Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition

Information Security Architecture, Second Edition incorporates the knowledge developed during the past decade that has pushed the information security life cycle from infancy to a more mature, understandable, and manageable state. It simplifies security by providing clear and organized methods and by guiding you to the most effective resources available. In addition to the components of a successful Information Security Architecture (ISA) detailed in the previous edition, this volume also discusses computer incident/emergency response. The book describes in detail every one of the eight ISA components. Each chapter provides an understanding of the component and details how it relates to the other components of the architecture. The text also outlines how to establish an effective plan to implement each piece of the ISA within an organization. The second edition has been modified to provide security novices with a primer on general security methods. It has also been expanded to provide veteran security professionals with an understanding of issues related to recent legislation, information assurance, and the latest technologies, vulnerabilities, and responses.

Table of Contents:
INFORMATION SECURITY ARCHITECTURE Why an Architecture? Client/Server Environments Overview of Security Controls The Strategic Information Technology (IT) Plan Summary Getting Started SECURITY ORGANIZATION / INFRASTRUCTURE Learning Objectives The Security Organization The Executive Committee for Security The Chief Information Officer The Chief Financial Officer The Security Officer The Security Team Security Coordinators or Liaisons Departmental Management Network and Application Administrators Human Resources Legal Counsel Help Desk Audit System Users Centralized versus Decentralized Security Administration Information and Resource Ownership The Strategic Information Technology (IT) Plan Chapter Summary Getting Started: Project Management Starcross, Inc. Enterprisewide Information Security Architecture Business Need Approach, Scope, and Deliverables Key Milestones External Security Systems (ESS) Engagement Team Engagement Management Change Management Approach Deliverables Notes SECURITY POLICIES, STANDARDS, AND PROCEDURES Introduction Learning Objectives The Information Security Policy Information Security Policy Acknowledgment Form Network Usage Policy E-Mail Policy Internet Policy Internet Risk Process for Change Security Standards Standards Organizations Security Procedures Chapter Summary Getting Started Notes SECURITY BASELINES AND RISK ASSESSMENTS Information Security Assessment: A Phased Approach High-Level Security Assessment (Section I) Assessing the Organization of the Security Function Assessing the Security Plan Assessing Security Policies, Standards, and Procedures Assessing Risk-Related Programs Security Operations (Section II) Security Monitoring Computer Virus Controls Microcomputer Security Compliance with Legal and Regulatory Requirements Computer Operations (Section III) Physical and Environmental Security Backup and Recovery Computer Systems Management Problem Management Application Controls Assessments Access Controls Separation (or Segregation) of Duties Audit Trails Authentication Application Development and Implementation Change Management Database Security Network Assessments. Emergency Response Remote Access Gateways Separating the Corporate WAN and Lines of Business Current and Future Internet Connections Electronic Mail and the Virtual Office Placement of WAN Resources at Client Sites Operating System Security Assessment Windows NT Telecommunications Assessments Summary SECURITY AWARENESS AND TRAINING PROGRAM Program Objectives Employees Recognize Their Responsibility for Protecting the Enterprise's Information Assets Employees Understand the Value of Information Security Employees Recognize Potential Violations and Know Who to Contact The Level of Security Awareness among Existing Employees Remains High Program Considerations Effectiveness Is Based on Long-term Commitment of Resources and Funding Benefits Are Difficult to Measure in the Short Term Scoping the Target Audience Effectively Reaching the Target Audience Security Organizations Summary Getting Started - Program Development COMPLIANCE Level One Compliance: The Component Owner Level Two Compliance: The Audit Function Level Three Compliance: The Security Team Line of Business (LOB) Security Plan Enterprise Management Tools Summary PITFALLS TO AN EFFECTIVE ISA PROGRAM Lack of a Project Sponsor and Executive Management Support Executive-Level Responsibilities Executive Management's Lack of Understanding of Realistic Risk Lack of Resources The Impact of Mergers and Acquisitions on Disparate Systems Independent Operations throughout Business Units Discord Between Mainframe versus Distributed Computing Cultures Fostering Trust in the Organization Mom-and-Pop Shop Beginnings Third-Party and Remote Network Management The Rate of Change in Technology Summary Getting Started COMPUTER INCIDENT / EMERGENCY RESPONSE Introduction Learning Objectives CERT®/CC CSIRT Goals and Responsibilities Reactive Services Alerts and Warnings Incident Handling Vulnerability Handling Artifact Handling Incident Response Handling Methodology Reporting Incident Classification Triage Identification Incident Analysis Incident Response Incident Response Coordination Key Organizations Containment Eradication Recovery Notification Development of the CSIRT Issues in Developing a CSIRT Funding Management Buy-In Staffing and Training Policy Development Legal Issues Reevaluation of CSIRT Operations Chapter Summary Getting Started Notes CONCLUSION APPENDIXES Information Security Policy Information Security Policy Acknowledgment Form Network Computing Policy E-Mail Security Policy Internet Policy Security Lists Security Standards and Procedures Manual Table of Anti-Virus Update Procedure Security Assessment Workplan Applications Security Assessment Network Security Assessment Workplan Windows NT Assessment Workplan Telecommunications Security Assessment Workplan Computer Incidence/Emergency Response Plan Sample Line of Business Security Plan Intrusion Checklist