Title:
IT security governance guidebook with security program metrics on CD-ROM
Personal Author:
Publication Information:
Boca Raton, FL : Auerbach Publications, 2007
Physical Description:
1 CD-ROM ; 12 cm.
ISBN:
9780849384356
General Note:
Accompanies text of the same title : (TK5105.59 C63 2007)
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010123320 | CP 8941 | Computer File Accompanies Open Access Book | Compact Disc Accompanies Open Access Book | Searching... |
On Order
Summary
Summary
The IT Security Governance Guidebook with Security Program Metrics on CD-ROM provides clear and concise explanations of key issues in information protection, describing the basic structure of information protection and enterprise protection programs. Including graphics to support the information in the text, this book includes both an overview of material as well as detailed explanations of specific issues. The accompanying CD-ROM offers a collection of metrics, formed from repeatable and comparable measurement, that are designed to correspond to the enterprise security governance model provided in the text, allowing an enterprise to measure its overall information protection program.
Table of Contents
| Executive Summary | p. xi |
| About This Material | p. xii |
| Chapter 1 The Structure of Information Protection | p. 1 |
| 1.1 A Comprehensive Information Protection Program | p. 1 |
| 1.1.1 The Architectural Model | p. 1 |
| 1.1.2 Risk Management | p. 3 |
| 1.1.3 How the Business Works | p. 5 |
| 1.1.4 How Information Technology Protection Works | p. 7 |
| 1.1.5 Interdependencies | p. 8 |
| 1.1.6 But How Much Is Enough? The Duty to Protect | p. 8 |
| 1.2 What Is Information Protection Governance All About? | p. 8 |
| 1.2.1 The Goal of Governance | p. 8 |
| 1.2.2 What Are the Aspects of Governance? | p. 10 |
| 1.2.2.1 Structures | p. 10 |
| 1.2.2.2 What Are the Rules? | p. 11 |
| 1.2.2.3 Principles and Standards | p. 12 |
| 1.2.2.4 Power and Influence | p. 13 |
| 1.2.2.5 Funding | p. 15 |
| 1.2.2.6 Enforcement Mechanisms | p. 17 |
| 1.2.2.7 Appeals Processes and Disputes | p. 20 |
| 1.2.3 The Overall Control System | p. 21 |
| 1.3 Fitting Protection into Business Structures | p. 22 |
| 1.3.1 Fitting In | p. 23 |
| 1.3.2 The Theory of Groups | p. 23 |
| 1.3.3 What Groups Are Needed | p. 24 |
| 1.4 Who Is in Charge and Who Does This Person Work for? | p. 25 |
| 1.4.1 The CISO | p. 25 |
| 1.4.2 The CISO's Team | p. 25 |
| 1.4.3 The Structure of the Groups | p. 27 |
| 1.4.4 Meetings and Groups the CISO Chairs or Operates | p. 28 |
| 1.4.5 Should the CISO Work for the CIO or Others? | p. 28 |
| 1.5 Should the CISO, CPO, CSO, or Others Be Combined? | p. 30 |
| 1.5.1 Where Should the CISO Be in the Corporate Structure? | p. 31 |
| 1.6 Budgets and Situations | p. 31 |
| 1.6.1 Direct Budget for the CISO | p. 31 |
| 1.6.2 Identifiable Costs | p. 31 |
| 1.7 Enforcement and Appeals Processes | p. 34 |
| 1.7.1 Top Management Buy-In and Support | p. 34 |
| 1.7.2 Power and Influence and Managing Change | p. 34 |
| 1.7.3 Responses to Power and Influence | p. 35 |
| 1.7.4 Other Power Issues | p. 35 |
| 1.8 The Control System | p. 36 |
