal agencies. James has 31 years' experience working with the federal government at all levels and has supported many rural towns in Missouri during his career as an explosive ordnance disposal technician.