The Best Damn IT Security Management Book Period

Book Description

The Best Damn Security Manager's Handbook Period has comprehensive coverage of all management issues facing IT and security professionals. Compiled from the best of the Syngress and Butterworth-Heinemann libraries and authored by business continuity expert Susan Snedaker, this volume is an indispensable addition to a serious security professional's toolkit.

Coverage includes Business Continuity, Risk Assessment, Protection Assets, Project Management, Security Operations, Security Management, and Security Design & Integration.

* An all-encompassing book, covering general security management issues and providing specific guidelines and checklists.
* Anyone studying for a security-specific certification or ASIS certification will find this a valuable resource.
* The only book to cover all major IT and security management issues in one place: disaster recovery, project management, operations management, risk assessment.

Table of Contents

  1. Copyright
  2. About the Authors
  3. 1. From Vulnerability to Patch
    1. 1. Windows of Vulnerability
      1. Introduction
      2. What Are Vulnerabilities?
      3. Understanding the Risks Posed by Vulnerabilities
      4. Summary
    2. 2. Vulnerability Assessment 101
      1. Introduction
      2. What Is a Vulnerability Assessment?
        1. Step 1: Information Gathering/Discovery
        2. Step 2: Enumeration
        3. Step 3: Detection
      3. Seeking Out Vulnerabilities
      4. Detecting Vulnerabilities via Security Technologies
        1. Deciphering VA Data Gathered by Security Technologies
        2. Accessing Vulnerabilities via Remediation (Patch) Technologies
        3. Extracting VA Data from Remediation Repositories
        4. Leveraging Configuration Tools to Assess Vulnerabilities
      5. The Importance of Seeking Out Vulnerabilities
        1. Looking Closer at the Numbers
      6. Summary
    3. 3. Vulnerability Assessment Tools
      1. Introduction
      2. Features of a Good Vulnerability Assessment Tool
      3. Using a Vulnerability Assessment Tool
        1. Step 1: Identify the Hosts on Your Network
        2. Step 2: Classify the Hosts into Asset Groups
        3. Step 3: Create an Audit Policy
        4. Step 4: Launch the Scan
        5. Step 5: Analyze the Reports
        6. Step 6: Remediate Where Necessary
      4. Summary
    4. 4. Vulnerability Assessment: Step One
      1. Introduction
      2. Know Your Network
      3. Classifying Your Assets
      4. I Thought This Was a Vulnerability Assessment Chapter
      5. Summary
    5. 5. Vulnerability Assessment: Step Two
      1. Introduction
      2. An Effective Scanning Program
      3. Scanning Your Network
      4. When to Scan
      5. Summary
    6. 6. Going Further
      1. Introduction
      2. Types of Penetration Tests
      3. Scenario: An Internal Network Attack
        1. Client Network
        2. Step 1: Information Gathering
          1. Operating System Detection
          2. Discovering Open Ports and Enumerating
        3. Step 2: Determine Vulnerabilities
          1. Setting Up the VA
          2. Interpreting the VA Results
      4. Penetration Testing
        1. Step 3: Attack and Penetrate
          1. Uploading Our Data
          2. Attack and Penetrate
          3. Searching the Web Server for Information
          4. Discovering Web Services
      5. Vulnerability Assessment versus a Penetration Test
        1. Tips for Deciding between Conducting a VA or a Penetration Test
      6. Internal versus External
      7. Summary
    7. 7. Vulnerability Management
      1. Introduction
      2. The Vulnerability Management Plan
      3. The Six Stages of Vulnerability Management
        1. Stage One: Identify
        2. Stage Two: Assess
        3. Stage Three: Remediate
        4. Stage Four: Report
        5. Stage Five: Improve
        6. Stage Six: Monitor
      4. Governance (What the Auditors Want to Know)
      5. Measuring the Performance of a Vulnerability Management Program
      6. Common Problems with Vulnerability Management
      7. Summary
    8. 8. Vulnerability Management Tools
      1. Introduction
      2. The Perfect Tool in a Perfect World
      3. Evaluating Vulnerability Management Tools
      4. Commercial Vulnerability Management Tools
        1. eEye Digital Security
        2. Symantec (BindView)
        3. Attachmate (NetIQ)
        4. StillSecure
        5. McAfee
      5. Open Source and Free Vulnerability Management Tools
        1. Asset Management, Workflow, and Knowledgebase
        2. Host Discovery
        3. Vulnerability Scanning and Configuration Scanning
        4. Configuration and Patch Scanning
        5. Vulnerability Notification
        6. Security Information Management
      6. Managed Vulnerability Services
      7. Summary
    9. 9. Vulnerability and Configuration Management
      1. Introduction
      2. Patch Management
        1. System Inventories
        2. System Classification
        3. System Baselines
          1. Creating a Baseline
          2. Baseline Example
          3. The Common Vulnerability Scoring System
      3. Building a Patch Test Lab
        1. Establish a Patch Test Lab with “Sacrificial Systems”
          1. Virtualization
          2. Environmental Simulation
      4. Patch Distribution and Deployment
        1. Logging and Reporting
      5. Configuration Management
      6. Change Control
      7. Summary
    10. 10. Regulatory Compliance
      1. Introduction
      2. Regulating Assessments and Pen Tests
        1. The Payment Card Industry (PCI) Standard
        2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
        3. The Sarbanes-Oxley Act of 2002 (SOX)
        4. Compliance Recap
      3. Drafting an Information Security Program
      4. Summary
    11. 11. Tying It All Together
      1. Introduction
      2. A Vulnerability Management Methodology
      3. Step One: Know Your Assets
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
      4. Step Two: Categorize Your Assets
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
      5. Step Three: Create a Baseline Scan of Assets
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
      6. Step Four: Perform a Penetration Test on Certain Assets
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
      7. Step Five: Remediate Vulnerabilities and Risk
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
      8. Step Six: Create a Vulnerability Assessment Schedule
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
      9. Step Seven: Create a Patch and Change Management Process
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
      10. Step Eight: Monitor for New Risks to Assets
        1. What You Need to Do
        2. Why You Need to Do It
        3. How to Do It
        4. What Tools Exist to Help You Do It
  4. 2. Network Security Evaluation
    1. 12. Introducing the INFOSEC Evaluation Methodology
      1. Introduction
      2. What Is the IEM?
        1. Tying the Methodologies Together
      3. What the IEM Is Not
        1. The IEM Is Not an Audit or Inspection
        2. The IEM Is Not a Risk Assessment
      4. Standards and Regulations
        1. Lack of Expertise
        2. Certification Does Not Give You Expertise
      5. Summary
    2. 13. Before the Evaluation Starts
      1. Introduction
      2. The Evaluation Request
        1. Why Are Evaluations Requested?
          1. Compliance With Laws and Regulations
            1. The Sarbanes-Oxley Act
            2. Federal Information Security Management Act
            3. Health Insurance Portability and Accountability Act of 1996
            4. The Gramm-Leach-Bliley Act
            5. The Family Educational Rights and Privacy Act
            6. The DoD Information Technology Security Certification and Accreditation Process
            7. The National Information Assurance Certification and Accreditation Process
            8. Defense Information Assurance Certification and Accreditation Process
            9. ISO 17799
            10. The North American Electric Reliability Council
          2. Response to Suspicious Activities
            1. Recent Successful Penetration
            2. Suspected Possible Penetration
            3. Unsuccessful Penetration Attempt
            4. “I Don’t Know If Our Organization Has Been Penetrated”
