Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|---|
 | 30000010196806 | HF5548.37 E57 2009 | Open Access Book | Book | |
On Order
Summary
Here's a unique and practical book that addresses the rapidly growing problem of information security, privacy, and secrecy threats and vulnerabilities. This authoritative resource helps you understand what really needs to be done to protect sensitive data and systems and how to comply with the burgeoning roster of data protection laws and regulations. The book examines the effectiveness and weaknesses of current approaches and guides you towards practical methods and doable processes that can bring about real improvement in the overall security environment. You gain insight into the latest security and privacy trends, learn how to determine and mitigate risks, and discover the specific dangers and responses regarding the most critical sectors of a modern economy.
Author Notes
C. Warren Axelrod is the research director for financial services for the U.S. Cyber Consequences Unit and an executive adviser to the Financial Services Technology Consortium. Previously, he was the chief privacy officer and business information security officer for U.S. Trust. He has been a senior information technology executive in financial services for more than 25 years, has contributed to numerous conferences and seminars, and has published extensively. Dr. Axelrod is the author of Outsourcing Information Security (Artech House, 2004). He holds a Ph.D. in managerial economics from Cornell University and a B.Sc. in electrical engineering and an M.A. in economics and statistics from Glasgow University. He is certified as a CISSP and CISM.
Jennifer L. Bayuk is an independent consultant on topics including information security policy, process, management, and metrics. Ms. Bayuk has been a chief information officer at a major financial firm, a manager of information systems auditing, a Big 4 security consultant and auditor, and a security software engineer at AT&T Bell Laboratories. She is a well-published author and holds master's degrees in computer science and philosophy.
Daniel Schutzer is the executive director of the Financial Services Technology Consortium (FSTC), responsible for its day-to-day operation. He is also a member of the BITS Advisory Council, an ASC X9 board member and a fellow of the New York Academy of Sciences. He was previously a director and senior vice president of Citigroup for over 23 years. Dr. Schutzer holds an M.S.E.E. and a Ph.D. from Syracuse University and a B.S.E.E. from City College of New York. He has authored more than 65 publications and 7 books.
Table of Contents
Foreword | p. xiii |
Preface | p. xix |
Acknowledgments | p. xxiii |
Part I Trends | p. 1 |
1 Privacy Roles and Responsibilities | p. 3 |
1.1 Background | p. 4 |
1.2 Observations | p. 8 |
1.3 Recommendations | p. 12 |
1.3.1 Roles and Responsibilities of Information Security | p. 14 |
1.3.2 The Impact of Outsourcing: Privacy, Security, and Enforcing Controls | p. 16 |
1.3.3 Privacy and New Roles for Information Security | p. 16 |
1.4 Future Trends | p. 18 |
2 Data Protection | p. 21 |
2.1 Background | p. 21 |
2.2 Observations | p. 24 |
2.3 Recommendations | p. 27 |
2.3.1 Formalize a Trust Model | p. 28 |
2.3.2 Utilize an Integrated and Holistic Approach to Security and Governance | p. 30 |
2.3.3 Implement a Risk-Based Systemic Security Architecture | p. 32 |
2.3.4 Support an Adaptive Security Approach to Security | p. 36 |
2.3.5 Build Systems, Applications, Networks, Protocols, and Others Using Accepted Standards | p. 37 |
2.4 Future Trends | p. 40 |
3 IT Operational Pressures on Information Security | p. 41 |
3.1 Background | p. 41 |
3.1.1 IT Operations and IT Service Development Impede Information Security Goals | p. 42 |
3.1.2 Information Security Impedes IT Operations and IT Service Development Goals | p. 43 |
3.1.3 Information Security Using a Technology-Centric, Bottom-Up Risk Model | p. 44 |
3.2 Observations | p. 45 |
3.3 Recommendations | p. 48 |
3.3.1 Stabilize the Patient and Get Plugged into Production | p. 51 |
3.3.2 Find Business Risks, Identify Controls, and Fix Fragile Artifacts | p. 53 |
3.3.3 Implement Development and Release Controls | p. 55 |
3.3.4 Continually Improve | p. 56 |
3.4 Future Trends | p. 57 |
4 Information Classification | p. 59 |
4.1 Background | p. 60 |
4.2 Observations | p. 62 |
4.3 Recommendations | p. 65 |
4.4 Future Trends | p. 69 |
5 Human Factors | p. 71 |
5.1 Background | p. 72 |
5.1.1 Historical Perspective on Privacy | p. 73 |
5.1.2 Impact of Technology on Privacy | p. 74 |
5.1.3 Privacy in a Corporate Setting | p. 76 |
5.1.4 Evolution of Personal Information | p. 76 |
5.2 Observations | p. 77 |
5.2.1 Privacy Trade-offs: Human Behavioral Impact on Privacy | p. 77 |
5.2.2 What is Risk? | p. 80 |
5.3 Recommendations | p. 83 |
5.4 Future Trends | p. 87 |
Acknowledgments | p. 87 |
Part II Risks | p. 89 |
