Title:
Security planning and disaster recovery
Personal Author:
Publication Information:
New York : McGraw-Hill Osborne, 2002
ISBN:
9780072224634
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010020248 | TK5105.59 M36 2002 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
This volume provides information for creating and implementing a successful security and disaster recovery plan. Each chapter includes a hands-on security checklist with tasks to implement to ensure networks are safe.
Table of Contents
| Acknowledgments | p. xv |
| Introduction | p. xvii |
| Part I Guiding Principles in Plan Development | |
| 1 The Role of the Information Security Program | p. 3 |
| Getting Off on the Right Foot | p. 4 |
| Establishing the Role of Security | p. 5 |
| Reporting Structure | p. 6 |
| Mission Statement | p. 7 |
| Long-Term Goals | p. 8 |
| Short-Term Objectives | p. 10 |
| Relationships | p. 10 |
| Technical Relationships | p. 10 |
| Business Relationships | p. 13 |
| Checklist: Key Roles of the Program | p. 18 |
| 2 Laws and Regulations | p. 19 |
| Working with the Legal and Compliance Departments | p. 21 |
| Legal Background | p. 22 |
| Computer Fraud and Abuse Act of 1986 | p. 22 |
| Electronic Communications Privacy Act of 1986 | p. 24 |
| Computer Security Act of 1987 | p. 27 |
| National Information Infrastructure Protection Act of 1996 | p. 27 |
| Gramm-Leach-Bliley Financial Services Modernization Act | p. 29 |
| Health Insurance Portability and Accountability Act (HIPAA) | p. 33 |
| Resources | p. 37 |
| Checklist: Key Points in Information Security Legal Issues | p. 38 |
| 3 Assessments | p. 39 |
| Internal Audits | p. 40 |
| External Audits | p. 43 |
| Assessments | p. 44 |
| Self-Assessments | p. 44 |
| Vulnerability Assessments | p. 45 |
| Penetration Tests | p. 46 |
| Risk Assessments | p. 49 |
| Checklist: Key Points in Assessments | p. 53 |
| Part II Plan Implementation | |
| 4 Establishing Policies and Procedures | p. 57 |
| Purpose of Policies | p. 58 |
| Policies to Create | p. 59 |
| Acceptable Use Policy | p. 60 |
| Information Security Policy | p. 61 |
| Dealing with Existing Documents | p. 68 |
| Getting Buy-In | p. 69 |
| Policy Review | p. 70 |
| Checklist: Key Points in Establishing Policies and Procedures | p. 72 |
| 5 Implementing the Security Plan | p. 73 |
| Where to Start | p. 75 |
| Establish the Plan | p. 76 |
| Risk Assessment | p. 78 |
| Risk Reduction Plan | p. 78 |
| Develop Policies | p. 81 |
| Solution Deployment | p. 81 |
| Training | p. 82 |
| Audit and Reporting | p. 82 |
| Do It All Over Again | p. 83 |
| Working with System Administrators | p. 85 |
| Working with Management | p. 87 |
| Educating Users | p. 88 |
| Checklist: Key Points in Implementing the Security Plan | p. 89 |
| 6 Deploying New Projects and Technologies | p. 91 |
| New Business Projects | p. 92 |
| Requirements Definition | p. 94 |
| System Design | p. 97 |
| Internal Development | p. 111 |
| Third-Party Products | p. 112 |
| Test | p. 112 |
| Pilot | p. 112 |
| Full Production | p. 114 |
| Checklist: Key Points in Deploying Business Projects | p. 114 |
| 7 Security Training and Awareness | p. 117 |
| User Awareness | p. 119 |
| Management Awareness | p. 120 |
| Security Team Training and Awareness | p. 121 |
