Title:
Security planning and disaster recovery
Personal Author:
Publication Information:
New York : McGraw-Hill Osborne, 2002
ISBN:
9780072224634
Added Author:
Available:
Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|
30000010020248 | TK5105.59 M36 2002 | Open Access Book | Book | On Order |
Summary
This volume provides information for creating and implementing a successful security and disaster recovery plan. Each chapter includes a hands-on security checklist with tasks to implement to ensure networks are safe.
Table of Contents
Section | Page |
---|---|
Acknowledgments | p. xv |
Introduction | p. xvii |
Part I Guiding Principles in Plan Development | |
1 The Role of the Information Security Program | p. 3 |
Getting Off on the Right Foot | p. 4 |
Establishing the Role of Security | p. 5 |
Reporting Structure | p. 6 |
Mission Statement | p. 7 |
Long-Term Goals | p. 8 |
Short-Term Objectives | p. 10 |
Relationships | p. 10 |
Technical Relationships | p. 10 |
Business Relationships | p. 13 |
Checklist: Key Roles of the Program | p. 18 |
2 Laws and Regulations | p. 19 |
Working with the Legal and Compliance Departments | p. 21 |
Legal Background | p. 22 |
Computer Fraud and Abuse Act of 1986 | p. 22 |
Electronic Communications Privacy Act of 1986 | p. 24 |
Computer Security Act of 1987 | p. 27 |
National Information Infrastructure Protection Act of 1996 | p. 27 |
Gramm-Leach-Bliley Financial Services Modernization Act | p. 29 |
Health Insurance Portability and Accountability Act (HIPAA) | p. 33 |
Resources | p. 37 |
Checklist: Key Points in Information Security Legal Issues | p. 38 |
3 Assessments | p. 39 |
Internal Audits | p. 40 |
External Audits | p. 43 |
Assessments | p. 44 |
Self-Assessments | p. 44 |
Vulnerability Assessments | p. 45 |
Penetration Tests | p. 46 |
Risk Assessments | p. 49 |
Checklist: Key Points in Assessments | p. 53 |
Part II Plan Implementation | |
4 Establishing Policies and Procedures | p. 57 |
Purpose of Policies | p. 58 |
Policies to Create | p. 59 |
Acceptable Use Policy | p. 60 |
Information Security Policy | p. 61 |
Dealing with Existing Documents | p. 68 |
Getting Buy-In | p. 69 |
Policy Review | p. 70 |
Checklist: Key Points in Establishing Policies and Procedures | p. 72 |
5 Implementing the Security Plan | p. 73 |
Where to Start | p. 75 |
Establish the Plan | p. 76 |
Risk Assessment | p. 78 |
Risk Reduction Plan | p. 78 |
Develop Policies | p. 81 |
Solution Deployment | p. 81 |
Training | p. 82 |
Audit and Reporting | p. 82 |
Do It All Over Again | p. 83 |
Working with System Administrators | p. 85 |
Working with Management | p. 87 |
Educating Users | p. 88 |
Checklist: Key Points in Implementing the Security Plan | p. 89 |
6 Deploying New Projects and Technologies | p. 91 |
New Business Projects | p. 92 |
Requirements Definition | p. 94 |
System Design | p. 97 |
Internal Development | p. 111 |
Third-Party Products | p. 112 |
Test | p. 112 |
Pilot | p. 112 |
Full Production | p. 114 |
Checklist: Key Points in Deploying Business Projects | p. 114 |
7 Security Training and Awareness | p. 117 |
User Awareness | p. 119 |
Management Awareness | p. 120 |
Security Team Training and Awareness | p. 121 |
Training Methods | p. 122 |
Job Description | p. 123 |
New Hire Orientation | p. 124 |
Acceptable Use Policy | p. 125 |
Formal Classroom Training | p. 125 |
Seminars and Brown Bag Sessions | p. 126 |
Newsletters and Web Sites | p. 127 |
Campaigns | p. 128 |
Conferences | p. 129 |
Checklist: Key Points for Security Training and Awareness | p. 130 |
8 Monitoring Security | p. 131 |
Policy Monitoring | p. 132 |
Awareness | p. 132 |
Systems | p. 133 |
Employees | p. 134 |
Computer Use | p. 135 |
Network Monitoring | p. 136 |
System Configurations | p. 136 |
Attacks | p. 137 |
Mechanisms to Monitor the Network | p. 137 |
Audit Log Monitoring | p. 138 |
Unauthorized Access | p. 139 |
Inappropriate Behavior | p. 139 |
Mechanisms for Effective Log Monitoring | p. 140 |
Vulnerability Monitoring | p. 141 |
Software Patches | p. 142 |
Configuration Issues | p. 142 |
Mechanisms to Identify Vulnerabilities | p. 143 |
Checklist: Key Points in Monitoring Security | p. 146 |
Part III Plan Administration | |
9 Budgeting for Security | p. 149 |
Establishing the Need | p. 150 |
Building the Budget | p. 153 |
Other Considerations | p. 153 |
Staffing Requirements | p. 154 |
Training Costs | p. 156 |
Software and Hardware Maintenance | p. 157 |
Outside Services | p. 157 |
New Products | p. 159 |
Unexpected Costs | p. 160 |
Stick to Your Budget | p. 160 |
Checklist: Key Points in Security Program Budgeting | p. 161 |
10 The Security Staff | p. 163 |
Skill Areas | p. 164 |
Security Administration | p. 165 |
