Written by two INFOSEC experts, this book provides a systematic and practical approach for establishing, managing, and operating a comprehensive Information Assurance (IA) program. It is designed to give ISSO managers, security managers, and INFOSEC professionals an understanding of the essential issues involved in developing and applying a targeted information security posture in public and private corporations and in government agencies.
Corporations and the security industry alike need better approaches for measuring an organization's information security risks and its overall security posture. Information Assurance explains and defines the theories and processes that help a company protect its proprietary information, including:
* The need to assess the current level of risk.
* The need to determine what can affect that risk.
* The need to determine how the risk can be reduced.
The authors lay out a detailed strategy for defining information security, establishing IA goals, providing security awareness training, and conducting a rigorous incident response to system compromise. Topics such as defense in depth, configuration management, IA legal issues, and the importance of establishing an IT baseline are covered in depth from an organizational and managerial decision-making perspective.
* Experience-based theory presented in a logical and comprehensive manner.
* Management-focused coverage that includes establishing an IT security posture, implementing organizational awareness and training, and understanding the dynamics of new technologies.
* Numerous real-world examples that provide a baseline for assessment and comparison.
Author(s): Joseph Boyce, Daniel Jennings
Edition: 1st
Year: 2002
Language: English
Pages: 261
Front Cover......Page 1
Information Assurance: Managing Organizational IT Security Risks......Page 4
Copyright Page......Page 5
Contents......Page 8
Foreword......Page 12
Preface......Page 16
Acknowledgments......Page 22
PART I: THE ORGANIZATIONAL IA PROGRAM: THE PRACTICAL AND CONCEPTUAL FOUNDATION......Page 24
The Rights of Organizations......Page 26
The Contribution of Information and Information Technology (IT) to Achieving the Rights of Organizations......Page 28
The Emergence of New Challenges......Page 29
References......Page 34
Basic Security Concepts and Principles......Page 36
Basic Security Strategy......Page 53
References......Page 58
PART II: DEFINING THE ORGANIZATION’S CURRENT IA POSTURE......Page 60
Information Assurance Elements......Page 62
References......Page 75
Identifying Your Security Protection Priorities......Page 76
Measuring the Accomplishment of Organizational IA Needs......Page 87
References......Page 88
Introduction......Page 90
The Process for Determining Organizational IA Posture......Page 93
Summary......Page 105
References......Page 106
PART III: ESTABLISHING AND MANAGING AN IA DEFENSE IN DEPTH STRATEGY WITHIN AN ORGANIZATION......Page 108
The Concept of Policy......Page 110
The Intent and Significance of IA Policies......Page 111
The Mechanics of Developing, Communicating, and Enforcing IA Policies......Page 113
References......Page 116
Establishing an IA Management Program......Page 118
Managing IA......Page 130
References......Page 133
The Objectives of the IA Architecture......Page 136
Knowledge Required to Design the IA Architecture......Page 137
The Design of the Organization’s IA Architecture......Page 148
Allocation of Security Services and Security Mechanisms......Page 159
The Implementation of the Organization’s IA Architecture......Page 165
References......Page 166
Administering Information Systems Security......Page 168
Summary......Page 174
References......Page 175
The Necessity of Managing Changes to the IA Baseline......Page 176
Configuration Management: An Approach for Managing IA Baseline Changes......Page 177
Summary......Page 184
References......Page 185
Security Throughout the System Life Cycle......Page 186
Reference......Page 193
Planning for the Worst......Page 194
Reference......Page 197
The Importance of IA Education, Training, and Awareness......Page 198
Implementation of Organizational IA Education, Training, and Awareness......Page 199
References......Page 202
The Implementers of IA Policy Compliance Oversight......Page 204
Mechanisms of IA Policy Compliance Oversight......Page 205
Summary......Page 210
References......Page 211
Reacting and Responding to IA Incidents......Page 212
Summary......Page 218
References......Page 219
The Development of an IA Reporting Structure and Process......Page 220
References......Page 223
APPENDICES......Page 224
Threat Category......Page 226
Definitions......Page 230
Reference......Page 231
Appendix B. Listing of Threat Statuses......Page 232
Vendor-Specific Security Information......Page 234
Vendor-Specific Security Patches......Page 235
Appendix D. IA Policy Web Sites......Page 236
Major Policy Subjects......Page 238
Appendix F. Sample IA Manager Appointment Letter......Page 244
Appendix G. Sample Outline for IA Master Plan......Page 246
Password and Access Controls......Page 248
Security Operations/Management......Page 249
Incident Response and Handling......Page 250
Appendix I. Information Assurance Self-Inspection Checklist......Page 252
Appendix J. Sample Outline for a Disaster Recovery Plan (DRP)......Page 274
References......Page 275
Appendix K. Sample Threat Response Matrix......Page 276
About the Authors......Page 278
Index......Page 280