| 1.8.1 Metrics | p. 37 |
| 1.8.1.1 Costs | p. 37 |
| 1.8.1.2 Performance | p. 37 |
| 1.8.1.3 Time | p. 38 |
| 1.8.1.4 Lower-Level Metrics | p. 38 |
| 1.9 How Long Will It Take? | p. 39 |
| 1.10 Summary | p. 41 |
| Chapter 2 Drill-Down | p. 43 |
| 2.1 How the Business Works | p. 44 |
| 2.2 The Security Oversight Function | p. 46 |
| 2.2.1 Duty to Protect | p. 47 |
| 2.2.1.1 Externally Imposed Duties | p. 47 |
| 2.2.1.2 Internally Imposed Duties | p. 47 |
| 2.2.1.3 Contractual Duties | p. 48 |
| 2.3 Risk Management and What to Protect | p. 48 |
| 2.3.1 Risk Evaluation | p. 48 |
| 2.3.1.1 Consequences | p. 48 |
| 2.3.1.2 Threats | p. 49 |
| 2.3.1.3 Vulnerabilities | p. 49 |
| 2.3.1.4 Interdependencies and Risk Aggregations | p. 50 |
| 2.3.2 Risk Treatment | p. 52 |
| 2.3.2.1 Risk Acceptance | p. 52 |
| 2.3.2.2 Risk Avoidance | p. 52 |
| 2.3.2.3 Risk Transfer | p. 52 |
| 2.3.2.4 Risk Mitigation | p. 52 |
| 2.3.3 What to Protect and How Well | p. 53 |
| 2.3.4 The Risk Management Space | p. 53 |
| 2.3.4.1 Risk Assessment Methodologies and Limitations | p. 54 |
| 2.3.4.2 Matching Surety to Risk | p. 55 |
| 2.3.5 Enterprise Risk Management Process: An Example | p. 58 |
| 2.3.5.1 The Risk Management Process | p. 59 |
| 2.3.5.2 Evaluation Processes to Be Used | p. 60 |
| 2.3.5.3 The Order of Analysis | p. 61 |
| 2.3.5.4 Selection of Mitigation Approach | p. 62 |
| 2.3.5.5 Specific Mitigations | p. 63 |
| 2.3.5.6 Specific Issues Mandated by Policy | p. 63 |
| 2.3.5.7 A Schedule of Risk Management Activities | p. 63 |
| 2.3.5.8 Initial Conditions | p. 64 |
| 2.3.5.9 Management's Role | p. 64 |
| 2.3.5.10 Reviews to Be Conducted | p. 65 |
| 2.3.6 Threat Assessment | p. 65 |
| 2.3.7 Fulfilling the Duties to Protect | p. 66 |
| 2.4 Security Governance | p. 69 |
| 2.4.1 Responsibilities at Organizational Levels | p. 69 |
| 2.4.2 Enterprise Security Management Architecture | p. 70 |
| 2.4.3 Groups That CISO Meets with or Creates and Chairs | p. 72 |
| 2.4.3.1 Top-Level Governance Board | p. 72 |
| 2.4.3.2 Business Unit Governance Boards | p. 72 |
| 2.4.3.3 Policy, Standards, and Procedures Group and Review Board | p. 73 |
| 2.4.3.4 Legal Group and Review Board | p. 74 |
| 2.4.3.5 Personnel Security Group and Review Board | p. 74 |
| 2.4.3.6 Risk Management Group | p. 75 |
| 2.4.3.7 Protection Testing and Change Control Group and Review Board | p. 75 |
| 2.4.3.8 Technical Safeguards Group and Review Board | p. 76 |
| 2.4.3.9 Zoning Boards and Similar Governance Entities | p. 77 |
| 2.4.3.10 Physical Security Group and Review Board | p. 77 |
| 2.4.3.11 Incident Handling Group and Review Board | p. 78 |
| 2.4.3.12 Audit Group and Review Board | p. 79 |
| 2.4.3.13 Awareness and Knowledge Group and Review Board | p. 80 |
| 2.4.3.14 Documentation Group | p. 81 |
| 2.4.4 Issues Relating to Separation of Duties | p. 81 |
| 2.4.5 Understanding and Applying Power and Influence | p. 81 |
| 2.4.5.1 Physical Power | p. 81 |
| 2.4.5.2 Resource Power | p. 82 |
| 2.4.5.3 Positional Power | p. 82 |
| 2.4.5.4 Expertise, Personal, and Emotional Power | p. 83 |
| 2.4.5.5 Persuasion Model | p. 84 |
| 2.4.5.6 Managing Change | p. 85 |
| 2.4.6 Organizational Perspectives | p. 91 |