          3. Third-Party Independent Reviews of Security Posture
            1. Customer-Required Reviews
            2. Insurance-Required Reviews
            3. SLA-Required Reviews
          4. It’s The Right Thing To Do
        2. How Are Evaluations Requested?
      3. Validating the Evaluation Request
        1. Sources of Information for Validation
          1. Validating with the Customer
            1. The Engagement Scoping Questionnaire
            2. Customer Discussions and Information Confirmation
          2. Publicly Available Information
        2. Understanding the Level of Effort
      4. The Formal Engagement Agreement
        1. Nondisclosure Agreements
        2. Engagement Agreement Composition
          1. Minimum Engagement Agreement Contents
          2. Understanding the Pricing Options
            1. Government Contracting
            2. Commercial Contracting
            3. Fixed Price vs. Hourly Rate
          3. Additional Engagement Agreement Contents
        3. Dealing with Contract Pitfalls
          1. “Scope Creep” and Timelines
          2. Uneducated Salespeople
          3. Evaluations 101
          4. Bad Assumptions
            1. Assumption Topic Areas
          5. Poorly Written Contracts
            1. Poor Scope Definition
            2. Underbid or Overbid: The Art of Poor Cost Estimating
      5. Customer and Evaluation Team Approval
        1. The Customer Approval Process
        2. The Evaluation Team Approval Process
      6. Summary
    3. 14. Setting Expectations
      1. Introduction
      2. Objectives of the Pre-Evaluation Phase
      3. Understanding Concerns and Constraints
        1. What Are the Requirements?
        2. Other Significant Regulations
        3. Budgetary Concerns
        4. Cyber-Insurance
        5. System Accreditation
          1. FISMA
          2. DoD Information Technology Security Certification and Accreditation Process
          3. National Information Assurance Certification and Accreditation Process
          4. Defense Information Assurance Certification and Accreditation Process
        6. Response to Suspected Threats or Intrusions
      4. Obtaining Management Buy-In
      5. Obtaining Technical Staff Buy-In
      6. Establishing Points of Contact
      7. Summary
    4. 15. Scoping the Evaluation
      1. Introduction
      2. Focusing the Evaluation
        1. The Power of Expectations
          1. What Does the Customer Expect for Delivery?
          2. Adjusting Customer Expectations
        2. When Scoping Fails
          1. “Scope Creep” and Time Lines
            1. Restricting Scope Slippage in the Contract
            2. Contracting Differences
          2. Uneducated Salespeople
            1. Evaluations 101
          3. Bad Assumptions
          4. Assumption Topic Areas
          5. Poorly Written Contracts
            1. Poor Scope Definition
            2. Underbid or Overbid: The Art of Poor Cost Estimating
      3. Identifying the Rules of Engagement
        1. Customer Concerns
          1. Stating the Evaluation Purpose
        2. Customer Constraints
          1. Impact Resistance and Acceptable Levels of Invasiveness
            1. Identifying Scanning Times
            2. Off-Limit Nodes
            3. Evaluation Tool Limitations
            4. Notification Procedures
            5. Evaluation Addressing
            6. Reporting Level of Detail
            7. Clear and Concise Writing
        3. Establishing the Evaluation Boundaries
          1. Physical Boundaries
          2. Logical Boundaries
          3. Critical Path and Critical Components
      4. Finding the Sources of Scoping Information
        1. Customer
          1. The Scoping Questionnaire
            1. Information Gained from the Questionnaire
            2. Value of the Questionnaire
            3. Example Responses on a Scoping Questionnaire
          2. Evaluation Requestor
          3. Customer Senior Leadership
          4. Administrative Customer Contact
          5. Technical Customer Contacts
        2. Evaluation Team
          1. Evaluation Team Lead
          2. Evaluation Team Members
        3. Validating Scoping Information
      5. Staffing Your Project
        1. Job Requirements
          1. Networking and Operating Systems
          2. Hardware Knowledge
          3. Picking the Right People
            1. Matching Consultants to Customers
            2. Personality Issues
      6. Summary
    5. 16. Legal Principles for Information Security Evaluations
      1. Introduction
      2. Uncle Sam Wants You: How Your Company’s Information Security Can Affect U.S. National Security
      3. Legal Standards Relevant to Information Security
        1. Selected Federal Laws
          1. Gramm-Leach-Bliley Act
          2. Health Insurance Portability and Accountability Act
          3. Sarbanes-Oxley
          4. Federal Information Security and Management Act
          5. FERPA and the TEACH Act
          6. Electronic Communications Privacy Act and Computer Fraud and Abuse Act
        2. State Laws
          1. Unauthorized Access
