Information Assurance Handbook: Effective Computer Security and Risk Management Strategies

Book Description

Best practices for protecting critical data and systems

Information Assurance Handbook: Effective Computer Security and Risk Management Strategies discusses the tools and techniques required to prevent, detect, contain, correct, and recover from security breaches and other information assurance failures. This practical resource explains how to integrate information assurance into your enterprise planning in a non-technical manner. It leads you through building an IT strategy and offers an organizational approach to identifying, implementing, and controlling information assurance initiatives for small businesses and global enterprises alike.

Common threats and vulnerabilities are described, and applicable controls based on risk profiles are provided. Practical information assurance application examples are presented for select industries, including healthcare, retail, and industrial control systems. Chapter-ending critical thinking exercises reinforce the material covered. An extensive list of scholarly works and international government standards is also provided in this detailed guide.

Comprehensive coverage includes:

  • Basic information assurance principles and concepts
  • Information assurance management system
  • Current practices, regulations, and plans
  • Impact of organizational structure
  • Asset management
  • Risk management and mitigation
  • Human resource assurance
  • Advantages of certification, accreditation, and assurance
  • Information assurance in system development and acquisition
  • Physical and environmental security controls
  • Information assurance awareness, training, and education
  • Access control
  • Information security monitoring tools and methods
  • Information assurance measurements and metrics
  • Incident handling and computer forensics
  • Business continuity management
  • Backup and restoration
  • Cloud computing and outsourcing strategies
  • Information assurance big data concerns

