book

Information Assurance Handbook: Effective Computer Security and Risk Management Strategies

by Corey Schou, Steven Hernandez

September 2014

Intermediate to advanced

480 pages

14h 47m

English

McGraw-Hill

Read now

Unlock full access

Cover
Title
Copyright Page
Dedication
Contents
Foreword
Acknowledgments
Introduction
Part I Information Assurance Basics
Chapter 1 Developing an Information Assurance Strategy
ComprehensiveIndependentLegal and Regulatory RequirementsLiving DocumentLong Life SpanCustomizable and PragmaticRisk-Based ApproachOrganizationally SignificantStrategic, Tactical, and OperationalConcise, Well-Structured, and ExtensibleCritical Thinking Exercises

Chapter 2 The Need for Information Assurance
Protection of Critical and Sensitive AssetsCompliance to Regulations and Circulars/LawsMeeting Audit and Compliance RequirementsProviding Competitive AdvantageCritical Thinking Exercises
Chapter 3 Information Assurance Principles
The MSR Model of Information AssuranceInformation AssuranceInformation SecurityInformation ProtectionCybersecurityInformation Assurance: Business EnablerInformation Assurance: Protects the Fabric of an Organization’s SystemsInformation Assurance: Cost Effective and Cost BeneficialInformation Assurance: Shared ResponsibilitiesInformation Assurance: Robust ApproachInformation Assurance: Reassessed PeriodicallyInformation Assurance: Restricted by Social ObligationsImplications from Lack of Information AssurancePenalties from a Legal/Regulatory AuthoritiesLoss of Information AssetsOperational Losses and Operational Risk ManagementCustomer LossesLoss of Image and ReputationFurther ReadingCritical Thinking Exercises
Chapter 4 Information Assurance Concepts
Defense in DepthConfidentiality, Integrity, and Availability ConfidentialityIntegrityAvailabilityCIA BalanceNonrepudiation and AuthenticationNonrepudiationIdentification, Authentication, Authorization, and AccountabilityIdentificationAuthenticationAuthorizationAccountabilityPrivacy’s Relationship to Information AssuranceAssets, Threats, Vulnerabilities, Risks, and ControlsCommon ThreatsVulnerabilitiesControlsCryptologyCodes and CiphersFurther ReadingCritical Thinking Exercises
Chapter 5 Organizations Providing Resources for Professionals
Organizations Providing Resources for Professionals(ISC)2 International Information System Security Certification ConsortiumComputing Technology Industry AssociationInformation System Audit and Control AssociationInformation System Security AssociationSANS InstituteDisaster Recovery Institute, InternationalBusiness Continuity InstituteDeciding Among CertificationsCodes of EthicsFurther ReadingCritical Thinking Exercises
Chapter 6 Information Assurance Management System
Security Considerations for the Information Asset Life CyclePlan-Do-Check-Act ModelPlanDoCheckActBoyd’s OODA LoopThe Kill ChainFurther ReadingCritical Thinking Exercises
Chapter 7 Current Practices, Regulations, and Plans for Information Assurance Strategy
Due Care and Due DiligenceDue CareDue DiligenceSpecific Laws and RegulationsComputer LawsIntellectual Property LawPrivacy LawsInternational Laws and ActsStandards and Best PracticesFurther ReadingCritical Thinking Exercise
Part II Information Assurance Planning Process
Chapter 8 Approaches to Implementing Information Assurance
Key Components of Information Assurance ApproachesLevels of Controls in Managing SecurityTop-Down ApproachBottom-Up ApproachOutsourcing and the CloudBalancing Information Assurance and Associated CostsFurther ReadingCritical Thinking Exercises
Chapter 9 Organizational Structure for Managing Information Assurance
Importance of Managing Information Assurance as a ProgramStructure of an Information Assurance OrganizationInformation Assurance StaffingRoles and ResponsibilitiesSenior ManagementInformation Assurance UnitsTechnology and Service ProvidersUsersOrganizational MaturityInformation Technology Infrastructure LibraryCapability Maturity ModelOrganizational Change Maturity ModelOutsourcing and Cloud ComputingFurther ReadingCritical Thinking Exercises
Chapter 10 Asset Management
Types of AssetsResponsibilities for AssetsInventory of AssetsOwnership of AssetsAcceptable Use of AssetsInformation Classification and HandlingClassification GuidelinesInformation Labeling and HandlingInformation Classification (Categorization) ExampleFurther ReadingCritical Thinking Exercises
Chapter 11 Information Assurance Risk Management
Benefits of Risk ManagementRisk Management ProcessBackground PlanningAsset AnalysisThreat AnalysisVulnerability AnalysisRisk IdentificationRisk AnalysisRisk TreatmentMonitoring RiskIntegration with Other Management PracticesFurther ReadingCritical Thinking Exercises
Chapter 12 Information Assurance Policy