          2. Deceptive Trade Practices
        3. Enforcement Actions
        4. Three Fatal Fallacies
          1. The “Single Law” Fallacy
          2. The Private Entity Fallacy
          3. The “Pen Test Only” Fallacy
      4. Do It Right or Bet the Company: Tools to Mitigate Legal Liability
        1. We Did our Best; What is the Problem?
          1. The Basis for Liability
          2. Negligence and the “Standard of Care”
        2. What Can Be Done?
          1. Understand your Legal Environment
          2. Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation
          3. Use Contracts to Define Rights and Protect Information
          4. Use Qualified Third-party Professionals
          5. Making Sure Your Standards-of-care Assessments Keep Up with Evolving Law
          6. Plan for the Worst
          7. Insurance
      5. What to Cover in IEM Contracts
        1. What, Who, When, Where, How, and How Much
          1. What
            1. Description of the Security Evaluation and Business Model
            2. Definitions Used in the Contract
            3. Description of the Project
            4. Assumptions, Representations, and Warranties
            5. Boundaries and Limitations
            6. Identification of Deliverables
          2. Who
            1. Statement of Parties to the Contractual Agreement
            2. Authority of Signatories to the Contractual Agreement
            3. Roles and Responsibilities of Each Party to the Contractual Agreement
            4. Non-disclosure and Secrecy Agreements
            5. Assessment Personnel
            6. Crisis Management and Public Communications
            7. Indemnification, Hold Harmless, and Duty to Defend
            8. Ownership and Control of Information
            9. Intellectual Property Concerns
            10. Licenses
          3. When
            1. Actions or Events that Affect Schedule
          4. Where
          5. How
          6. How Much
            1. Fees and Cost
            2. Billing Methodology
            3. Payment Expectations and Schedule
            4. Rights and Procedures to Collect Payment
            5. Insurance for Potential Damage During Evaluation
          7. Murphy’s Law (When Something Goes Wrong)
            1. Governing Law
            2. Acts of God, Terror Attacks, and other Unforeseeable Events
            3. When Agreement is Breached and Remedies
            4. Liquidated Damages
            5. Limitation on Liability
            6. Survival of Obligations
            7. Waiver and Severability
            8. Amendments to the Contract
        2. Where the Rubber Meets the Road: The LOA as Liability Protection
          1. Beyond You and Your Customer
            1. Software License Agreements
            2. Your Customer’s Customer
      6. The First Thing We Do...? Why You Want Your Lawyers Involved From Start to Finish
        1. Attorney-client Privilege
        2. Advice of Counsel Defense
        3. Establishment and Enforcement of Rigorous Assessment, Interview, and Report-writing Standards
        4. Creating a Good Record for Future Litigation
        5. Maximizing Ability to Defend Litigation
        6. Dealing with Regulators, Law Enforcement, Intelligence, and Homeland Security Officials
        7. The Ethics of Information Security Evaluation
    6. 17. Building the Technical Evaluation Plan
      1. Introduction
      2. Purpose of the Technical Evaluation Plan
        1. The IEM TEP as an Agreement
        2. The TEP as Road Map
      3. Building the Technical Evaluation Plan
        1. Source of the Technical Evaluation Plan Information
        2. TEP Section I: Points of Contact
          1. Evaluation Team Contacts
          2. Customer Contacts
        3. TEP Section II: Methodology Overview
          1. Purpose of the IEM
          2. Description of the IEM
          3. Evaluation Tools to Be Used
        4. TEP Section III: Criticality Information
          1. Organizational Criticality Matrices
          2. System Criticality Information
        5. TEP Section IV: Detailed Network Information
        6. TEP Section V: Customer Concerns
        7. TEP Section VI: Customer Constraints
        8. TEP Section VII: Rules of Engagement
          1. Evaluation Team Requirements
            1. External Requirements
            2. Internal Requirements
          2. Customer Requirements
        9. TEP Section VIII: Coordination Agreements
          1. Level of Detail of Recommendations
          2. List of Agreed-On Deliverables
          3. The Coordination Agreements Section: A Catchall
        10. TEP Section IX: Letter of Authorization
        11. TEP Section X: Timeline of Events
      4. Customizing and Modifying the Technical Evaluation Plan
        1. Modifying the Ten NSA-Defined Areas
        2. Level of Detail
        3. Format
      5. Getting the Signatures
        1. Customer Approval
        2. Evaluation Team Approval
      6. Summary
    7. 18. Starting Your Onsite Efforts
      1. Introduction
      2. Preparing for the Onsite Evaluation Phase
        1. Scheduling