Table of Contents

  1. Cover
  2. Title
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Foreword
  7. Acknowledgments
  8. Introduction
  9. Part I Information Assurance Basics
    1. Chapter 1 Developing an Information Assurance Strategy
      1. Comprehensive
      2. Independent
      3. Legal and Regulatory Requirements
      4. Living Document
      5. Long Life Span
      6. Customizable and Pragmatic
      7. Risk-Based Approach
      8. Organizationally Significant
      9. Strategic, Tactical, and Operational
      10. Concise, Well-Structured, and Extensible
      11. Critical Thinking Exercises
    2. Chapter 2 The Need for Information Assurance
      1. Protection of Critical and Sensitive Assets
      2. Compliance to Regulations and Circulars/Laws
      3. Meeting Audit and Compliance Requirements
      4. Providing Competitive Advantage
      5. Critical Thinking Exercises
    3. Chapter 3 Information Assurance Principles
      1. The MSR Model of Information Assurance
      2. Information Assurance
        1. Information Security
        2. Information Protection
        3. Cybersecurity
      3. Information Assurance: Business Enabler
      4. Information Assurance: Protects the Fabric of an Organization’s Systems
      5. Information Assurance: Cost Effective and Cost Beneficial
      6. Information Assurance: Shared Responsibilities
      7. Information Assurance: Robust Approach
      8. Information Assurance: Reassessed Periodically
      9. Information Assurance: Restricted by Social Obligations
      10. Implications from Lack of Information Assurance
        1. Penalties from Legal/Regulatory Authorities
        2. Loss of Information Assets
        3. Operational Losses and Operational Risk Management
        4. Customer Losses
        5. Loss of Image and Reputation
      11. Further Reading
      12. Critical Thinking Exercises
    4. Chapter 4 Information Assurance Concepts
      1. Defense in Depth
      2. Confidentiality, Integrity, and Availability
        1. Confidentiality
        2. Integrity
        3. Availability
        4. CIA Balance
      3. Nonrepudiation and Authentication
        1. Nonrepudiation
        2. Identification, Authentication, Authorization, and Accountability
        3. Identification
        4. Authentication
        5. Authorization
        6. Accountability
        7. Privacy’s Relationship to Information Assurance
      4. Assets, Threats, Vulnerabilities, Risks, and Controls
        1. Common Threats
        2. Vulnerabilities
        3. Controls
      5. Cryptology
        1. Codes and Ciphers
      6. Further Reading
      7. Critical Thinking Exercises
    5. Chapter 5 Organizations Providing Resources for Professionals
      1. Organizations Providing Resources for Professionals
      2. (ISC)2 International Information System Security Certification Consortium
        1. Computing Technology Industry Association
        2. Information System Audit and Control Association
        3. Information System Security Association
        4. SANS Institute
        5. Disaster Recovery Institute, International
        6. Business Continuity Institute
      3. Deciding Among Certifications
        1. Codes of Ethics
      4. Further Reading
      5. Critical Thinking Exercises
    6. Chapter 6 Information Assurance Management System
      1. Security Considerations for the Information Asset Life Cycle
      2. Plan-Do-Check-Act Model
        1. Plan
        2. Do
        3. Check
        4. Act
      3. Boyd’s OODA Loop
      4. The Kill Chain
      5. Further Reading
      6. Critical Thinking Exercises
    7. Chapter 7 Current Practices, Regulations, and Plans for Information Assurance Strategy
      1. Due Care and Due Diligence
        1. Due Care
        2. Due Diligence
      2. Specific Laws and Regulations
        1. Computer Laws
        2. Intellectual Property Law
        3. Privacy Laws
      3. International Laws and Acts
      4. Standards and Best Practices
      5. Further Reading
      6. Critical Thinking Exercise
  10. Part II Information Assurance Planning Process
    1. Chapter 8 Approaches to Implementing Information Assurance
      1. Key Components of Information Assurance Approaches
      2. Levels of Controls in Managing Security
      3. Top-Down Approach
      4. Bottom-Up Approach
      5. Outsourcing and the Cloud
      6. Balancing Information Assurance and Associated Costs
      7. Further Reading
      8. Critical Thinking Exercises
    2. Chapter 9 Organizational Structure for Managing Information Assurance
      1. Importance of Managing Information Assurance as a Program
      2. Structure of an Information Assurance Organization
        1. Information Assurance Staffing
        2. Roles and Responsibilities
        3. Senior Management
        4. Information Assurance Units
        5. Technology and Service Providers
        6. Users
      3. Organizational Maturity
        1. Information Technology Infrastructure Library
        2. Capability Maturity Model
        3. Organizational Change Maturity Model
      4. Outsourcing and Cloud Computing
      5. Further Reading
      6. Critical Thinking Exercises
    3. Chapter 10 Asset Management
      1. Types of Assets
      2. Responsibilities for Assets
      3. Inventory of Assets
      4. Ownership of Assets
      5. Acceptable Use of Assets
      6. Information Classification and Handling
        1. Classification Guidelines
        2. Information Labeling and Handling
        3. Information Classification (Categorization) Example
      7. Further Reading
      8. Critical Thinking Exercises
    4. Chapter 11 Information Assurance Risk Management
      1. Benefits of Risk Management
      2. Risk Management Process
        1. Background Planning
        2. Asset Analysis
        3. Threat Analysis
        4. Vulnerability Analysis
        5. Risk Identification
        6. Risk Analysis
        7. Risk Treatment
        8. Monitoring Risk
      3. Integration with Other Management Practices
      4. Further Reading
      5. Critical Thinking Exercises
