Assessing and Managing Security Risk in IT Systems

A Structured Methodology, 1st Edition

By John McCumber

Auerbach Publications

288 pages | 35 B/W Illus.

Purchasing Options (prices in USD)

Hardback: ISBN 9780849322327, pub: 2004-08-12, $83.95
eBook (VitalSource): ISBN 9780429208409, pub: 2004-08-12, from $41.98

Description

Assessing and Managing Security Risk in IT Systems: A Structured Methodology builds upon the original McCumber Cube model to offer proven processes that do not change, even as technology evolves. This book enables you to assess the security attributes of any information system and implement vastly improved security environments.

Part I delivers an overview of information systems security, providing historical perspectives and explaining how to determine the value of information. This section offers the basic underpinnings of information security and concludes with an overview of the risk management process.

Part II describes the McCumber Cube, providing the original paper from 1991 and detailing ways to accurately map information flow in computer and telecom systems. It also explains how to apply the methodology to individual system components and subsystems.

Part III serves as a resource for analysts and security practitioners who want access to more detailed information on technical vulnerabilities and risk assessment analytics. McCumber details how information extracted from this resource can be applied to his assessment processes.

Table of Contents

SECURITY CONCEPTS

Using Models

Introduction: Understanding, Selecting, and Applying Models

Understanding Assets

Layered Security

Using Models in Security

Security Models for Information Systems

Shortcomings of Models in Security

Security in Context

Reference

Defining Information Security

Confidentiality, Integrity, and Availability

Information Attributes

Intrinsic versus Imputed Value

Information as an Asset

The Elements of Security

Security Is Security Only in Context

Information as an Asset

Introduction

Determining Value

Managing Information Resources

References

Understanding Threat and Its Relation to Vulnerabilities

Introduction

Threat Defined

Analyzing Threat

Assessing Physical Threats

Infrastructure Threat Issues

Assessing Risk Variables: The Risk Assessment Process

Introduction

Learning to Ask the Right Questions about Risk

The Basic Elements of Risk in IT Systems

Information as an Asset

Defining Threat for Risk Management

Defining Vulnerabilities for Risk Management

Defining Safeguards for Risk Management

The Risk Assessment Process

THE McCUMBER CUBE METHODOLOGY

The McCumber Cube

Introduction

The Nature of Information

Critical Information Characteristics

Confidentiality

Integrity

Availability

Security Measures

Technology

Policy and Practice

Education, Training, and Awareness (Human Factors)

The Model

References

Determining Information States and Mapping

Information Flow

Introduction

Information States: A Brief Historical Perspective

Automated Processing: Why Cryptography Is Not Sufficient

Simple State Analysis

Information States in Heterogeneous Systems

Boundary Definition

Decomposition of Information States

Developing an Information State Map

Reference

Decomposing the Cube for Security Enforcement

Introduction

A Word about Security Policy

Definitions

The McCumber Cube Methodology

The Transmission State

The Storage State

The Processing State

Recap of the Methodology

Information State Analysis for Components and Subsystems

Introduction

Shortcomings of Criteria Standards for Security Assessments

Applying the McCumber Cube Methodology for Product Assessments

Steps for Product and Component Assessment

Information Flow Mapping

Cube Decomposition Based on Information States

Develop Security Architecture

Recap of the Methodology for Subsystems, Products, and Components

References

Managing the Security Life Cycle

Introduction

Safeguard Analysis

Introduction

Technology Safeguards

Procedural Safeguards

Human Factors Safeguards

Vulnerability-Safeguard Pairing

Hierarchical Dependencies of Safeguards

Security Policies and Procedural Safeguards

Developing Comprehensive Safeguards: The Lessons of the Shogun

Identifying and Applying Appropriate Safeguards

Comprehensive Safeguard Management: Applying the McCumber Cube

The ROI of Safeguards: Do Security Safeguards Have a Payoff?

Practical Applications of McCumber Cube Analysis

Introduction

Applying the Model to Global and National Security Issues

Programming and Software Development

Using the McCumber Cube in an Organizational Information Security Program

Using the McCumber Cube for Product or Subsystem Assessment

Using the McCumber Cube for Safeguard Planning and Deployment

Tips and Techniques for Building Your Security Program

Establishing the Security Program: Defining You

Avoiding the Security Cop Label

Obtaining Corporate Approval and Support

Creating Pearl Harbor Files

Defining Your Security Policy

Defining What versus How

Security Policy: Development and Implementation

Reference

SECTION III APPENDICES

Vulnerabilities

Risk Assessment Metrics

Diagrams and Tables

Other Resources

Subject Categories

BISAC Subject Codes/Headings:

BUS073000: BUSINESS & ECONOMICS / Commerce
COM032000: COMPUTERS / Information Technology
COM053000: COMPUTERS / Security / General