          1. Day One Accomplishments
          2. Day Two Accomplishments
          3. Day Three Accomplishments
          4. Day Four Accomplishments
          5. Day Five Accomplishments
            1. Flexibility and Adaptation
        2. Administrative Planning
        3. Technical Planning
      3. IAM vs. IEM
        1. Vulnerability Definitions
        2. Onsite Evaluation Phase Objectives
          1. Verification of “Known” and “Rogue” Components
          2. Discovery of Technical Vulnerabilities
          3. Validation = Value Add?
      4. IEM Baseline Activities
        1. I. Port Scanning
        2. II. SNMP Scanning
        3. III. Enumeration and Banner Grabbing
        4. IV. Wireless Enumeration
        5. V. Vulnerability Scanning
        6. VI. Host Evaluation
        7. VII. Network Device Analysis
        8. VIII. Password Compliance Testing
        9. IX. Application-Specific Scanning
        10. X. Network Sniffing
        11. Other Activities
      5. The Role of CVE and CAN
      6. The In-Brief
        1. Presenting the TEP
        2. Cultural Sensitivity
      7. Summary
    8. 19. Network Discovery Activities
      1. Introduction
      2. Goals and Objectives
        1. Results as Findings and Evaluation Task Attributes
        2. System Mapping
      3. Tool Basics
        1. Expected Usage and Requirements
      4. Port Scanning
        1. Nmap
          1. NMAP Options
            1. TCP SYN
            2. UDP Scanning
            3. Ping Scanning
            4. Basic Nmap Options
        2. SuperScan
        3. ScanLine
        4. SolarWinds
        5. Port Scan System Mapping
      5. SNMP Scanning
        1. SolarWinds
          1. SNMPSweep
          2. MIB Walk
          3. MIB Browser
        2. SNScan
        3. WS_Ping Pro-Pak
        4. SNMP Scan System Mapping
      6. Enumeration and Banner Grabbing
        1. Nmap
        2. THC-Amap
        3. NBTScan
        4. SuperScan
        5. WS_Ping Pro-Pak
        6. UNIX Enumeration
        7. Telnet
        8. DNS Queries
        9. Enumeration and Banner-Grabbing System Mapping
      7. Wireless Enumeration
        1. Wireless Enumeration Obstacles
        2. Kismet
        3. NetStumbler
        4. Wireless Encryption Evaluation
        5. Wireless Enumeration System Mapping
      8. Summary
    9. 20. Collecting the Majority of Vulnerabilities
      1. Introduction
      2. Vulnerability and Attack Trends
        1. Vulnerability Scanning’s Role in the IEM
      3. Conducting Vulnerability Scans
        1. Breaking Out the Scanning Tools
          1. Vulnerability Scanners: Commercial and Freeware
      4. Conducting Host Evaluations
        1. Host Evaluation Example Tools and Scripts
          1. Benchmark Scripts and Custom Scripts
        2. Host Evaluations: What to Look For
          1. Auditing
          2. File/Directory Permissions
          3. OS and Application Services
          4. User Rights Assignments
          5. Patch Management
      5. Mapping the Findings to the IEM Process
        1. Vulnerability Scans and Host Evaluations: Correlating the Data
        2. Summarize and Validate Findings
      6. Summary
    10. 21. Fine-Tuning the Evaluation
      1. Introduction
      2. Network Device Analysis
        1. Approaches Used in Network Device Analysis
        2. Evaluating the Perimeter Design and Defenses
        3. Evaluating Network Device Configurations
      3. Password-Compliance Testing
        1. Password-Compliance Testing Methods
        2. Methods of Obtaining the Password File
        3. Password-Compliance Testing Tools
      4. Application-Specific Scanning
        1. The DMZ
        2. Types of Applications to Be Scanned
      5. Network Protocol Analysis
        1. Why Perform Network Protocol Analysis?
        2. Introducing Network Protocol Analyzers
      6. Summary
    11. 22. The Onsite Closing Meeting
      1. Introduction
      2. Organizing the Meeting
        1. Time and Location
        2. Evaluation Team and Customer Involvement
          1. The Customer
          2. The Evaluation Team
        3. Presentation Needs
        4. The Agenda
      3. TEP Overview
        1. The Evaluation Process
          1. How Was Information Collected?
          2. The Tools
          3. Customer Documentation
        2. Customer Concerns
        3. What Is Driving the Evaluation?
        4. Customer Constraints
        5. Protecting Testing Data
      4. Setting Timelines
        1. Important Events During Testing
        2. Final Report Delivery
      5. Overview of Critical Findings
        1. How Does the Vulnerability Impact the System?
        2. What Is the Likelihood That a Threat Will Exploit the Vulnerability?
        3. Mapping to Business Mission and Objectives
        4. Positive vs. Negative Findings
      6. Points of Immediate Resolution
        1. Short Term vs. Long Term
      7. What Do You Do With the Information That You Have Collected?
      8. Summary
    12. 23. Post-Evaluation Analysis
      1. Introduction
      2. Getting Organized
        1. Analysis Needs
        2. Reporting Needs
