Title:
Enterprise architecture and information assurance : developing a secure foundation
Personal Author:
Scholz, James A.
Publication Information:
Boca Raton : CRC Press, Taylor & Francis Group, 2014
Physical Description:
xxv, 240 p. : ill. ; 26 cm.
ISBN:
9781439841594

Holdings:
Item Barcode: 30000010324830
Call Number: QA76.9.D314 S34 2014
Material Type: Open Access Book
Item Category 1: Book
Summary

Securing against operational interruptions and the theft of your data is much too important to leave to chance. By planning for the worst, you can ensure your organization is prepared for the unexpected. Enterprise Architecture and Information Assurance: Developing a Secure Foundation explains how to design complex, highly available, and secure enterprise architectures that integrate the most critical aspects of your organization's business processes.

Filled with time-tested guidance, the book describes how to document and map the security policies and procedures needed to ensure cost-effective organizational and system security controls across your entire enterprise. It also demonstrates how to evaluate your network and business model to determine if they fit well together. The book's comprehensive coverage includes:

Infrastructure security model components
Systems security categorization
Business impact analysis
Risk management and mitigation
Security configuration management
Contingency planning
Physical security
The certification and accreditation process

To help you understand and reduce security liabilities, the book provides sample rules of engagement, lists of NIST and FIPS references, and a sample certification statement. Coverage includes network and application vulnerability assessments, intrusion detection, penetration testing, incident response planning, risk mitigation audits and reviews, and business continuity and disaster recovery planning.

The book explains why security must come first. By following the procedures it outlines, you will gain an understanding of your infrastructure and of what requires further attention.


Author Notes

James A. Scholz is a veteran who served 20 years in the US Army. As a soldier he served as an explosive ordnance disposal technician for 17 years (10 of them stationed at Fort Leonard Wood, Missouri), and part of his responsibilities was to ensure the security of presidents, vice presidents, and foreign dignitaries as they traveled throughout the nation and abroad. James was awarded the Bronze Star for Valor, a Bronze Star, multiple Meritorious Service Medals, and the South West Asia Campaign Medal.

James served as the single responsible person for a $1.8 million budget and as a Class "A" Agent for the US Army overseas. James served as a Reserve Deputy Sheriff and a Crime Scene Technician with the El Paso County Sheriff's Department, Texas, from 1993 through 1996. James is President and CEO of a small, service-disabled veteran-owned business that provides disaster recovery, business continuity, physical, and logical security services to federal agencies. James has 31 years' experience working with the federal government at all levels and has supported many rural towns in Missouri during his career as an explosive ordnance disposal technician.


