1st Edition

Information Security Management Concepts and Practice

By Bel G. Raggad
    Copyright 2010
    868 Pages, 222 B/W Illustrations
    by CRC Press

    Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security worldwide, there are few textbooks available that provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs.

    An authoritative and practical classroom resource, Information Security Management: Concepts and Practice provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments.

    This self-contained text is filled with review questions, workshops, and real-world examples that illustrate effective implementation and security auditing methodologies. It also includes a detailed security auditing methodology students can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment—including the sequential stages needed to maintain virtually air-tight IS management systems that conform to the latest ISO standards.

    INTRODUCTION

    Introduction to Information Security Management
    Why Information Security Matters
    Information Sensitivity Classification
    Information Security Governance
    The Computing Environment
    Security of Various Components in the Computing Environment
    Security Interdependence
    CIA Triad
    Security Goals versus Business Goals
    The Security Star
    Parker’s View of Information Security
    What Is Information Security Management?
    Defense-In-Depth Security
    Security Controls
    The NSA Triad for Security Assessment

    Introduction to Management Concepts
    Brief History of Management
    Traditional Management Skills and Security Literacy
    Managerial Skills
    Redefining Mintzberg’s Managerial Roles
    Strategic Management Concepts
    IS Security Management Activities
    Do We Really Need an Independent Information Security Functional Unit?
    The Information Security Management Cycle
    IS Security Management versus Functional Management

    The Information Security Life Cycle
    Security Planning in the SLC
    Security Analysis
    Security Design
    Security Implementation
    Security Review
    Continual Security

    SECURITY PLAN

    Security Plan
    SP Development Guidelines
    SP Methodology

    Security Policy
    Security Policy, Standards, and Guidelines
    Security Policy Methodologies

    Business Continuity Planning
    Business Disruptions
    Business Continuity
    Disaster Recovery
    Responding to Business Disruptions
    Developing a BCP

    SECURITY ANALYSIS

    Security Risk Management
    The Risk Management Life Cycle
    The Preparation Effort for Risk Management
    A Sustainable Security Culture
    Information Needed to Manage Risks
    Factors Affecting Security Risk
    The ALE Risk Methodology
    Operational, Functional, and Strategic Risks
    Operational Risk Management: Case of the Naval Safety Center
    The ABLE Methodology

    Continual Security: Integrated Fault-Event Analysis and Response Framework (IFEAR)
    IFEAR Methodology
    Fault Tree Analysis
    Event Tree Analysis
    FTA-ETA Integration
    Risk Management
    Simulation and Sensitivity Analysis

    Active Security Assessment
    Standards for Active Security Assessment
    Limits of Active Security Assessment
    Can You Hack Your Own System?
    Ethical Hacking of a Computing Environment
    Ethics in Ethical Hacking
    ASA through Penetration Testing
    Strategies for Active Security Assessment
    Guidelines and Terms between Testers and the Organization
    The Active Security Assessment Project

    System Availability
    Computer Clustering
    Review of Cluster Concepts
    Types of Clusters
    Web Site Availability
    Application Centers No Longer the Only Sound Implementation
    Computation of Availability in High-Availability Cluster
    Related Availability Definitions
    How to Obtain Higher Availability: The Cisco Process Nines’ Availability
    Common Configurations for Clusters
    Self-Healing and Availability

    SECURITY DESIGN

    Nominal Security Enhancement Design Based on ISO/IEC 27002
    History of the ISO/IEC 27002
    ISO/IEC 27002
    How to Use the ISO/IEC 27002 to Enhance Security
    Measurement and Implementations
    Strategies to Enhance the ISO/IEC 27002-Based Security Posture
    Comparing the ISO/IEC 27002-Based Security Posture Enhancement Strategies

    Technical Security Enhancement Based on ISO/IEC 27001
    How Organizations Interact with the Standards
    General ISMS Framework
    The ISMS Model
    The Process Approach Ensures the Continual Improvement of the ISMS
    Development of the Information Security Management System
    Design of the ISMS
    Security Inventory Needs
    The Integration of ISMS Subsystems
    Self-Assessment for Compliance
    Revisiting ISMS Scoping

    SECURITY IMPLEMENTATION

    Security Solutions
    Security Solutions
    The NIST Security Solution Taxonomy
    The ISO Security Solution Taxonomy

    The Common Criteria
    The Birth of the Common Criteria
    Common Uses of the CC
    The CC Document
    The CC Security Approach
    Information Resource Evaluation Methodology
    CC Security Evaluation Programs
    The American Model of CC Evaluation Programs
    A National Model
    Some Other CC Evaluation Requirements
    Minicase

    SECURITY REVIEW

    Security Review through Security Audit
    Security Audit Means Different Things to Different People
    Some Security Audit Activities
    Our Definition of Security Audit
    Main Features in Security Audit
    Application Audit
    How Does Security Audit Relate to the Corporate Security Policy?
    Structure of a Security Audit
    Security Audit versus IT Auditing
    Applicable Security-Related Standards
    Security Audit Grades

    Privacy Rights, Information Technology, and HIPAA
    The Problem of Privacy
    The Meaning of Privacy
    HIPAA
    Regulatory Standards: The Privacy Rule
    The HIPAA Security Rule
    Administrative Safeguards
    NIST on HIPAA
    Conducting Effective Risk Analysis

    CONTINUAL SECURITY

    The Sarbanes–Oxley Act and IT Compliance
    Methods of Doing Business
    Background of the Sarbanes–Oxley Act
    Sarbanes–Oxley Act of 2002
    Major Provisions of SO
    Management Assessment of Internal Controls and IT Compliance
    IT Compliance
    International Responses
    Advantages to SOX Compliance
    Foreign Whistleblowers and SOX
    Reconciling SOX and European Conflicting Standards
    EU Corporate Governance Initiatives
    E.U.’s Eighth Directive
    Planning IT Management for SOX: Delayed SOX Impact

    Cyberterrorism and Homeland Security
    Security Economic Intelligence
    Homeland Security
    Cyberterrorism in the Literature
    Cyberterrorism in the Real World: The FBI Perspective
    U.S. Legislative Enactments and Proposed Programs
    U.S. Criminal Statutes Affecting the Internet
    Statutes and Executive Orders Concerned with Cyberterrorism
    International Initiatives
    Individual European State Approaches to Security and Counterterrorism
    Other International Efforts

    Index

    Each chapter begins with an Introduction and concludes with a Summary, Review Questions, Workshops, and References.

    Biography

    Bel G. Raggad

    … a comprehensive overview of security topics related to the management and development of secure systems. This rich collection of literature reviews matches every stage of security management, implementation, and deployment. … The extensive breakdown of risk analysis and threat assessment will be of particular interest to practitioners with background in this area… one of the most comprehensive works to date on the topic, and includes lengthy examples of how to determine and manage the risks associated with a new development project. The book describes most, if not all, security paradigms that are in practice today in terms of analyzing the goals of a project and establishing priorities. … a valuable resource for anyone conducting research in the field of information security as well as for experienced managers seeking to concentrate on security in future endeavors. Summing Up: Highly recommended.
    — T.D. Richardson, South University, in CHOICE, November 2010, Vol. 48 No. 03