      3. Categorization, Consolidation, Correlation, and Consultation
        1. False Positives and False Negatives
        2. Evaluation Perspectives
          1. External Exposures
          2. Internal Exposures
          3. System Boundaries
      4. Conducting Additional Research
        1. Resources
        2. Consulting Subject Matter Experts
          1. Other Team Members
          2. External Resources
      5. Analyzing Customer Documentation
        1. INFOSEC Policies and Procedures
          1. Previous Evaluations/VA/Penetration-Testing Results
      6. Developing Practical Recommendations
        1. Level of Detail
          1. Finding
          2. Description
          3. References
          4. Criticality Rating
          5. Business Impact
          6. Threat Likelihood
          7. Recommendations
        2. Tying in Regulations, Legislation, Organizational Policies, and Industry Best Practices
      7. Summary
    13. 24. Creating Measurements and Trending Results
      1. Introduction
      2. The Purpose and Goal of the Matrixes
      3. Information Types
      4. Common Vulnerabilities and Exposures
      5. NIST ICAT
      6. Developing System Vulnerability Criticality Matrixes
      7. Developing Overall Vulnerability Criticality Matrixes
      8. Using the OVCM and SVCM
      9. Summary
    14. 25. Trending Metrics
      1. Introduction
      2. Metrics and Their Usefulness
        1. Return on Investment
        2. How Do We Compare?
      3. The INFOSEC Posture Profile
        1. Defense in Depth
        2. Adversaries or Threats
          1. Protect
          2. Detect
          3. Respond
          4. Sustain
          5. People
          6. Technology
            1. Defense in Multiple Places
            2. Layered Defenses
            3. Specify the Security Robustness
            4. Robust Key Management
            5. Event Correlation
          7. Operations
        3. Developing the INFOSEC Posture Profile
      4. The INFOSEC Posture Rating
      5. Value-Added Trending
      6. Summary
    15. 26. Final Reporting
      1. Introduction
      2. Pulling All the Information Together
        1. The Team Meeting
        2. Research
        3. The SVCM and OVCM
        4. Review
      3. Making Recommendations
        1. Findings
        2. Recommendations
      4. Creating the Final Report
        1. Organizing the Data
        2. Discussion of Findings
        3. Final Report Delivery Date
        4. The Cover Letter
        5. The Executive Summary
        6. The INFOSEC Profile
        7. The Introduction
        8. INFOSEC Analysis
          1. Technical Areas
            1. High-Criticality Findings
            2. Medium-Criticality Findings
            3. Low-Criticality Findings
        9. The Conclusion
          1. Posture Description
          2. Posture Profile
          3. Security Practices
      5. Presenting the Final Report
      6. Summary
    16. 27. Summing Up the INFOSEC Evaluation Methodology
      1. Introduction
      2. The Pre-Evaluation Phase
      3. The Onsite Evaluation
      4. The Post-Evaluation Phase
      5. Examples of INFOSEC Tools by Baseline Activity
      6. Port Scanning
      7. SNMP Scanning
      8. Enumeration and Banner Grabbing
      9. Wireless Enumeration*
      10. Vulnerability Scanning
      11. Host Evaluation
      12. Network Device Analysis
      13. Password-Compliance Testing
      14. Application-Specific Scanning
      15. Network Protocol Analysis
      16. Technical Evaluation Plan Outline and Sample
      17. Sample Technical Evaluation Plan
      18. I. Evaluation Points of Contact
      19. II. Methodology Overview
      20. III. Organizational and System Criticality Information
        1. The OUCH Mission
        2. OUCH Impact Definitions
        3. OUCH Organizational Criticality
        4. System Information Criticality
      21. IV. Detailed Network Information
      22. V. Customer Concerns
      23. VI. Customer Constraints
      24. VII. Rules of Engagement
      25. VIII. Internal and External Customer Requirements
      26. IX. Coordination Agreements
        1. Level of Detail of Recommendations
        2. Deliverables
        3. Other Agreements
      27. X. Letter of Authorization
      28. XI. Timeline of Evaluation Events
  5. 3. Business Continuity & Disaster Recovery
    1. 28. Business Continuity and Disaster Recovery Overview
      1. Introduction
      2. Business Continuity and Disaster Recovery Defined
      3. Components of Business
        1. People in BC/DR Planning
        2. Process in BC/DR Planning
        3. Technology in BC/DR Planning
      4. The Cost of Planning versus the Cost of Failure
        1. People
        2. Process
        3. Technology
      5. Types of Disasters
        1. Natural Hazards
          1. Cold Weather Related Hazards
          2. Warm Weather Related Hazards
          3. Geological Hazards
        2. Human-Caused Hazards
        3. Accidents and Technological Hazards
        4. Electronic Data Threats
          1. Personal Privacy
          2. Privacy Standards and Legislation