6 Making the Case for Replacing Risk-Based Security | p. 91 |
6.1 Introduction | p. 92 |
6.1.1 Understanding Security Risk | p. 92 |
6.2 Why Risk Assessment and Risk Management Fail | p. 95 |
6.2.1 Misplaced Support for Risk-Based Security in Practice | p. 97 |
6.2.2 Alternatives to Security Risk Assessment | p. 99 |
6.3 Conclusion | p. 101 |
7 The Economics of Loss | p. 103 |
7.1 Security as the Prevention of Loss | p. 104 |
7.2 Quantifying the Risk of Loss | p. 105 |
7.3 Refining the Basic Risk Equation | p. 106 |
7.4 The Problem of Quantifying Loss Itself | p. 106 |
7.5 Confronting the Reality of Hypothetical Actions | p. 107 |
7.6 Overcoming the Fixation on Assets | p. 108 |
7.7 Overcoming the Fixation on Market Value | p. 108 |
7.8 Overcoming the Fixation on Productivity | p. 110 |
7.9 Overcoming the Neglect of Substitutes | p. 111 |
7.10 Taking Account of the Duration and Extent of the Effects | p. 112 |
7.11 Distinguishing Between the Different Business Categories of Attacks | p. 113 |
7.12 Putting the Proper Risk Estimates Back into the ROI Calculation | p. 114 |
8 Legal and Regulatory Obligations | p. 115 |
8.1 The Expanding Duty to Provide Security | p. 116 |
8.1.1 Where Does It Come From? | p. 116 |
8.1.2 What Is Covered? | p. 118 |
8.2 The Emergence of a Legal Standard for Compliance | p. 120 |
8.2.1 The Developing Legal Definition of "Reasonable Security" | p. 122 |
8.2.2 An Increasing Focus on Specific Data Elements and Controls | p. 128 |
8.3 The Imposition of a Duty to Warn of Security Breaches | p. 131 |
8.3.1 The Basic Obligation | p. 132 |
8.3.2 International Adoption | p. 134 |
8.4 Conclusion | p. 135 |
9 Telecommunications | p. 137 |
9.1 Security Issues in Mobile Telecommunications | p. 138 |
9.1.1 Pressure on the Perimeter Model | p. 138 |
9.1.2 Computer Security Threats for Portable Devices | p. 139 |
9.2 Security Issues in Global Telecommunications | p. 140 |
9.2.1 Global Cooperation on Cyber Attack | p. 140 |
9.2.2 Global Attention to Software Piracy | p. 141 |
9.3 Security Issues in Internet Protocol-Based Telecommunications | p. 141 |
9.3.1 Reduced Technological Diversity | p. 142 |
9.3.2 Increased Reliance on Shared, Decentralized Internet-Based Systems | p. 142 |
9.4 Security Issues in Bandwidth-Increasing Telecommunications | p. 143 |
9.4.1 Residential Users Have Greater Security Responsibility | p. 143 |
9.4.2 Botnets Become a Huge Threat to the Global Economy | p. 144 |
References | p. 146 |
Part III Experience | p. 147 |
10 Financial Services | p. 149 |
10.1 Laws, Regulations, and Supervisory Requirements | p. 150 |
10.1.1 Gramm-Leach-Bliley Act of 1999 | p. 153 |
10.1.2 The Sarbanes-Oxley Act of 2002 | p. 154 |
10.1.3 The Fair and Accurate Credit Transactions Act of 2003 | p. 154 |
10.1.4 Breach Notification Requirements | p. 155 |
10.1.5 Supervisory Guidance | p. 158 |
10.2 Future Focus | p. 160 |
10.2.1 Identity Theft Prevention | p. 160 |
10.2.2 Outsourcing and Offshoring | p. 160 |
10.2.3 Cross-Border Data Flows | p. 161 |
10.2.4 Encryption | p. 161 |
10.2.5 Online Behavioral Advertising | p. 162 |
10.2.6 Internet Governance | p. 162 |
10.2.7 Wireless Security | p. 162 |
10.2.8 Capital Requirements for Operational Risk | p. 162 |
10.2.9 Security of Web-Based Business Applications | p. 163 |
10.2.10 Other Future Focuses in Financial Sector Security | p. 163 |
10.3 Compliance Challenges | p. 163 |
11 Energy | p. 165 |
11.1 Overview of Sector | p. 166 |
11.2 Risks Related to Security and Privacy | p. 169 |
11.3 How Risks Are Addressed | p. 171 |
11.4 Documentation and Its Relation to Information Security | p. 174 |
11.5 Conclusion | p. 177 |
Acknowledgments | p. 178 |
Selected Bibliography | p. 178 |
12 Transportation Security | p. 181 |
12.1 Overview | p. 182 |
12.2 Technology's Role in Transportation Security | p. 183 |
12.3 Security in Transit | p. 187 |
12.4 Best Practices Applied | p. 189 |
13 Academia | p. 191 |
13.1 Overview | p. 192 |
13.1.1 Age and Demographics | p. 192 |
13.1.2 You Cannot Fire Me | p. 192 |
13.1.3 Hard to Educate Users | p. 192 |
13.1.4 Lax Controls | p. 193 |
13.1.5 How Everything Is Connected | p. 193 |
13.2 Case Studies | p. 193 |
13.2.1 Case Study: Social Networking and Crimeware | p. 194 |
13.2.2 Case Study: Social Phishing | p. 196 |
13.2.3 Case Study: Infected Access Points | p. 196 |
13.3 Protection | p. 197 |
References | p. 197 |
Appendix A Key Information Security Law References | p. 199 |
A.1 Federal Statutes | p. 199 |
A.2 State Statutes | p. 200 |
A.3 Federal Regulations | p. 204 |
A.4 State Regulations | p. 206 |
A.5 Court Decisions | p. 206 |
A.6 FTC Decisions and Consent Decrees | p. 207 |
A.7 State Attorneys General Consent Decrees | p. 208 |
A.8 European Union: Directives | p. 209 |
A.9 European Union: Security Provisions in Country Implementations of Data Protection Directive | p. 209 |
A.10 Other Countries | p. 212 |
About the Authors | p. 213 |
Index | p. 223 |