Policy Development | p. 166 |
Architecture | p. 167 |
Research | p. 167 |
Assessment | p. 167 |
Audit | p. 168 |
Hiring Good People | p. 168 |
Work Ethic | p. 168 |
Skills and Experience | p. 169 |
Personality | p. 170 |
Certifications | p. 172 |
Small Organizations | p. 173 |
Skills on the Staff | p. 173 |
Finding Skills Outside of the Staff | p. 173 |
Large Organizations | p. 175 |
Basic Organization of the Security Department | p. 175 |
Finding Skills Outside of the Staff | p. 175 |
Checklist: Key Points in Hiring Staff | p. 176 |
11 Reporting | p. 177 |
Progress on Project Plans | p. 178 |
State of Security | p. 180 |
Metrics | p. 180 |
Risk Measurement | p. 183 |
Return on Investment | p. 189 |
Business Projects | p. 189 |
Direct Savings | p. 189 |
Incidents | p. 190 |
Factual Account of Events | p. 190 |
Vulnerabilities Exploited | p. 190 |
Actions Taken | p. 191 |
Recommendations | p. 191 |
Audits | p. 191 |
Security Department Response | p. 192 |
Checklist: Key Points in Security Reporting | p. 192 |
Part IV How to Respond to Incidents | |
12 Incident Response | p. 197 |
The Team | p. 198 |
Team Members | p. 198 |
Leadership | p. 201 |
Authority | p. 201 |
Team Preparation | p. 202 |
Identifying the Incident | p. 202 |
What Is an Incident? | p. 202 |
What to Look For | p. 203 |
The Help Desk Can Help | p. 205 |
Escalation | p. 206 |
Investigation | p. 206 |
Collecting Evidence | p. 207 |
Determining Response | p. 208 |
Containment | p. 209 |
Eradication | p. 210 |
Documentation | p. 211 |
Before Documentation | p. 211 |
During Documentation | p. 212 |
After Documentation | p. 213 |
Legal Issues | p. 214 |
Monitoring | p. 214 |
Evidence Collection | p. 214 |
Checklist: Key Points in Incident Response | p. 215 |
13 Developing Contingency Plans | p. 217 |
Defining Disasters | p. 218 |
Identifying Critical Systems and Data | p. 221 |
Business Impact Analysis | p. 221 |
The Interview Process | p. 223 |
Preparedness | p. 223 |
Risk Analysis Items | p. 224 |
Inventory | p. 224 |
Funding | p. 226 |
Justification | p. 227 |
Allocation of Funds | p. 227 |
Interorganizational Cooperation and Corporate Politics | p. 228 |
Putting the Recovery Team and Steering Committee Together | p. 228 |
General Procedures | p. 230 |
Backups and Tape Storage | p. 231 |
Resources | p. 233 |
Checklist: Key Points for Contingency Plans | p. 234 |
14 Responding to Disasters | p. 235 |
Reality Check | p. 236 |
First Things First | p. 236 |
Damage Assessment | p. 237 |
Defining Authority and the Team | p. 238 |
Assembling the Team | p. 238 |
Assessing Available Skills | p. 240 |
Setting Initial Priorities | p. 240 |
Setting Goals | p. 241 |
Following or Not Following the Plan | p. 241 |
Phases of a Disaster | p. 242 |
Response | p. 242 |
Resumption | p. 244 |
Recovery | p. 246 |
Restoration | p. 248 |
Checklist: Key Points in Disaster Response | p. 249 |
Part V Appendixes | |
A Handling Audits | p. 253 |
Being Part of the Team | p. 254 |
Information Gathering | p. 254 |
Audit Report | p. 255 |
Audit Response | p. 256 |
Internal Audits | p. 256 |
Regularly Scheduled Audits | p. 257 |
Audits in Response to a Problem | p. 257 |
External Audits | p. 258 |
Financial Audits | p. 258 |
SAS-70 | p. 260 |
Security's Response to the Audit | p. 264 |
Checklist: Key Points in Handling Audits | p. 265 |
B Outsourcing Security | p. 267 |
Services to Outsource | p. 268 |
"Technical" Security Services | p. 269 |
"People" Security Services | p. 269 |
Choosing What to Outsource | p. 270 |
Reasons for Outsourcing | p. 270 |
Costs Involved in Outsourcing | p. 271 |
Back to Risk Management | p. 272 |
Choosing a Vendor | p. 273 |
Services | p. 273 |
Price | p. 274 |
Other Issues | p. 274 |
Working with the Vendor | p. 276 |
Day-to-Day Interaction | p. 276 |
Setting Expectations | p. 276 |
Managing Risk | p. 277 |
Checklist: Key Points in Outsourcing | p. 277 |
C Managing New Security Projects | p. 279 |
Defining Requirements | p. 280 |
Security Requirements | p. 280 |
Fail-over Requirements | p. 281 |
Performance Requirements | p. 281 |
Manageability Requirements | p. 282 |
Integration Requirements | p. 283 |
Writing the RFP | p. 283 |
RFP Requirements | p. 284 |
RFP Conditions of Acceptance | p. 284 |
Evaluating Responses | p. 284 |
Technical Responses | p. 284 |
Non-technical Responses | p. 286 |
Tradeoffs | p. 286 |
Choosing the Vendor | p. 286 |
Developing New Security Projects Internally | p. 287 |
Integrating the Products with the Organization | p. 287 |
Technology Integration | p. 287 |
Procedural Integration | p. 288 |
Security Product Integration | p. 288 |
Checklist: Key Points in Deploying New Security Technology | p. 289 |
Index | p. 291 |