            1. Gramm-Leach-Bliley Act (GLBA)
            2. Health Insurance Portability and Accountability Act (HIPAA)
          3. Social Engineering
          4. Fraud and Theft
            1. General Business Fraud
          5. Managing Access
      6. Business Continuity and Disaster Recovery Planning Basics
        1. Project Initiation
        2. Risk Assessment
        3. Business Impact Analysis
        4. Mitigation Strategy Development
        5. Plan Development
        6. Training, Testing, Auditing
        7. Plan Maintenance
      7. Summary
    2. 29. Project Initiation
      1. Introduction
      2. Elements of Project Success
        1. Executive Support
        2. User Involvement
        3. Experienced Project Manager
        4. Clearly Defined Project Objectives
        5. Clearly Defined Project Requirements
        6. Clearly Defined Scope
        7. Shorter Schedule, Multiple Milestones
        8. Clearly Defined Project Management Process
      3. Project Plan Components
        1. Project Definition
          1. Problem and Mission Statement
          2. Potential Solutions
          3. Requirements and Constraints
          4. Success Criteria
          5. Project Proposal
          6. Estimates
          7. Project Sponsor
        2. Forming the Project Team
          1. Organizational
          2. Technical
          3. Logistical
          4. Political
        3. Project Organization
          1. Project Objectives
            1. Business Continuity Plan
            2. Continuity of Operations Plan
            3. Disaster Recovery Plan
            4. Crisis Communication Plan
            5. Cyber Incident Response Plan (CIRP)
            6. Occupant Emergency Plan
          2. Project Stakeholders
          3. Project Requirements
          4. Project Parameters
          5. Project Infrastructure
          6. Project Processes
            1. Team Meetings
            2. Reporting
            3. Escalation
            4. Project Progress
            5. Change Control
            6. Quality Control
          7. Project Communication Plan
        4. Project Planning
          1. Work Breakdown Structure
          2. Critical Path
        5. Project Implementation
          1. Managing Progress
          2. Managing Change
        6. Project Tracking
        7. Project Close Out
      4. Key Contributors and Responsibilities
        1. Information Technology
          1. Experience Working on a Cross-Departmental Team
          2. Ability to Communicate Effectively
          3. Ability to Work Well with a Wide Variety of People
          4. Experience with Critical Business and Technology Systems
          5. IT Project Management Leadership
        2. Human Resources
        3. Facilities/Security
        4. Finance/Legal
        5. Warehouse/Inventory/Manufacturing/Research
        6. Purchasing/Logistics
        7. Marketing and Sales
        8. Public Relations
      5. Project Definition
        1. Business Requirements
        2. Functional Requirements
        3. Technical Requirements
      6. Business Continuity and Disaster Recovery Project Plan
        1. Project Definition, Risk Assessment
        2. Business Impact Analysis
        3. Risk Mitigation Strategies
        4. Plan Development
        5. Emergency Preparation
        6. Training, Testing, Auditing
      7. Plan Maintenance
      8. Summary
    3. 30. Risk Assessment
      1. Introduction
      2. Risk Management Basics
        1. Risk Management Process
          1. Threat Assessment
          2. Vulnerability Assessment
          3. Impact Assessment
          4. Risk Mitigation Strategy Development
        2. People, Process, Technology, and Infrastructure in Risk Management
          1. People
          2. Process
          3. Technology
          4. Infrastructure
        3. IT-Specific Risk Management
          1. IT Risk Management Objectives
          2. The System Development Lifecycle Model
      3. Risk Assessment Components
        1. Information Gathering Methods
        2. Natural and Environmental Threats
          1. Fire
          2. Floods
          3. Severe Winter Storms
          4. Electrical Storms
          5. Drought
          6. Earthquake
          7. Tornados
          8. Hurricanes/Typhoons/Cyclones
          9. Tsunamis
          10. Volcanoes
          11. Avian Flu/Pandemics
        3. Human Threats
          1. Fire
          2. Theft, Sabotage, Vandalism
          3. Labor Disputes
          4. Workplace Violence
          5. Terrorism
          6. Chemical or Biological Hazards
          7. War
          8. Cyber Threats
            1. Cyber Crime
            2. Loss of Records or Data—Theft, Sabotage, Vandalism
            3. IT System Failure—Theft, Sabotage, Vandalism
        4. Infrastructure Threats
          1. Building Specific Failures
          2. Public Transportation Disruption
          3. Loss of Utilities
          4. Disruption to Oil or Petroleum Supplies
          5. Food or Water Contamination
          6. Regulatory or Legal Changes
        5. Looking Back
