Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010324830 | QA76.9.D314 S34 2014 | Open Access Book | Book |
On Order
Summary
Securing against operational interruptions and the theft of your data is much too important to leave to chance. By planning for the worst, you can ensure your organization is prepared for the unexpected. Enterprise Architecture and Information Assurance: Developing a Secure Foundation explains how to design complex, highly available, and secure enterprise architectures that integrate the most critical aspects of your organization's business processes.
Filled with time-tested guidance, the book describes how to document and map the security policies and procedures needed to ensure cost-effective organizational and system security controls across your entire enterprise. It also demonstrates how to evaluate your network and business model to determine if they fit well together. The book's comprehensive coverage includes:
Facilitating the understanding you need to reduce and even mitigate security liabilities, the book provides sample rules of engagement, lists of NIST and FIPS references, and a sample certification statement. Coverage includes network and application vulnerability assessments, intrusion detection, penetration testing, incident response planning, risk mitigation audits/reviews, and business continuity and disaster recovery planning.
Reading this book will give you the reasoning behind why security is foremost. By following the procedures it outlines, you will gain an understanding of your infrastructure and what requires further attention.
Author Notes
James A. Scholz is a veteran who served 20 years in the US Army. As a soldier he served as an explosive ordnance disposal technician for 17 years (10 years stationed at Fort Leonard Wood, Missouri), and part of his responsibilities was to ensure the security of Presidents, Vice-Presidents, and foreign dignitaries as they traveled throughout the nation and abroad. James was awarded the Bronze Star for Valor, a Bronze Star, multiple Meritorious Service Medals, and the South West Asia Campaign Medal.
James served as the single responsible person for a 1.8 million dollar budget and as a Class "A" Agent for the US Army, overseas. James served as a Reserve Deputy Sheriff and a Crime Scene Technician with the El Paso County Sheriff's Department, Texas, from 1993 through 1996. James is President and CEO of a small, service-disabled-veteran-owned small business that provides disaster recovery, business continuity, physical, and logical security services to federal agencies. James has 31 years' experience working with the federal government at all levels and has supported many rural towns in Missouri during his career as an explosive ordnance disposal technician.
Table of Contents
Section | Page |
---|---|
Preface | p. xi |
Acknowledgments | p. xv |
Introduction | p. xvii |
About the Author | p. xxv |
Chapter 1 Setting the Foundation | p. 1 |
Chapter 2 Building the Enterprise Infrastructure | p. 5 |
Security Categorization Applied to Information Types | p. 9 |
Security Categorization Applied to Information Systems | p. 11 |
Minimum Security Requirements | p. 14 |
Specifications for Minimum Security Requirements | p. 15 |
Security Control Selection | p. 20 |
Chapter 3 Infrastructure Security Model Components | p. 23 |
Developing the Security Architecture Model | p. 24 |
Dataflow Defense | p. 28 |
Data in Transit, Data in Motion, and Data at Rest | p. 29 |
Network | p. 32 |
Client-Side Security | p. 35 |
Server-Side Security | p. 42 |
Strategy vs. Business Model | p. 43 |
Security Risk Framework | p. 46 |
Chapter 4 Systems Security Categorization | p. 53 |
System Security Categorization Applied to Information Types | p. 60 |
Application of System Security Controls | p. 70 |
Minimum Security Requirements | p. 72 |
System Security Controls | p. 74 |
Chapter 5 Business Impact Analysis | p. 81 |
What Is the Business Impact Analysis? | p. 83 |
Objectives of the Business Impact Analysis | p. 84 |
Developing the Project Plan | p. 85 |
BIA Process Steps | p. 86 |
Performing the BIA | p. 91 |
Gathering Information | p. 92 |
Performing a Vulnerability Assessment | p. 92 |
Analyzing the Information | p. 93 |