Importance of PolicyPolicy and Other Governance FunctionsPolicy in Relation to StandardsPolicy in Relation to GuidelinesPolicy in Relation to ProceduresPolicy Development StepsInformation GatheringPolicy Framework DefinitionPolicy DevelopmentReview and ApprovalEnforcementPolicy LayoutFurther ReadingCritical Thinking Exercises
Chapter 13 Human Resource Assurance
RecruitmentInclude Security in Job Scope/DescriptionDefined Level of Confidentiality or SensitivityFilling the PositionUse of Legal Documents to Protect InformationEmploymentSupervisory ControlsRotation of DutiesMonitoring and Privacy ExpectationsPeriodic MonitoringEmployee Training and AwarenessDisciplinary ProcessTermination or Change of EmploymentFurther ReadingCritical Thinking Exercises
Chapter 14 Advantages of Certification, Accreditation, and Assurance
Concepts and DefinitionsPurpose of Certification and AccreditationPrimary Roles for Supporting Certification and AccreditationCertification and Accreditation ProcessCertification BaselinesConsiderations for Product Evaluation, Certification, and AccreditationFurther ReadingCritical Thinking Exercises
Part III Risk Mitigation Process
Chapter 15 Information Assurance in System Development and Acquisition
Benefits of Incorporating Security ConsiderationsOverview of the System Development Life CycleInformation Assurance in the System Development Life CycleInformation Assurance in the System or Service Acquisition Life CycleSystem DevelopmentSystem AcquisitionChange ManagementConfiguration ManagementFurther ReadingCritical Thinking Exercises
Chapter 16 Physical and Environmental Security Controls
BenefitsPhysical and Environmental Security ControlsPhysical Security of Premises and OfficesHandling of MediaManagement of Removable MediaDisposal of MediaFurther ReadingCritical Thinking Exercises
Chapter 17 Information Assurance Awareness, Training, and Education (AT&E)
Purpose of the AT&E ProgramBenefits of the AT&E ProgramDesign, Development, and Assessment of ProgramsTypes of Learning ProgramsInformation Assurance AwarenessInformation Assurance TrainingInformation Assurance EducationFurther ReadingCritical Thinking Exercises
Chapter 18 Preventive Information Assurance Tools
Preventive Information Assurance ToolsContent FiltersCryptographic Protocols and ToolsFirewallsNetwork Intrusion Prevention SystemProxy ServersPublic Key InfrastructureVirtual Private NetworksPreventive Information Assurance ControlsBackupsChange Management and Configuration ManagementIT SupportMedia Controls and DocumentationPatch ManagementFurther ReadingCritical Thinking Exercises
Chapter 19 Access Control
Access Control: The BenefitsAccess Control TypesAccess Control ModelsAccess Control TechniquesRule-Based Access ControlAccess Control MatrixAccess Control ListsCapability TablesConstrained User InterfacesContent-Dependent Access ControlContext-Dependent Access ControlAccess Control AdministrationCentralized Access Control AdministrationDecentralized Access Control AdministrationFurther ReadingCritical Thinking Exercises
Part IV Information Assurance Detection and Recovery Processes
Chapter 20 Information Assurance Monitoring Tools and Methods
Intrusion Detection SystemsHost Intrusion Detection SystemNetwork Intrusion Detection SystemLog Management ToolsSecurity Information and Event Management (SIEM)Honeypot/HoneynetMalware DetectionSignature DetectionChange DetectionState DetectionVulnerability ScannersVulnerability Scanner StandardsHost-Based ScannerNetwork-Based ScannerDatabase Vulnerability ScannerDistributed Network ScannerPenetration TestExternal Penetration TestInternal Penetration TestWireless Penetration TestPhysical ControlsPersonnel Monitoring ToolsNetwork SurveillanceThe Concept of Continuous Monitoring and AuthorizationFurther ReadingCritical Thinking Exercises
Chapter 21 Information Assurance Measurements and Metrics
Importance of Information Assurance MeasurementInformation Assurance Measurement ProcessDevelop MeasurementsCollect DataAnalyze and ReportIntegrate Measurement OutputImprove Measurement ProcessImportance of Information Assurance MetricsInformation Assurance Metrics ProgramData Collection PreparationData Collection and AnalysisCorrective Action IdentificationBusiness Case DevelopmentCorrective Action ApplicationsFurther ReadingCritical Thinking Exercises
Chapter 22 Incident Handling
Importance of Incident HandlingIncident ReportingIncident Handling ProcessPhase 1: PreparationPhase 2: Detection/IdentificationPhase 3: ContainmentPhase 4: EradicationPhase 5: RecoveryPhase 6: ReviewFurther ReadingCritical Thinking Exercises
Chapter 23 Computer Forensics
Importance of Computer ForensicsPrerequisites of a Computer Forensic ExaminerForensic SkillsSupplemental Forensic SkillsRules of Computer ForensicsChain of CustodyComputer Forensic StepsRules of EvidenceComputer Forensics TeamsEstablishing a Computer Forensics TeamFurther ReadingCritical Thinking Exercises
Chapter 24 Business Continuity Management