        6. Threat Checklist
      4. Threat Assessment Methodology
        1. Quantitative Threat Assessment
        2. Qualitative Threat Assessment
      5. Vulnerability Assessment
        1. People, Process, Technology, and Infrastructure
          1. People
          2. Process
          3. Technology
          4. Infrastructure
        2. Vulnerability Assessment
      6. Summary
    4. 31. Business Impact Analysis
      1. Introduction
      2. Business Impact Analysis Overview
        1. Upstream and Downstream Losses
        2. Understanding the Human Impact
          1. Key Positions
          2. Human Needs
      3. Understanding Impact Criticality
        1. Criticality Categories
          1. Mission-Critical
          2. Vital
          3. Important
          4. Minor
        2. Recovery Time Requirements
      4. Identifying Business Functions
        1. Facilities and Security
        2. Finance
        3. Human Resources
        4. IT
        5. Legal/Compliance
        6. Manufacturing (Assembly)
        7. Marketing and Sales
        8. Operations
        9. Research and Development
        10. Warehouse (Inventory, Order Fulfillment, Shipping, Receiving)
        11. Other Areas
      5. Gathering Data for the Business Impact Analysis
        1. Data Collection Methodologies
          1. Questionnaires
          2. Interviews
          3. Workshops
      6. Determining the Impact
      7. Business Impact Analysis Data Points
        1. Understanding IT Impact
        2. Example of Business Impact Analysis For Small Business
      8. Preparing the Business Impact Analysis Report
      9. Summary
    5. 32. Mitigation Strategy Development
      1. Introduction
      2. Types of Risk Mitigation Strategies
        1. Risk Acceptance
        2. Risk Avoidance
        3. Risk Limitation
        4. Risk Transference
      3. The Risk Mitigation Process
        1. Recovery Requirements
        2. Recovery Options
          1. As Needed
          2. Prearranged
          3. Preestablished
        3. Recovery Time of Options
        4. Cost versus Capability of Recovery Options
        5. Recovery Service Level Agreements
        6. Review Existing Controls
      4. Developing Your Risk Mitigation Strategy
        1. Sample 1: Section from Mitigation Strategy for Critical Data
        2. Sample 2: Section from Mitigation Strategy for Critical Data
      5. People, Buildings, and Infrastructure
      6. IT Risk Mitigation
        1. Critical Data and Records
        2. Critical Systems and Infrastructure
          1. Reviewing Critical System Priorities
      7. Backup and Recovery Considerations
        1. Alternate Business Processes
        2. IT Recovery Systems
          1. Alternate Sites
            1. Fully Mirrored Site
            2. Hot Site
            3. Warm Site
            4. Mobile Site
            5. Cold Site
            6. Reciprocal Site
          2. Disk Systems
            1. RAID
            2. Remote Journaling
            3. Replication
            4. Electronic Vaulting
            5. Standby Operating Systems
            6. Network-Attached Storage (NAS)
            7. Storage Area Network (SAN)
          3. Desktop Solutions
          4. Software and Licensing
          5. Web Sites
      8. Summary
    6. 33. Business Continuity/Disaster Recovery Plan Development
      1. Introduction
      2. Phases of the Business Continuity and Disaster Recovery
        1. Activation Phase
          1. Major Disaster or Disruption
          2. Intermediate Disaster or Disruption
          3. Minor Disaster or Disruption
          4. Activating BC/DR Teams
          5. Developing Triggers
          6. Transition Trigger—Activation to Recovery
        2. Recovery Phase
          1. Transition Trigger—Recovery to Continuity
        3. Business Continuity Phase
        4. Maintenance/Review Phase
      3. Defining BC/DR Teams and Key Personnel
        1. Crisis Management Team
        2. Management
        3. Damage Assessment Team
        4. Operations Assessment Team
        5. IT Team
        6. Administrative Support Team
        7. Transportation and Relocation Team
        8. Media Relations Team
        9. Human Resources Team
        10. Legal Affairs Team
        11. Physical/Personnel Security Team
        12. Procurement Team (Equipment and Supplies)
        13. General Team Guidelines
        14. BC/DR Contact Information
      4. Defining Tasks, Assigning Resources
        1. Alternate Site
          1. Selection Criteria
          2. Contractual Terms
          3. Comparison Process
          4. Acquisition and Testing
        2. Contracts for BC/DR Services
          1. Develop Clear Functional and Technical Requirements
          2. Determine Required Service Levels
          3. Compare Vendor Proposal/Response to Requirements
          4. Identify Requirements Not Met by Vendor Proposal
          5. Identify Vendor Options Not Specified in Requirements
      5. Communications Plans
        1. Internal
        2. Employee
        3. Customers and Vendors
        4. Shareholders