Documenting the Results and Presenting the Recommendations | p. 94 |
Chapter 6 Risk | p. 95 |
Risk Management | p. 95 |
Framework | p. 95 |
Assessment or Evaluation | p. 97 |
Mitigation and Response | p. 97 |
Monitoring | p. 98 |
Risk Assessment | p. 99 |
Chapter 7 Secure Configuration Management | p. 103 |
Phases of Security-Focused Configuration Management | p. 105 |
Security Configuration Management Plan | p. 107 |
Coordination | p. 109 |
Configuration Control | p. 109 |
Change Control Board (CCB) or Technical Review Board (TRB) | p. 110 |
Configuration Items | p. 111 |
Baseline Identification | p. 111 |
Functional Baseline | p. 112 |
Design Baseline | p. 112 |
Development Baseline | p. 113 |
Product Baseline | p. 113 |
Roles and Responsibilities | p. 114 |
Change Control Process | p. 115 |
Change Classifications | p. 115 |
Change Control Forms | p. 116 |
Problem Resolution Tracking | p. 116 |
Measurements | p. 116 |
Configuration Status Accounting | p. 117 |
Configuration Management Libraries | p. 117 |
Release Management (RM) | p. 117 |
Configuration Audits | p. 118 |
Functional Configuration Audit | p. 118 |
Physical Configuration Audit | p. 118 |
Tools | p. 119 |
Training | p. 119 |
Training Approach | p. 119 |
Chapter 8 Contingency Planning | p. 121 |
Types of Plans | p. 134 |
Business Continuity Plan (BCP) | p. 137 |
Continuity of Operations (COOP) Plan | p. 138 |
Cyber Incident Response Plan | p. 138 |
Disaster Recovery Plan (DRP) | p. 138 |
Contingency Plan (CP) | p. 139 |
Occupant Emergency Plan (OEP) | p. 139 |
Crisis Communications Plan | p. 140 |
Backup Methods and Off-Site Storage | p. 140 |
Chapter 9 Cloud Computing | p. 143 |
Essential Characteristics | p. 146 |
Service Models | p. 147 |
Chapter 10 Continuous Monitoring | p. 149 |
Continuous Monitoring Strategy | p. 156 |
Organization (Tier 1) and Mission/Business Processes (Tier 2) | p. 156 |
Information System (Tier 3) | p. 158 |
Process Roles and Responsibilities | p. 159 |
Define Sample Populations | p. 161 |
Continuous Monitoring Program | p. 163 |
Determine Metrics | p. 163 |
Monitoring and Assessment Frequencies | p. 164 |
Considerations in Determining Assessment and Monitoring Frequencies | p. 165 |
Chapter 11 Physical Security | p. 169 |
History | p. 170 |
Security Level (SL) Determination | p. 172 |
Threat Factors/Criteria | p. 173 |
Building Security Level Matrix | p. 174 |
Building Security Level Scoring Criteria | p. 175 |
Mission/Business | p. 175 |
Public Impact | p. 177 |
Building Occupants | p. 177 |
Building Square Footage | p. 179 |
Impact on Tenants | p. 180 |
Other Factors | p. 180 |
Level E Facilities | p. 182 |
Campuses, Complexes, and Corporate or Commercial Centers | p. 182 |
Changes in the Building Security Level | p. 182 |
Chapter 12 Building Security | p. 185 |
Illumination | p. 185 |
Lighting for CCTV Surveillance | p. 187 |
Building Security Levels | p. 187 |
Minimum Security Standards | p. 189 |
Entry Security | p. 189 |
Interior Security | p. 190 |
Security Planning | p. 190 |
Chapter 13 Validating the Enterprise | p. 195 |
Certification and Accreditation Process | p. 195 |
Accreditation Decisions | p. 196 |
Continuous Monitoring | p. 198 |
General Process Phase I | p. 199 |
Security Categorization | p. 199 |
System Security Plans (SSPs) | p. 201 |
Risk Assessments (RAs) | p. 202 |
Contingency Plans (CPs) | p. 204 |
Security Control Compliance Matrix (SCCM) | p. 205 |
Standard Operating Procedures (SOPs) | p. 206 |
Privacy Impact Assessment (PIA) | p. 206 |
Configuration Management Plan (CMP) | p. 207 |
Service Level Agreements (SLAs) | p. 208 |
General Process Phase II: Security Test and Evaluation (ST&E) | p. 208 |
Develop the Security Test and Evaluation (ST&E) Plan | p. 209 |
Execute the ST&E Plan | p. 209 |
Create the ST&E Report and Recommend Countermeasures | p. 209 |
Update the Risk Assessment | p. 210 |
Update the Security Plan | p. 210 |
Document Certification Findings | p. 210 |
General Management and Methodologies | p. 211 |
Employed Methodologies | p. 211 |
Internal Review Procedures | p. 213 |
End-State Security Model | p. 213 |
Appendix A References (NIST) | p. 215 |
Appendix B References (FIPS) | p. 219 |
Appendix C Sample Certification Statement | p. 221 |
Appendix D Sample Rules of Engagement | p. 223 |
Index | p. 229 |