book

Asset Protection through Security Awareness

by Tyler Justin Speed

April 2016

Intermediate to advanced

337 pages

8h 22m

English

Auerbach Publications

Read now

Unlock full access

Protecting Corporate AssetsProtective MeasuresTechnical Protective MeasuresPhysical Protective MeasuresPersonnel Protective MeasuresA Culture of Security AwarenessEducation Is KeyCreating the CultureAcknowledging Security IssuesAccepting ResponsibilityAssessing RiskCrafting Security PoliciesTraining at All LevelsCreating Benchmarks for SuccessSecurity AuditsEncouraging Secure OperationsBuilding a Security TeamPlanning for DisasterRemaining Dynamic
Industry StandardsPrivacy ConcernsVisual Data Privacy ProtectionAuditory Privacy ProtectionDigital Data PrivacyHealth Information ConcernsClient RecordsPassword ManagementCredit Card Compliance (PCI)General File ManagementFile Access ControlPhysical Access ControlExamples of Security Regulations and LawsFinancial InstitutionsIndustry-Specific Regulations
Empowering Security ProfessionalsTop-Down ApproachC-Level ManagersUpper ManagementMid-Level ManagersLow-Level ManagersEnd UsersA Workforce of Security Professionals

The “People” Portion of Information SecurityA Breakdown in Trust = A Breakdown in SecurityThe IS SpecialistAn Issue of CommunicationTwo Different WorldsDiplomacy—The IS Professional’s Best FriendSoftening the Security MessageThe IS ServantA Caretaker’s ApproachEnd Users Are Great Network MonitorsSuper-UsersThe End User’s Diplomatic Responsibility
What Is Privacy?Why Does Privacy Matter?Types of Private DataProprietary InformationCustomer RecordsEmployment RecordsHealth-Related InformationIndustry ResearchKeeping Files PrivateDigital DataPhysical DataManagement NotesVerbal DataPrivacy-Related Regulations and LawsGramm–Leach–Bliley (GLB) Financial Modernization Act of 1999—Year Enacted: 1999Health Insurance Portability and Accountability Act (HIPAA)—Year Enacted: 2003 (Final Ruling)Children’s Online Privacy Protection Act—Year Enacted: 1998Privacy Policies
Interdepartmental SecurityAdministrative PersonnelHuman Resources DepartmentAccounting DepartmentLegal DepartmentInformation Technology (IT) DepartmentPurchasingSales and Customer ServiceMarketing DepartmentManufacturingFacilities CrewShipping & Receiving DepartmentInterdepartmental IS Committee
Risk Management and Asset ProtectionData LossDisastersRisk ManagementRisk AnalysisDetermine the Single Loss Expectancy (SLE)Complete a Threat AnalysisCalculate Annual Loss Expectancy (ALE)Manage the Risk
What Is Social Engineering?Psychology of Social EngineeringRecognition of and Respect for AuthorityPoliteness, Professional Customs, and CourtesyConformity in the WorkplaceSocial Engineering Information Gathering MethodsDumpster DivingTailgatingShoulder SurfingPosing as an Employee
What Is an Incident?Incident Detection Types of Intrusion Detection System InstallationsProcess of Intrusion Detection SystemsIDS ConsiderationsIDS BenefitsIDS Drawbacks and WeaknessesIncident ResponseComputer Security Incident Response TeamsCSIRT ManualTypes of CSIRT TeamsResponse to EventsPreparedness Is KeyRecognizing ScopeManagement of OccurrencesEvent PostmortemsRecommendations for ImprovementsLaw Enforcement Liaisons
Human-Caused IncidentsAccidental SpillsAccidental DestructionAccidental Transport DamageServer Room AccidentsIntentional DestructionPhysical Security MeasuresPerimeter FencesSecurity SystemsDoor LocksCamerasSecurity GuardsCheckpointsConstruction ConsiderationsWeather/Natural DisastersWindstormsFloodsFires
PCI ComplianceGoal of PCI DSSWho Must Adhere to PCI Compliance?Who Is Authorized to Perform PCI Security Scans?The Five Levels of PCI ComplianceLevel 1 ComplianceLevel 2 ComplianceLevel 3 ComplianceLevel 4 ComplianceLevel 5 CompliancePCI DSS OverviewCategory 1. Protect and Maintain a Secure NetworkCategory 2: Protect Cardholder DataCategory 3: Maintain a Vulnerability Management ProgramCategory 4: Implement Strong Access Control MeasuresCategory 5: Regularly Monitor and Test NetworksCategory 6: Maintain an Information Security PolicyA Good Place to Start