    5. Chapter 12 Information Assurance Policy
      1. Importance of Policy
      2. Policy and Other Governance Functions
        1. Policy in Relation to Standards
        2. Policy in Relation to Guidelines
        3. Policy in Relation to Procedures
      3. Policy Development Steps
        1. Information Gathering
        2. Policy Framework Definition
        3. Policy Development
        4. Review and Approval
        5. Enforcement
        6. Policy Layout
      4. Further Reading
      5. Critical Thinking Exercises
    6. Chapter 13 Human Resource Assurance
      1. Recruitment
        1. Include Security in Job Scope/Description
        2. Defined Level of Confidentiality or Sensitivity
        3. Filling the Position
        4. Use of Legal Documents to Protect Information
      2. Employment
        1. Supervisory Controls
        2. Rotation of Duties
      3. Monitoring and Privacy Expectations
        1. Periodic Monitoring
        2. Employee Training and Awareness
        3. Disciplinary Process
      4. Termination or Change of Employment
      5. Further Reading
      6. Critical Thinking Exercises
    7. Chapter 14 Advantages of Certification, Accreditation, and Assurance
      1. Concepts and Definitions
      2. Purpose of Certification and Accreditation
      3. Primary Roles for Supporting Certification and Accreditation
      4. Certification and Accreditation Process
      5. Certification Baselines
      6. Considerations for Product Evaluation, Certification, and Accreditation
      7. Further Reading
      8. Critical Thinking Exercises
  11. Part III Risk Mitigation Process
    1. Chapter 15 Information Assurance in System Development and Acquisition
      1. Benefits of Incorporating Security Considerations
      2. Overview of the System Development Life Cycle
      3. Information Assurance in the System Development Life Cycle
      4. Information Assurance in the System or Service Acquisition Life Cycle
        1. System Development
        2. System Acquisition
        3. Change Management
        4. Configuration Management
      5. Further Reading
      6. Critical Thinking Exercises
    2. Chapter 16 Physical and Environmental Security Controls
      1. Benefits
      2. Physical and Environmental Security Controls
        1. Physical Security of Premises and Offices
      3. Handling of Media
        1. Management of Removable Media
        2. Disposal of Media
      4. Further Reading
      5. Critical Thinking Exercises
    3. Chapter 17 Information Assurance Awareness, Training, and Education (AT&E)
      1. Purpose of the AT&E Program
      2. Benefits of the AT&E Program
      3. Design, Development, and Assessment of Programs
      4. Types of Learning Programs
        1. Information Assurance Awareness
        2. Information Assurance Training
        3. Information Assurance Education
      5. Further Reading
      6. Critical Thinking Exercises
    4. Chapter 18 Preventive Information Assurance Tools
      1. Preventive Information Assurance Tools
        1. Content Filters
        2. Cryptographic Protocols and Tools
        3. Firewalls
        4. Network Intrusion Prevention System
        5. Proxy Servers
        6. Public Key Infrastructure
        7. Virtual Private Networks
      2. Preventive Information Assurance Controls
        1. Backups
        2. Change Management and Configuration Management
        3. IT Support
        4. Media Controls and Documentation
        5. Patch Management
      3. Further Reading
      4. Critical Thinking Exercises
    5. Chapter 19 Access Control
      1. Access Control: The Benefits
        1. Access Control Types
        2. Access Control Models
      2. Access Control Techniques
        1. Rule-Based Access Control
        2. Access Control Matrix
        3. Access Control Lists
        4. Capability Tables
        5. Constrained User Interfaces
        6. Content-Dependent Access Control
        7. Context-Dependent Access Control
      3. Access Control Administration
        1. Centralized Access Control Administration
        2. Decentralized Access Control Administration
      4. Further Reading
      5. Critical Thinking Exercises
  12. Part IV Information Assurance Detection and Recovery Processes
    1. Chapter 20 Information Assurance Monitoring Tools and Methods
      1. Intrusion Detection Systems
        1. Host Intrusion Detection System
        2. Network Intrusion Detection System
      2. Log Management Tools
        1. Security Information and Event Management (SIEM)
      3. Honeypot/Honeynet
      4. Malware Detection
        1. Signature Detection
        2. Change Detection
        3. State Detection
      5. Vulnerability Scanners
        1. Vulnerability Scanner Standards
        2. Host-Based Scanner
        3. Network-Based Scanner
        4. Database Vulnerability Scanner
        5. Distributed Network Scanner
      6. Penetration Test
        1. External Penetration Test
        2. Internal Penetration Test
        3. Wireless Penetration Test
      7. Physical Controls
        1. Personnel Monitoring Tools
        2. Network Surveillance
      8. The Concept of Continuous Monitoring and Authorization
      9. Further Reading
      10. Critical Thinking Exercises
    2. Chapter 21 Information Assurance Measurements and Metrics
      1. Importance of Information Assurance Measurement
      2. Information Assurance Measurement Process
        1. Develop Measurements
        2. Collect Data
        3. Analyze and Report
        4. Integrate Measurement Output
        5. Improve Measurement Process
      3. Importance of Information Assurance Metrics
      4. Information Assurance Metrics Program
        1. Data Collection Preparation
        2. Data Collection and Analysis
        3. Corrective Action Identification
        4. Business Case Development
        5. Corrective Action Applications
      5. Further Reading
      6. Critical Thinking Exercises
    3. Chapter 22 Incident Handling
      1. Importance of Incident Handling
      2. Incident Reporting
      3. Incident Handling Process
