Information security fundamentals

Effective security rules and procedures do not exist for their own sake-they are put in place to protect critical assets, thereby supporting overall business objectives. Recognizing security as a business enabler is the first step in building a successful program. Information Security Fundamentals allows future security professionals to gain a solid understanding of the foundations of the field and the entire range of issues that practitioners must address. This book enables students to understand the key elements that comprise a successful information security program and eventually apply these concepts to their own efforts. The book examines the elements of computer security, employee roles and responsibilities, and common threats. It examines the need for management controls, policies and procedures, and risk analysis, and also presents a comprehensive list of tasks and objectives that make up a typical information protection program. The volume discusses organizationwide policies and their documentation, and legal and business requirements. It explains policy format, focusing on global, topic-specific, and application-specific policies. Following a review of asset classification, the book explores access control, the components of physical security, and the foundations and processes of risk analysis and risk management. Information Security Fundamentals concludes by describing business continuity planning, including preventive controls, recovery strategies, and ways to conduct a business impact analysis.

OVERVIEW Elements of Information Protection More Than Just Computer Security Employee Mind-Set toward Controls Roles and Responsibilities Director, Design and Strategy Common Threats Policies and Procedures Risk Management Typical Information Protection Program Summary THREATS TO INFORMATION SECURITY What Is Information Security? Common Threats Errors and Omissions Fraud and Theft Malicious Hackers Malicious Code Denial-of Service-Attacks Social Engineering Common Types of Social Engineering Summary THE STRUCTURE OF AN INFORMATION SECURITY PROGRAM Overview Enterprisewide Security Program Business Unit Responsibilities Creation and Implementation of Policies and Standards Compliance with Policies and Standards Information Security Awareness Program Frequency Media Information Security Program Infrastructure Information Security Steering Committee Assignment of Information Security Responsibilities Senior Management Information Security Management Business Unit Managers First Line Supervisors Employees Third Parties Summary INFORMATION SECURITY POLICIES Policy Is the Cornerstone Why Implement an Information Security Policy Corporate Policies Organizationwide (Tier 1) Policies Employment Standards of Conduct Conflict of Interest Performance Management Employee Discipline Information Security Corporate Communications Workplace Security Business Continuity Plans (BCPs) Procurement and Contracts Records Management Asset Classification Organizationwide Policy Document Legal Requirements Duty of Loyalty Duty of Care Federal Sentencing Guidelines for Criminal Convictions The Economic Espionage Act of 1996 The Foreign Corrupt Practices Act (FCPA) Sarbanes-Oxley (SOX) Act Health Insurance Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley Act (GLBA) Business Requirements Definitions Policy Standards Procedures Guidelines Policy Key Elements Policy Format Global (Tier 1) Policy Topic Scope Responsibilities Compliance or Consequences Sample Information Security Global Policies Topic-Specific (Tier 2) Policy Thesis Statement Relevance Responsibilities Compliance Supplementary Information Application-Specific (Tier 3) Policy Summary ASSET CLASSIFICATION Introduction Overview Why Classify Information? What Is Information Classification? Where to Begin? Information Classification Category Examples Example 1 Example 2 Example 3 Example 4 Resist the Urge to Add Categories What Constitutes Confidential Information Copyright Employee Responsibilities Owner Information Owner Custodian User Classification Examples Classification: Example 1 Classification: Example 2 Classification: Example 3 Classification: Example 4 Declassification or Reclassification of Information Records Management Policy Sample Records Management Policy Information Handling Standards Matrix Printed Material Electronically Stored Information Electronically Transmitted Information Record Management Retention Schedule Information Classification Methodology Authorization for Access Owner Custodian User Summary Access Control Business Requirements for Access Control Access Control Policy User Access Management Account Authorization Access Privilege Management Account Authentication Management System and Network Access Control Network Access and Security Components System Standards Remote Access Operating System Access Controls Operating Systems Standards Change Control Management Monitoring System Access Event Logging Monitoring Standards Intrusion Detection Systems Cryptography Definitions Public Key and Private Key Block Mode, Cipher Block, and Stream Ciphers Cryptanalysis Sample Access Control Policy Summary Physical Security Data Center Requirements Physical Access Controls Assets to be Protected Potential Threats Attitude toward Risk Sample Controls Fire Prevention and Detection Fire Prevention Fire Detection Fire Fighting Verified Disposal of Documents Collection of Documents Document Destruction Options Choosing Services Agreements Duress Alarms Intrusion Detection Systems Purpose Planning Elements Procedures Sample Physical Security Policy Summary RISK ANALYSIS AND RISK MANAGEMENT Introduction Frequently Asked Questions on Risk Analysis Why Conduct a Risk Analysis? When to Conduct a Risk Analysis? Who Should Conduct the Risk Analysis? How Long Should A Risk Analysis Take? What a Risk Analysis Analyzes What Can the Results of a Risk Analysis Tell an Organization? Who Should Review the Results of a Risk Analysis? How Is the Success of the Risk Analysis Measured? Information Security Life Cycle Risk Analysis Process Asset Definition Threat Identification Determine Probability of Occurrence Determine the Impact of the Threat Controls Recommended Documentation Risk Mitigation Control Categories Cost/Benefit Analysis Summary BUSINESS CONTINUITY PLANNING Overview Business Continuity Planning Policy Policy Statement Scope Responsibilities Compliance Conducting a Business Impact Analysis (BIA) Identify Sponsor(s) Scope Information Meeting Information Gathering Questionnaire Design Scheduling the Interviews Conducting Interviews Tabulating the Information Presenting the Results Preventive Controls Recovery Strategies Hot Site, Cold Site, Warm Site, Mobile Site Key Considerations People Communications Computing Equipment Facilities PLAN CONSTRUCTION, TESTING, AND MAINTENANCE Plan Construction Crisis Management Plan Plan Distribution Plan Testing Line Testing Walk-Through Testing Single Process Testing Full Testing Plan Testing Summary Plan Maintenance Sample Business Continuity Plan Policy Summary