        5. The Community and the Public
      6. Event Logs, Change Control, and Appendices
        1. Event Logs
        2. Change Control
        3. Distribution
        4. Appendices
        5. Additional Resources
      7. What’s Next
      8. Summary
    7. 34. Emergency Response and Recovery
      1. Introduction
      2. Emergency Management Overview
      3. Emergency Response Plans
        1. Emergency Response Teams
      4. Crisis Management Team
        1. Emergency Response and Disaster Recovery
        2. Alternate Facilities Review and Management
        3. Communications
        4. Human Resources
        5. Legal
        6. Insurance
        7. Finance
      5. Disaster Recovery
        1. Activation Checklists
        2. Recovery Checklists
      6. IT Recovery Tasks
        1. Computer Incident Response
          1. CIRT Responsibilities
            1. Monitor
            2. Alert and Mobilize
            3. Assess and Stabilize
            4. Resolve
            5. Review
      7. Business Continuity
      8. Summary
    8. 35. Training, Testing, and Auditing
      1. Introduction
      2. Training for Disaster Recovery and Business Continuity
        1. Emergency Response
        2. Disaster Recovery and Business Continuity Training Overview
          1. Training Scope, Objectives, Timelines, and Requirements
          2. Performing Training Needs Assessment
          3. Developing Training
          4. Scheduling and Delivering Training
          5. Monitoring and Measuring Training
        3. Training and Testing for Your Business Continuity and Disaster Recovery Plan
        4. Paper Walk-through
          1. Develop Realistic Scenarios
          2. Develop Evaluation Criteria
          3. Provide Copies of the Plan
          4. Divide Participants by Team
          5. Use Checklists
          6. Take Notes
          7. Identify Training Needs
          8. Develop Summary and Lessons Learned
        5. Functional Exercises
        6. Field Exercises
        7. Full Interruption Test
        8. Training Plan Implementers
      3. Testing the BC/DR Plan
        1. Understanding of Processes
        2. Validation of Task Integration
        3. Confirm Steps
        4. Confirm Resources
        5. Familiarize with Information Flow
        6. Identify Gaps or Weaknesses
        7. Determines Cost and Feasibility
        8. Test Evaluation Criteria
        9. Recommendations
      4. Performing IT Systems and Security Audits
        1. IT Systems and Security Audits
      5. Summary
    9. 36. BC/DR Plan Maintenance
      1. Introduction
      2. BC/DR Plan Change Management
        1. Training, Testing, and Auditing
        2. Changes in Information Technologies
        3. Changes in Operations
        4. Corporate Changes
        5. Legal, Regulatory, or Compliance Changes
      3. Strategies for Managing Change
        1. Monitor Change
          1. People
          2. Process
          3. Technology
        2. Evaluate and Incorporate Change
      4. BC/DR Plan Audit
      5. Plan Maintenance Activities
      6. Project Close Out
      7. Summary
    10. 37. BC/DR Checklists
      1. Risk Assessment
        1. Threat and Vulnerability Assessment
        2. Business Impact Analysis
      2. Mitigation Strategies
      3. Crisis Communications Checklist
        1. Communication Checklist
        2. Message Content
      4. Business Continuity and Disaster Recovery Response Checklist
      5. Emergency and Recovery Response Checklist
        1. Activation Checklists
          1. Initial Response
          2. Damage and Situation Assessment
          3. Disaster Declaration and Notification
        2. Emergency Response Checklists
          1. Emergency Checklist One—General Emergency Response
          2. Emergency Checklist Two—Evacuation or Shelter-in-Place Response
          3. Emergency Checklist Three—Specific Emergency Responses
          4. Emergency Checklist Four—Emergency Response Contact List, Maps, Floor Plans
          5. Emergency Checklist Five—Emergency Supplies and Equipment
        3. Recovery Checklists
          1. Recovery Checklist One—General
          2. Recovery Checklist Two—Inspection, Assessment, and Salvage
      6. Business Continuity Checklist
        1. Resuming Work
          1. Resuming Work
          2. Human Resources
          3. Insurance and Legal
        2. Manufacturing, Warehouse, Production, and Operations
        3. Resuming Normal Operations
          1. Existing Facility
          2. New Facility
        4. Transition to Normalized Activities
      7. IT Recovery Checklists
        1. IT Recovery Checklist One—Infrastructure
        2. Recovery Checklist Two—Applications
        3. Recovery Checklist Three—Office Area and End-User Recovery
        4. Recovery Checklist Four—Business Process Recovery
        5. Recovery Checklist Five—Manufacturing, Production, and Operations Recovery
      8. Training, Testing, and Auditing Checklists
      9. Training and Testing
      10. IT Auditing
      11. BC/DR Plan Maintenance Checklist
      12. Change Management