        1. Phase 1: Preparation
        2. Phase 2: Detection/Identification
        3. Phase 3: Containment
        4. Phase 4: Eradication
        5. Phase 5: Recovery
        6. Phase 6: Review
      4. Further Reading
      5. Critical Thinking Exercises
    4. Chapter 23 Computer Forensics
      1. Importance of Computer Forensics
      2. Prerequisites of a Computer Forensic Examiner
        1. Forensic Skills
        2. Supplemental Forensic Skills
        3. Rules of Computer Forensics
        4. Chain of Custody
        5. Computer Forensic Steps
        6. Rules of Evidence
      3. Computer Forensics Teams
        1. Establishing a Computer Forensics Team
      4. Further Reading
      5. Critical Thinking Exercises
    5. Chapter 24 Business Continuity Management
      1. Importance of Business Continuity Management
      2. Critical Success Factors for BCM Implementation
      3. Business Continuity Management Processes
        1. Stage 1: Recognize BCP Is Essential
        2. Stage 2: Identify the Business Needs
        3. Stage 3: Develop BCM Strategies
        4. Stage 4: Developing and Implementing a BCM Response
        5. Stage 5: Developing a BCM Culture
        6. Stage 6: Execute, Test, Maintain, and Audit
      4. Business Continuity in the Cloud
      5. Further Reading
      6. Critical Thinking Exercises
    6. Chapter 25 Backup and Restoration
      1. Importance of Backup
      2. Backup Considerations
      3. Backup Solutions
        1. Media
        2. Backup Infrastructure
        3. Backup Software
      4. Types of Backup
      5. Scheduling
      6. Retention
      7. Tape Media
      8. Administration
      9. Restoration of Data
      10. BYOD and Cloud Backups
      11. Further Reading
      12. Critical Thinking Exercises
  13. Part V Application of Information Assurance to Select Industries
    1. Chapter 26 Healthcare
      1. Overview of Information Assurance Approach
      2. Healthcare-Specific Terminology
      3. Information Assurance Management
        1. Personnel
        2. Management Approach
        3. Regulations and Legal Requirements
      4. Information Assurance Risk Management
        1. Assets
        2. Threats
        3. Vulnerabilities
        4. Risk Assessment
      5. Risk Mitigation
        1. Policy, Procedures, Standards, and Guidance
        2. Human Resources
        3. Certification, Accreditation, and Assurance
        4. Information Assurance in System Development and Acquisition
        5. Physical and Environmental Security Controls
        6. Awareness, Training, and Education
        7. Access Control
        8. Continuous Monitoring, Incident Response, and Forensics
        9. Business Continuity and Backups
      6. Further Reading
      7. Critical Thinking Exercises
    2. Chapter 27 Retail
      1. Overview of the Information Assurance Approach
      2. Information Assurance Management
        1. Personnel
        2. Management Approach
        3. Regulations and Legal Requirements
      3. Information Assurance Risk Management
        1. Assets
        2. Threats
        3. Vulnerabilities
        4. Risk Assessment
      4. Risk Mitigation
        1. Policy, Procedures, Standards, and Guidance
        2. Human Resources
        3. Certification, Accreditation, and Assurance
        4. Information Assurance: System Development and Acquisition
        5. Physical and Environmental Security Controls
        6. Awareness, Training, and Education
        7. Access Control
        8. Continuous Monitoring, Incident Response, and Forensics
        9. Business Continuity and Backups
      5. Further Reading
      6. Critical Thinking Exercises
    3. Chapter 28 Industrial Control Systems
      1. Overview of the Information Assurance Approach
      2. Industrial Control–Specific Language
      3. Information Assurance Management
        1. Personnel
        2. Management Approach
        3. Regulations and Legal Requirements
      4. Information Assurance Risk Management
        1. Assets
        2. Threats
        3. Vulnerabilities
        4. Risk Assessment
      5. Risk Mitigation
        1. Policy, Procedures, Standards, and Guidance
        2. Certification, Accreditation, and Assurance
        3. Human Resources
        4. Information Assurance in System Development and Acquisition
        5. Physical and Environmental Security Controls
        6. Awareness, Training, and Education
        7. Access Control
        8. Continuous Monitoring, Incident Response, and Forensics
        9. Business Continuity and Backups
      6. Further Reading
      7. Critical Thinking Exercises
  14. Part VI Appendixes
    1. A Suggestions for Critical Thinking Exercises
      1. Chapter 1
      2. Chapter 2
      3. Chapter 3
      4. Chapter 4
      5. Chapter 5
      6. Chapter 6
      7. Chapter 7
      8. Chapter 8
      9. Chapter 9
      10. Chapter 10
      11. Chapter 11
      12. Chapter 12
      13. Chapter 13
      14. Chapter 14
      15. Chapter 15
      16. Chapter 16
      17. Chapter 17
      18. Chapter 18
      19. Chapter 19
      20. Chapter 20
      21. Chapter 21
      22. Chapter 22
      23. Chapter 23
      24. Chapter 24
      25. Chapter 25
      26. Chapter 26
      27. Chapter 27
      28. Chapter 28
    2. B Common Threats
      1. Threat: Force Majeure
      2. Threat: Deliberate Acts
      3. Threat: Human Failure
      4. Threat: Technical Failure
    3. C Common Vulnerabilities
      1. Vulnerability: Organizational Shortcomings
      2. Vulnerability: Technical Shortcomings
      3. Vulnerability: Procedural Shortcomings
    4. D Sample Information Assurance Policy for Passwords
      1. Password Policy
        1. Password Expiration
        2. Choosing an Effective Password
        3. Other Common Precautions to Protect a Password
    5. E Sample Risk Analysis Table
    6. F Select Privacy Laws and Regulations by Country/Economy or State
    7. G Information System Security Checklist
    8. H References and Sources of Information
    9. I List of Acronyms
  15. Glossary
  16. Index