Importance of Business Continuity ManagementCritical Success Factors for BCM ImplementationBusiness Continuity Management ProcessesStage 1: Recognize BCP Is EssentialStage 2: Identify the Business NeedsStage 3: Develop BCM StrategiesStage 4: Developing and Implementing a BCM ResponseStage 5: Developing a BCM CultureStage 6: Execute, Test, Maintain, and AuditBusiness Continuity in the CloudFurther ReadingCritical Thinking Exercises
Chapter 25 Backup and Restoration
Importance of BackupBackup ConsiderationsBackup SolutionsMediaBackup InfrastructureBackup SoftwareTypes of BackupSchedulingRetentionTape MediaAdministrationRestoration of DataBYOD and Cloud BackupsFurther ReadingCritical Thinking Exercises
Part V Application of Information Assurance to Select Industries
Chapter 26 Healthcare
Overview of Information Assurance ApproachHealthcare-Specific TerminologyInformation Assurance ManagementPersonnelManagement ApproachRegulations and Legal RequirementsInformation Assurance Risk ManagementAssetsThreatsVulnerabilitiesRisk AssessmentRisk MitigationPolicy, Procedures, Standards, and GuidanceHuman ResourcesCertification, Accreditation, and AssuranceInformation Assurance in System Development and AcquisitionPhysical and Environmental Security ControlsAwareness, Training, and EducationAccess ControlContinuous Monitoring, Incident Response, and ForensicsBusiness Continuity and BackupsFurther ReadingCritical Thinking Exercises
Chapter 27 Retail
Overview of the Information Assurance ApproachInformation Assurance ManagementPersonnelManagement ApproachRegulations and Legal RequirementsInformation Assurance Risk ManagementAssetsThreatsVulnerabilitiesRisk AssessmentRisk MitigationPolicy, Procedures, Standards, and GuidanceHuman ResourcesCertification, Accreditation, and AssuranceInformation Assurance: System Development and AcquisitionPhysical and Environmental Security ControlsAwareness, Training, and EducationAccess ControlContinuous Monitoring, Incident Response, and ForensicsBusiness Continuity and BackupsFurther ReadingCritical Thinking Exercises
Chapter 28 Industrial Control Systems
Overview of the Information Assurance ApproachIndustrial Control–Specific LanguageInformation Assurance ManagementPersonnelManagement ApproachRegulations and Legal RequirementsInformation Assurance Risk ManagementAssetsThreatsVulnerabilitiesRisk AssessmentRisk MitigationPolicy, Procedures, Standards, and GuidanceCertification, Accreditation, and AssuranceHuman ResourcesInformation Assurance in System Development and AcquisitionPhysical and Environmental Security ControlsAwareness, Training, and EducationAccess ControlContinuous Monitoring, Incident Response, and ForensicsBusiness Continuity and BackupsFurther ReadingCritical Thinking Exercises
Part VI Appendixes
A Suggestions for Critical Thinking Exercises
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14Chapter 15Chapter 16Chapter 17Chapter 18Chapter 19Chapter 20Chapter 21Chapter 22Chapter 23Chapter 24Chapter 25Chapter 26Chapter 27Chapter 28
B Common Threats
Threat: Force MajeureThreat: Deliberate ActsThreat: Human FailureThreat: Technical Failure
C Common Vulnerabilities
Vulnerability: Organizational ShortcomingsVulnerability: Technical ShortcomingsVulnerability: Procedural Shortcomings
D Sample Information Assurance Policy for Passwords
Password PolicyPassword ExpirationChoosing an Effective PasswordOther Common Precautions to Protect a Password
E Sample Risk Analysis Table
F Select Privacy Laws and Regulations by Country/Economy or State
G Information System Security Checklist
H References and Sources of Information
I List of Acronyms
Glossary
Index

Content preview from Information Assurance Handbook: Effective Computer Security and Risk Management Strategies

CHAPTER 6 Information Assurance Management System

Information assurance is not dependent on the size of an organization nor is it an once-in-a-lifetime event. It is an ongoing process. The Maconachy-Schou-Ragsdale (MSR) model points out that technology does provide some protection to information assets. However, technology alone is not enough. If an organization does not have a set of well-designed policies and procedures serving as the foundation of information assurance initiatives, deploying even the best technology would be worthless. Organizations of any size can effectively reduce risk exposures by having processes in place that address security.

Implementing and maintaining a high-quality information assurance program requires constant ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780071821650

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Information Assurance Handbook: Effective Computer Security and Risk Management Strategies

by Corey Schou, Steven Hernandez

CHAPTER 6

Information Assurance Management System

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.