formance of a business mission. However, even as corporate dependence on information technology has grown, so too has the vulnerability of this technology and the range of external threats to it.
As a result of such vulnerabilities, considerable effort has been expended by hundreds, if not thousands, of security experts to create the applicable policies that attempt to mitigate the risks these vulnerabilities pose. The U.S. government has moved to keep abreast of such changes, enacting various laws that impose severe penalties on perpetrators of cybercrimes. Furthermore, laws placing specific obligations on corporate entities have also been passed to enable or assist law enforcement in pursuing these cybercriminals. A get-tough attitude toward hackers and cybercriminals has become pervasive since the September 11, 2001 attacks.
No corporate or government entity wants to take chances that expose it to greater risk these days. Security teams must now operate within a highly complex legal and security policy landscape to ensure that the resources they are tasked to protect remain safe. Providing security for IT resources is a difficult technical challenge, one that needs to be managed properly and to have support from the top echelons of an organization. IT and network security is also highly dependent on the behavior of human beings. To this end, formal management of both the technology aspects and the human aspects of a security organization is addressed in greater detail in Appendix C of this book.
Chapter Summary
In this introduction to basic security concepts, we discussed in detail threats to personal privacy, fraud and theft, the rise and growth of Internet fraud, and various malicious acts that can be directed against an organization. These acts include employee sabotage, infrastructure attacks, malicious hackers and coders, industrial espionage, and social engineering. We stressed the importance of educating your staff and security personnel and of crafting a corporate social engineering policy to aid in the prevention of such acts. The subject of audits was discussed. We covered relevant privacy standards and regulations, such as the NAIC model act, the Gramm-Leach-Bliley Act, and HIPAA, to name a few.
The importance of proper controls for physical access was discussed, and we introduced the topic of access control, its purpose, and its fundamental concepts. Establishment of a security policy, accountability, and assurance were also explained. As part of our discussion on access controls, we introduced the various access control models and talked about several internal