| Training Methods | p. 122 |
| Job Description | p. 123 |
| New Hire Orientation | p. 124 |
| Acceptable Use Policy | p. 125 |
| Formal Classroom Training | p. 125 |
| Seminars and Brown Bag Sessions | p. 126 |
| Newsletters and Web Sites | p. 127 |
| Campaigns | p. 128 |
| Conferences | p. 129 |
| Checklist: Key Points for Security Training and Awareness | p. 130 |
| 8 Monitoring Security | p. 131 |
| Policy Monitoring | p. 132 |
| Awareness | p. 132 |
| Systems | p. 133 |
| Employees | p. 134 |
| Computer Use | p. 135 |
| Network Monitoring | p. 136 |
| System Configurations | p. 136 |
| Attacks | p. 137 |
| Mechanisms to Monitor the Network | p. 137 |
| Audit Log Monitoring | p. 138 |
| Unauthorized Access | p. 139 |
| Inappropriate Behavior | p. 139 |
| Mechanisms for Effective Log Monitoring | p. 140 |
| Vulnerability Monitoring | p. 141 |
| Software Patches | p. 142 |
| Configuration Issues | p. 142 |
| Mechanisms to Identify Vulnerabilities | p. 143 |
| Checklist: Key Points in Monitoring Security | p. 146 |
| Part III Plan Administration | |
| 9 Budgeting for Security | p. 149 |
| Establishing the Need | p. 150 |
| Building the Budget | p. 153 |
| Other Considerations | p. 153 |
| Staffing Requirements | p. 154 |
| Training Costs | p. 156 |
| Software and Hardware Maintenance | p. 157 |
| Outside Services | p. 157 |
| New Products | p. 159 |
| Unexpected Costs | p. 160 |
| Stick to Your Budget | p. 160 |
| Checklist: Key Points in Security Program Budgeting | p. 161 |
| 10 The Security Staff | p. 163 |
| Skill Areas | p. 164 |
| Security Administration | p. 165 |
| Policy Development | p. 166 |
| Architecture | p. 167 |
| Research | p. 167 |
| Assessment | p. 167 |
| Audit | p. 168 |
| Hiring Good People | p. 168 |
| Work Ethic | p. 168 |
| Skills and Experience | p. 169 |
| Personality | p. 170 |
| Certifications | p. 172 |
| Small Organizations | p. 173 |
| Skills on the Staff | p. 173 |
| Finding Skills Outside of the Staff | p. 173 |
| Large Organizations | p. 175 |
| Basic Organization of the Security Department | p. 175 |
| Finding Skills Outside of the Staff | p. 175 |
| Checklist: Key Points in Hiring Staff | p. 176 |
| 11 Reporting | p. 177 |
| Progress on Project Plans | p. 178 |
| State of Security | p. 180 |
| Metrics | p. 180 |
| Risk Measurement | p. 183 |
| Return on Investment | p. 189 |
| Business Projects | p. 189 |
| Direct Savings | p. 189 |
| Incidents | p. 190 |
| Factual Account of Events | p. 190 |
| Vulnerabilities Exploited | p. 190 |
| Actions Taken | p. 191 |
| Recommendations | p. 191 |
| Audits | p. 191 |
| Security Department Response | p. 192 |
| Checklist: Key Points in Security Reporting | p. 192 |
| Part IV How to Respond to Incidents | |
| 12 Incident Response | p. 197 |
| The Team | p. 198 |
| Team Members | p. 198 |
| Leadership | p. 201 |
| Authority | p. 201 |
| Team Preparation | p. 202 |
| Identifying the Incident | p. 202 |
| What Is an Incident? | p. 202 |
| What to Look For | p. 203 |
| The Help Desk Can Help | p. 205 |
| Escalation | p. 206 |
| Investigation | p. 206 |
| Collecting Evidence | p. 207 |
| Determining Response | p. 208 |
| Containment | p. 209 |
| Eradication | p. 210 |
| Documentation | p. 211 |
| Before Documentation | p. 211 |
| During Documentation | p. 212 |