| 2.4.6.1 Management | p. 91 |
| 2.4.6.2 Policy | p. 92 |
| 2.4.6.3 Standards | p. 93 |
| 2.4.6.4 Procedures | p. 95 |
| 2.4.6.5 Documentation | p. 96 |
| 2.4.6.6 Auditing | p. 97 |
| 2.4.6.7 Testing and Change Control | p. 97 |
| 2.4.6.8 Technical Safeguards: Information Technology | p. 98 |
| 2.4.6.9 Personnel | p. 101 |
| 2.4.6.10 Incident Handling | p. 102 |
| 2.4.6.11 Legal Issues | p. 104 |
| 2.4.6.12 Physical Security | p. 105 |
| 2.4.6.13 Knowledge | p. 107 |
| 2.4.6.14 Awareness | p. 108 |
| 2.4.6.15 Organization | p. 110 |
| 2.4.6.16 Summary of Perspectives | p. 111 |
| 2.5 Control Architecture | p. 111 |
| 2.5.1 Protection Objectives | p. 111 |
| 2.5.1.1 Integrity | p. 112 |
| 2.5.1.2 Availability | p. 113 |
| 2.5.1.3 Confidentiality | p. 113 |
| 2.5.1.4 Use Control | p. 115 |
| 2.5.1.5 Accountability | p. 116 |
| 2.5.2 Access Control Architecture | p. 118 |
| 2.5.3 Technical Architecture Functional Units and Composites | p. 118 |
| 2.5.4 Perimeter Architectures | p. 118 |
| 2.5.4.1 Physical Perimeter Architecture | p. 119 |
| 2.5.4.2 Logical Perimeter Architecture | p. 122 |
| 2.5.4.3 Perimeter Summary | p. 124 |
| 2.5.5 Access Process Architecture | p. 124 |
| 2.5.5.1 Identification | p. 124 |
| 2.5.5.2 Authentication | p. 125 |
| 2.5.5.3 Authorization | p. 125 |
| 2.5.5.4 Use | p. 126 |
| 2.5.6 Change Control Architecture | p. 126 |
| 2.5.6.1 Research and Development | p. 126 |
| 2.5.6.2 Change Control | p. 127 |
| 2.5.6.3 Production | p. 127 |
| 2.6 Technical Security Architecture | p. 127 |
| 2.6.1 Issues of Context | p. 127 |
| 2.6.1.1 Time ("When") | p. 127 |
| 2.6.1.2 Location ("Where") | p. 128 |
| 2.6.1.3 Purpose ("Why") | p. 129 |
| 2.6.1.4 Behaviors ("What") | p. 130 |
| 2.6.1.5 Identity ("Who") | p. 130 |
| 2.6.1.6 Method ("How") | p. 131 |
| 2.6.2 Life Cycles | p. 132 |
| 2.6.2.1 Business | p. 132 |
| 2.6.2.2 People | p. 134 |
| 2.6.2.3 Systems | p. 138 |
| 2.6.2.4 Data | p. 141 |
| 2.6.3 Protection Process: Data State | p. 146 |
| 2.6.3.1 Data at Rest | p. 147 |
| 2.6.3.2 Data in Motion | p. 152 |
| 2.6.3.3 Data in Use | p. 154 |
| 2.6.4 Protection Process: Attack and Defense | p. 155 |
| 2.6.4.1 Deter | p. 156 |
| 2.6.4.2 Prevent | p. 157 |
| 2.6.4.3 Detect | p. 159 |
| 2.6.4.4 React | p. 163 |
| 2.6.4.5 Adapt | p. 165 |
| 2.6.4.6 Detect/React Loop | p. 167 |
| 2.6.5 Protection Process: Work Flows | p. 168 |
| 2.6.5.1 Work to Be Done | p. 169 |
| 2.6.5.2 Process for Completion and Options | p. 169 |
| 2.6.5.3 Control Points and Approval Requirements | p. 170 |
| 2.6.5.4 Appeals Processes and Escalations | p. 170 |
| 2.6.5.5 Authentication Requirements and Mechanisms | p. 170 |
| 2.6.5.6 Authorization and Context Limitations | p. 171 |
| 2.6.5.7 Work Flow Documentation and Audit | p. 171 |
| 2.6.5.8 Control and Validation of the Engine(s) | p. 171 |
| 2.6.5.9 Risk Aggregation in the Engine(s) | p. 172 |
| 2.6.6 Protective Mechanisms | p. 172 |
| 2.6.6.1 Perception | p. 172 |
| 2.6.6.2 Structure | p. 173 |
| 2.6.6.3 Content Controls | p. 175 |
| 2.6.6.4 Behavior | p. 176 |
| 2.7 Roll-Up of the Drill-Down | p. 178 |
| Chapter 3 Summary and Conclusions | p. 181 |
| Index | p. 183 |
