
killmeyer jan - information security architecture

Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition




Availability: Not available or out of stock at the publisher


PRICE
85,98 €




Details

Genre: Book
Language: English
Publication: 01/2006
Edition: New edition, 2nd edition





Synopsis

Information Security Architecture, Second Edition incorporates the knowledge developed during the past decade that has pushed the information security life cycle from infancy to a more mature, understandable, and manageable state. It simplifies security by providing clear and organized methods and by guiding you to the most effective resources available. In addition to the components of a successful Information Security Architecture (ISA) detailed in the previous edition, this volume also discusses computer incident/emergency response. The book describes in detail every one of the eight ISA components. Each chapter provides an understanding of the component and details how it relates to the other components of the architecture. The text also outlines how to establish an effective plan to implement each piece of the ISA within an organization.

The second edition has been modified to provide security novices with a primer on general security methods. It has also been expanded to provide veteran security professionals with an understanding of issues related to recent legislation, information assurance, and the latest technologies, vulnerabilities, and responses.




Table of Contents

INFORMATION SECURITY ARCHITECTURE
Why an Architecture?; Client/Server Environments; Overview of Security Controls; The Strategic Information Technology (IT) Plan; Summary; Getting Started

SECURITY ORGANIZATION / INFRASTRUCTURE
Learning Objectives; The Security Organization; The Executive Committee for Security; The Chief Information Officer; The Chief Financial Officer; The Security Officer; The Security Team; Security Coordinators or Liaisons; Departmental Management; Network and Application Administrators; Human Resources; Legal Counsel; Help Desk; Audit; System Users; Centralized versus Decentralized Security Administration; Information and Resource Ownership; The Strategic Information Technology (IT) Plan; Chapter Summary; Getting Started: Project Management; Starcross, Inc.; Enterprisewide Information Security Architecture; Business Need; Approach, Scope, and Deliverables; Key Milestones; External Security Systems (ESS) Engagement Team; Engagement Management; Change Management Approach; Deliverables; Notes

SECURITY POLICIES, STANDARDS, AND PROCEDURES
Introduction; Learning Objectives; The Information Security Policy; Information Security Policy Acknowledgment Form; Network Usage Policy; E-Mail Policy; Internet Policy; Internet Risk; Process for Change; Security Standards; Standards Organizations; Security Procedures; Chapter Summary; Getting Started; Notes

SECURITY BASELINES AND RISK ASSESSMENTS
Information Security Assessment: A Phased Approach; High-Level Security Assessment (Section I); Assessing the Organization of the Security Function; Assessing the Security Plan; Assessing Security Policies, Standards, and Procedures; Assessing Risk-Related Programs; Security Operations (Section II); Security Monitoring; Computer Virus Controls; Microcomputer Security; Compliance with Legal and Regulatory Requirements; Computer Operations (Section III); Physical and Environmental Security; Backup and Recovery; Computer Systems Management; Problem Management; Application Controls Assessments; Access Controls; Separation (or Segregation) of Duties; Audit Trails; Authentication; Application Development and Implementation; Change Management; Database Security; Network Assessments; Emergency Response; Remote Access; Gateways Separating the Corporate WAN and Lines of Business; Current and Future Internet Connections; Electronic Mail and the Virtual Office; Placement of WAN Resources at Client Sites; Operating System Security Assessment; Windows NT; Telecommunications Assessments; Summary

SECURITY AWARENESS AND TRAINING PROGRAM
Program Objectives; Employees Recognize Their Responsibility for Protecting the Enterprise's Information Assets; Employees Understand the Value of Information Security; Employees Recognize Potential Violations and Know Who to Contact; The Level of Security Awareness among Existing Employees Remains High; Program Considerations; Effectiveness Is Based on Long-term Commitment of Resources and Funding; Benefits Are Difficult to Measure in the Short Term; Scoping the Target Audience; Effectively Reaching the Target Audience; Security Organizations; Summary; Getting Started - Program Development

COMPLIANCE
Level One Compliance: The Component Owner; Level Two Compliance: The Audit Function; Level Three Compliance: The Security Team; Line of Business (LOB) Security Plan; Enterprise Management Tools; Summary

PITFALLS TO AN EFFECTIVE ISA PROGRAM
Lack of a Project Sponsor and Executive Management Support; Executive-Level Responsibilities; Executive Management's Lack of Understanding of Realistic Risk; Lack of Resources; The Impact of Mergers and Acquisitions on Disparate Systems; Independent Operations throughout Business Units; Discord Between Mainframe versus Distributed Computing Cultures; Fostering Trust in the Organization; Mom-and-Pop Shop Beginnings; Third-Party and Remote Network Management; The Rate of Change in Technology; Summary; Getting Started

COMPUTER INCIDENT / EMERGENCY RESPONSE
Introduction; Learning Objectives; CERT®/CC; CSIRT Goals and Responsibilities; Reactive Services; Alerts and Warnings; Incident Handling; Vulnerability Handling; Artifact Handling; Incident Response Handling Methodology; Reporting; Incident Classification; Triage; Identification; Incident Analysis; Incident Response; Incident Response Coordination; Key Organizations; Containment; Eradication; Recovery; Notification; Development of the CSIRT; Issues in Developing a CSIRT; Funding; Management Buy-In; Staffing and Training; Policy Development; Legal Issues; Reevaluation of CSIRT Operations; Chapter Summary; Getting Started; Notes

CONCLUSION

APPENDIXES
Information Security Policy; Information Security Policy Acknowledgment Form; Network Computing Policy; E-Mail Security Policy; Internet Policy; Security Lists; Security Standards and Procedures Manual Table of Anti-Virus Update Procedure; Security Assessment Workplan; Applications Security Assessment; Network Security Assessment Workplan; Windows NT Assessment Workplan; Telecommunications Security Assessment Workplan; Computer Incidence/Emergency Response Plan; Sample Line of Business Security Plan; Intrusion Checklist










Additional Information

ISBN: 9780849315497

Condition: New
Dimensions: 9.25 x 6.25 in Ø 1.60 lb
Format: Hardcover
Illustration Notes: 9 b/w images and 20 tables
Arabic-numbered pages: 424

