A Practical Guide to Security Assessments: 1st Edition (Hardback) book cover

A Practical Guide to Security Assessments

1st Edition

By Sudhanshu Kairab

Auerbach Publications

520 pages | 36 B/W Illus.

Purchasing Options:$ = USD
Hardback: 9780849317064
pub: 2004-09-29
$105.00
x
eBook (VitalSource) : 9780429211379
pub: 2004-09-29
from $52.50


FREE Standard Shipping!

Description

The modern dependence upon information technology and the corresponding information security regulations and requirements force companies to evaluate the security of their core business processes, mission critical data, and supporting IT environment. Combine this with a slowdown in IT spending resulting in justifications of every purchase, and security professionals are forced to scramble to find comprehensive and effective ways to assess their environment in order to discover and prioritize vulnerabilities, and to develop cost-effective solutions that show benefit to the business.

A Practical Guide to Security Assessments is a process-focused approach that presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and how security measures are aligned with business risks. The guide also emphasizes that resulting security recommendations should be cost-effective and commensurate with the security risk. The methodology described serves as a foundation for building and maintaining an information security program.

In addition to the methodology, the book includes an Appendix that contains questionnaires that can be modified and used to conduct security assessments.

This guide is for security professionals who can immediately apply the methodology on the job, and also benefits management who can use the methodology to better understand information security and identify areas for improvement.

Table of Contents

INTRODUCTION

EVOLUTION OF INFORMATION SECURITY

Distributed Systems

Business-to-Business (B2B) Relationships

Remote Access

Enterprise Resource Planning (ERP)

Information Security Today

Why Protect Information Assets

Growing Role of Internal Audit

Security Standards

Organizational Impacts

Security Certifications

Trends in Information Security

INFORMATION SECURITY PROGRAM AND HOW SECURITY ASSESSMENTS FIT IN

What is an Information Security Program

How Does a Security Assessment Fit In

Why Conduct a Security Assessment

Security Assessment Process

Executive Summary

PLANNING

Define Scope

Staffing

Kickoff Meeting

Develop Project Plan

Set Client Expectations

Executive Summary

INITIAL INFORMATION GATHERING

Gather Publicly Available Information

Gather Information from the Client

Analyze Gathered Information

Prepare Initial Question Sets

Develop and Document Template for Final Report

Executive Summary

BUSINESS PROCESS EVALUATION

General Review of Company and Key Business Processes

Finalize Question Sets for Process Reviews

Meet with Business Process Owners

Analyze Information Collected and Document Findings

Status Meeting with Client

Potential Concerns During This Phase

Executive Summary

TECHNOLOGY EVALUATION

General Review of Technology and Related Documentation

Develop Question Sets for Technology Reviews

Meet with Technology Owners and Conduct Detail Testing

Analyze Information Collected and Document Findings

Status Meeting with Client

Potential Concerns During this Phase

Executive Summary

RISK ANALYSIS AND FINAL PRESENTATION

Risk Analysis

Risk Score Calculation

Document Risks and Develop Recommendations for Draft Report

Discuss Draft Report with Client

Present Final Report to Management

Potential Concerns During this Phase

Executive Summary

INFORMATION SECURITY STANDARDS

International Standards Organization 17799 (ISO 17799)

Common Criteria (CC)

COBIT (Control Objectives for Information (Related) Technology)

ITIL (IT Infrastructure Library) Security Management

SAS (Statement on Auditing Standards) 70

AICPA SysTrust

AICPA WebTrust

RFC 2196 - Site Security Handbook

SANS (SysAdmin, Audit, Network, Security) / FBI Top 20 List

Vendor Best Practices

INFORMATION SECURITY LEGISLATION

Relevance to Security Assessments

HIPAA (Health Insurance Portability and Accountability Act)

GLB Act (Gramm-Leach-Bliley Act)

Sarbanes - Oxley Act

21 CFR Part 11

Safe Harbor

Federal Information Security Management Act

Other Legislative Action

APPENDIX - SECURITY QUESTIONNAIRES/ CHECKLISTS

Questionnaire Structure

Preliminary Checklist to Gather Information

Generic Questionnaire for Business Process Owners

Data Classification

Data Retention

Backup and Recovery

Externally Hosted Services

Physical Security

Employee Termination

Incident Handling

Business to Business (B2B)

Business to Consumer (B2C)

Change Management

User ID Administration

Managed Security

Media Handling

HIPAA Security

Subject Categories

BISAC Subject Codes/Headings:
BUS073000
BUSINESS & ECONOMICS / Commerce
COM032000
COMPUTERS / Information Technology
COM053000
COMPUTERS / Security / General