Table of Contents

Preface  p. xi
Acknowledgments  p. xv
Introduction  p. xvii
About the Author  p. xxv
Chapter 1 Setting the Foundation  p. 1
Chapter 2 Building the Enterprise Infrastructure  p. 5
    Security Categorization Applied to Information Types  p. 9
    Security Categorization Applied to Information Systems  p. 11
    Minimum Security Requirements  p. 14
    Specifications for Minimum Security Requirements  p. 15
    Security Control Selection  p. 20
Chapter 3 Infrastructure Security Model Components  p. 23
    Developing the Security Architecture Model  p. 24
    Dataflow Defense  p. 28
    Data in Transit, Data in Motion, and Data at Rest  p. 29
    Network  p. 32
    Client-Side Security  p. 35
    Server-Side Security  p. 42
    Strategy vs. Business Model  p. 43
    Security Risk Framework  p. 46
Chapter 4 Systems Security Categorization  p. 53
    System Security Categorization Applied to Information Types  p. 60
    Application of System Security Controls  p. 70
    Minimum Security Requirements  p. 72
    System Security Controls  p. 74
Chapter 5 Business Impact Analysis  p. 81
    What Is the Business Impact Analysis?  p. 83
    Objectives of the Business Impact Analysis  p. 84
    Developing the Project Plan  p. 85
    BIA Process Steps  p. 86
    Performing the BIA  p. 91
    Gathering Information  p. 92
    Performing a Vulnerability Assessment  p. 92
    Analyzing the Information  p. 93
    Documenting the Results and Presenting the Recommendations  p. 94
Chapter 6 Risk  p. 95
    Risk Management  p. 95
    Framework  p. 95
    Assessment or Evaluation  p. 97
    Mitigation and Response  p. 97
    Monitoring  p. 98
    Risk Assessment  p. 99
Chapter 7 Secure Configuration Management  p. 103
    Phases of Security-Focused Configuration Management  p. 105
    Security Configuration Management Plan  p. 107
    Coordination  p. 109
    Configuration Control  p. 109
    Change Control Board (CCB) or Technical Review Board (TRB)  p. 110
    Configuration Items  p. 111
    Baseline Identification  p. 111
    Functional Baseline  p. 112
    Design Baseline  p. 112
    Development Baseline  p. 113
    Product Baseline  p. 113
    Roles and Responsibilities  p. 114
    Change Control Process  p. 115
    Change Classifications  p. 115
    Change Control Forms  p. 116
    Problem Resolution Tracking  p. 116
    Measurements  p. 116
    Configuration Status Accounting  p. 117
    Configuration Management Libraries  p. 117
    Release Management (RM)  p. 117
    Configuration Audits  p. 118
    Functional Configuration Audit  p. 118
    Physical Configuration Audit  p. 118
    Tools  p. 119
    Training  p. 119
    Training Approach  p. 119
Chapter 8 Contingency Planning  p. 121
    Types of Plans  p. 134
    Business Continuity Plan (BCP)  p. 137
    Continuity of Operations (COOP) Plan  p. 138
    Cyber Incident Response Plan  p. 138
    Disaster Recovery Plan (DRP)  p. 138
    Contingency Plan (CP)  p. 139
    Occupant Emergency Plan (OEP)  p. 139
    Crisis Communications Plan  p. 140
    Backup Methods and Off-Site Storage  p. 140
Chapter 9 Cloud Computing  p. 143
    Essential Characteristics  p. 146
    Service Models  p. 147
Chapter 10 Continuous Monitoring  p. 149
    Continuous Monitoring Strategy  p. 156
    Organization (Tier 1) and Mission/Business Processes (Tier 2)  p. 156
    Information System (Tier 3)  p. 158
    Process Roles and Responsibilities  p. 159
    Define Sample Populations  p. 161
    Continuous Monitoring Program  p. 163
    Determine Metrics  p. 163
    Monitoring and Assessment Frequencies  p. 164
    Considerations in Determining Assessment and Monitoring Frequencies  p. 165
Chapter 11 Physical Security  p. 169
    History  p. 170
    Security Level (SL) Determination  p. 172
    Threat Factors/Criteria  p. 173
    Building Security Level Matrix  p. 174
    Building Security Level Scoring Criteria  p. 175
    Mission/Business  p. 175
    Public Impact  p. 177
    Building Occupants  p. 177
    Building Square Footage  p. 179
    Impact on Tenants  p. 180
    Other Factors  p. 180
    Level E Facilities  p. 182
    Campuses, Complexes, and Corporate or Commercial Centers  p. 182
    Changes in the Building Security Level  p. 182
Chapter 12 Building Security  p. 185
    Illumination  p. 185
    Lighting for CCTV Surveillance  p. 187
    Building Security Levels  p. 187
    Minimum Security Standards  p. 189
    Entry Security  p. 189
    Interior Security  p. 190
    Security Planning  p. 190
Chapter 13 Validating the Enterprise  p. 195
    Certification and Accreditation Process  p. 195
    Accreditation Decisions  p. 196
    Continuous Monitoring  p. 198
    General Process Phase I  p. 199
    Security Categorization  p. 199
    System Security Plans (SSPs)  p. 201
    Risk Assessments (RAs)  p. 202
    Contingency Plans (CPs)  p. 204
    Security Control Compliance Matrix (SCCM)  p. 205
    Standard Operating Procedures (SOPs)  p. 206
    Privacy Impact Assessment (PIA)  p. 206
    Configuration Management Plan (CMP)  p. 207
    Service Level Agreements (SLAs)  p. 208
    General Process Phase II: Security Test and Evaluation (ST&E)  p. 208
    Develop the Security Test and Evaluation (ST&E) Plan  p. 209
    Execute the ST&E Plan  p. 209
    Create the ST&E Report and Recommend Countermeasures  p. 209
    Update the Risk Assessment  p. 210
    Update the Security Plan  p. 210
    Document Certification Findings  p. 210
    General Management and Methodologies  p. 211
    Employed Methodologies  p. 211
    Internal Review Procedures  p. 213
    End-State Security Model  p. 213
Appendix A References (NIST)  p. 215
Appendix B References (FIPS)  p. 219
Appendix C Sample Certification Statement  p. 221
Appendix D Sample Rules of Engagement  p. 223
Index  p. 229