Evaluation of Critical Systems and ResourcesPrioritization of Critical Systems and ResourcesIdentify Threats Posed to Critical Systems and ResourcesAssign Business Continuity ResponsibilitiesDevelop the Continuity Planning Policy StatementWhat Should the Continuity Planning Statement Include?Listing Critical FunctionsDevelop Recovery PrioritiesIdentify Preventive ControlsDevelop Recovery StrategiesDevelop the Contingency PlanKey PersonnelKey ResourcesImplement Business Continuity PlanMaintain the PlanTrain According to Business Continuity Plan Objectives
User AuthenticationCryptosystemsCryptographic HashingData CompressionSymmetric and Asymmetric KeysPublic Key InfrastructureCertificate AuthorityRegistration AuthorityX.509 or PKIXKey ManagementPKI VendorsWeb of TrustPretty Good Privacy
AcquireChain of CustodyIdentificationCryptographyDigital Forensic ToolsEvidence PreservationAuthenticateAnalyzeThe Digital Investigator
VirusesWormsFamous WormsProtecting Against WormsKeyloggersRootkitsSpywareAdwareTrojan HorsesTypes of Antivirus ProgramsSignature-Based ScanningBehavior-Based ScanningMemory Resident DetectionInoculationDetecting and Removing VirusesStart-Up DetectionRestore PointsRecommended Antivirus ProgramsSpybot - Search and Destroy (Spybot-S&D)Lavasoft’s Ad-AwareHijackthisAVG Technologies’ Anti-Virus Free Edition (AVG Free)Software Updates
Planning Versus Reactionary Response (Or—Why It’s Important to Have a Security Plan)No Cost AnalysisIncomplete ControlsCompounded Security IssuesDon’t Wait to PlanImportance of a Security PolicySetting Goals and Measuring SuccessDaily OperationsSecurity AwarenessResources for Crafting Security PoliciesCrafting the PolicyThe Team of Policy CraftersManagement SupportStandards, Policies, Procedures, and ControlsStandardsPoliciesProceduresControlsAccessibility, Supportability, and ClarityAccessibilitySupportabilityClarityAssessing the Organization’s Network InfrastructureAssessing/Categorizing AssetsSecurity Policy Structure OutlineDistribution of the PolicyPhysical DistributionDigital Distribution
The NecessityAudit CommitteesInternal Versus External AuditorsPreaudit ConsiderationsSecurity PolicyDefining Security RulesDefinition of User RequirementsPerforming a Risk AssessmentIdentify All Network AssetsList All ThreatsList VulnerabilitiesDetermine Threat Occurrence FrequencyPerform Threat AnalysisDetermine CountermeasuresDetermine Uncovered AssetsBuild the Security ArchitectureMigration of Security ArchitectureEvaluate Security MeasuresManaging Security ImplementationsHow Frequently Should Audits Be Performed?
AccountabilityIdentification and AuthenticationSomething a User HasSomething a User KnowsSomething a User IsSomewhere a User IsDual Factor AuthenticationAuthorizationDifferent Access Control MethodologiesRole-Based Access ControlMandatory Access ControlDiscretionary Access Control
Checklist for Creating a Security PolicyNetwork Inventory ChecklistPhysical Security Checklist

Content preview from Asset Protection through Security Awareness

17 Performing Security Analyses and Audits

DOI: 10.1201/b11355-17

I don’t think there’s a company, a management, an audit committee that hasn’t gone back and re-looked at what they’re doing. . . . People are really scrutinizing and (want to) really make sure their houses are in order and clean.

William Esrey

An information security audit is a formal process, performed by a qualified unbiased entity, that analyzes the current state of network security. More than just passively observing network characteristics and then checking off boxes to ensure certain technical measures and controls are in place, an audit should be an active process, offering solutions to current network issues. Auditors are not in the business of catching people failing ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Physical Security and Safety

Truett A. Ricks, Bobby E. Ricks, Jeffrey Dingle

Security and Privacy in Cyber-Physical Systems

Houbing Song, Glenn A. Fink, Sabina Jeschke

Securing the Virtual Environment: How to Defend the Enterprise Against Attack, Included DVD

Davi Ottenheimer, Matthew Wallace

Advanced Persistent Training : Take Your Security Awareness Program to the Next Level

Jordan Schroeder

Publisher Resources

ISBN: 9781439809839