| After Documentation | p. 213 |
| Legal Issues | p. 214 |
| Monitoring | p. 214 |
| Evidence Collection | p. 214 |
| Checklist: Key Points in Incident Response | p. 215 |
| 13 Developing Contingency Plans | p. 217 |
| Defining Disasters | p. 218 |
| Identifying Critical Systems and Data | p. 221 |
| Business Impact Analysis | p. 221 |
| The Interview Process | p. 223 |
| Preparedness | p. 223 |
| Risk Analysis Items | p. 224 |
| Inventory | p. 224 |
| Funding | p. 226 |
| Justification | p. 227 |
| Allocation of Funds | p. 227 |
| Interorganizational Cooperation and Corporate Politics | p. 228 |
| Putting the Recovery Team and Steering Committee Together | p. 228 |
| General Procedures | p. 230 |
| Backups and Tape Storage | p. 231 |
| Resources | p. 233 |
| Checklist: Key Points for Contingency Plans | p. 234 |
| 14 Responding to Disasters | p. 235 |
| Reality Check | p. 236 |
| First Things First | p. 236 |
| Damage Assessment | p. 237 |
| Defining Authority and the Team | p. 238 |
| Assembling the Team | p. 238 |
| Assessing Available Skills | p. 240 |
| Setting Initial Priorities | p. 240 |
| Setting Goals | p. 241 |
| Following or Not Following the Plan | p. 241 |
| Phases of a Disaster | p. 242 |
| Response | p. 242 |
| Resumption | p. 244 |
| Recovery | p. 246 |
| Restoration | p. 248 |
| Checklist: Key Points in Disaster Response | p. 249 |
| Part V Appendixes | |
| A Handling Audits | p. 253 |
| Being Part of the Team | p. 254 |
| Information Gathering | p. 254 |
| Audit Report | p. 255 |
| Audit Response | p. 256 |
| Internal Audits | p. 256 |
| Regularly Scheduled Audits | p. 257 |
| Audits in Response to a Problem | p. 257 |
| External Audits | p. 258 |
| Financial Audits | p. 258 |
| SAS-70 | p. 260 |
| Security's Response to the Audit | p. 264 |
| Checklist: Key Points in Handling Audits | p. 265 |
| B Outsourcing Security | p. 267 |
| Services to Outsource | p. 268 |
| "Technical" Security Services | p. 269 |
| "People" Security Services | p. 269 |
| Choosing What to Outsource | p. 270 |
| Reasons for Outsourcing | p. 270 |
| Costs Involved in Outsourcing | p. 271 |
| Back to Risk Management | p. 272 |
| Choosing a Vendor | p. 273 |
| Services | p. 273 |
| Price | p. 274 |
| Other Issues | p. 274 |
| Working with the Vendor | p. 276 |
| Day-to-Day Interaction | p. 276 |
| Setting Expectations | p. 276 |
| Managing Risk | p. 277 |
| Checklist: Key Points in Outsourcing | p. 277 |
| C Managing New Security Projects | p. 279 |
| Defining Requirements | p. 280 |
| Security Requirements | p. 280 |
| Fail-over Requirements | p. 281 |
| Performance Requirements | p. 281 |
| Manageability Requirements | p. 282 |
| Integration Requirements | p. 283 |
| Writing the RFP | p. 283 |
| RFP Requirements | p. 284 |
| RFP Conditions of Acceptance | p. 284 |
| Evaluating Responses | p. 284 |
| Technical Responses | p. 284 |
| Non-technical Responses | p. 286 |
| Tradeoffs | p. 286 |
| Choosing the Vendor | p. 286 |
| Developing New Security Projects Internally | p. 287 |
| Integrating the Products with the Organization | p. 287 |
| Technology Integration | p. 287 |
| Procedural Integration | p. 288 |
| Security Product Integration | p. 288 |
| Checklist: Key Points in Deploying New Security Technology | p. 289 |
| Index | p. 291 |
