Executive MBA in Information Security Book

Preface

Acknowledgments

The Author

Contributors

Information Security Overview

Information Security Management

What Is Information Security?

Responsibilities

Organization

Functions

Ideal Traits of an Information Security Professional

Certification Requirements

Recruiting

Screening

Interviewing

Reference Checks

Retention

Trust and Loyalty

Why Is Information Security Important?

Information Security Concepts

Laws of Security

Information Security Requirements

Interrelationship of Regulations, Policies, Standards, Procedures, and Guidelines

Regulations

Sarbanes—Oxley Act

Gramm—Leach—Bliley Act

Health Insurance Portability and Accountability Act

Federal Financial Institutions Examination Council

Payment Card Industry (PCI) Data Security Standard

Common Elements of Compliance

Security Controls

Industry Best Practice Guidelines

Standards

Measurement Techniques

Control Objectives for Information and Related Technology

(COBIT)

ISO 27002 Overview

Capability Maturity Model (CMM)

Generally Accepted Information Security Principles (GAISP)

Common Pitfalls of an Effective Information Security Program

Defense in Depth

Managing Risks

Risk Management

System Characterization

Threat Identification

Vulnerability Identification and

Categorization

Control Analysis

Likelihood Rating

Impact Rating (Premitigation)

Risk Determination

Recommendations

Technical Evaluation Plan (TEP)

Methodology Overview

Role of Common Vulnerabilities and Exposures (CVE)

Executive Summary

Follow-Up

Tracking

Conflict Resolution

Test Plans

Physical Security

Access Control Systems and Methods

Discretionary Access Controls (DACs)

Mandatory Access Controls (MACs)

Nondiscretionary Access Controls

Administrative Access Controls

Physical Access Controls

Technical Access Controls

Logical Access Controls

Common Access Control Practices

Auditing

Physical Security

Social Engineering

Phishing

Pharming

Vishing

Passive Information Gathering

Active Information Gathering

Covert Testing

Clean Desk Policy

Dumpster Diving

Business Continuity Plans and Disaster Recovery

Business Continuity

Phase 1—Project Management and Initiation

Phase 2—Business Impact Analysis

Phase 3—Recovery Strategies

Phase 4—Plan, Design, and Develop

Phase 5—Testing, Maintenance, and

Awareness Training

Complications to Consider in BCP

Disaster Recovery

Business

Facilities and Supplies

Users

Technology

Data

Event Stages

Disaster Recovery Testing

Business Continuity Planning and Disaster Recovery Training

Administrative Controls

Change Management

Request Phase

Process Phase

Release Phase

Change Management Steps

Computer Forensics

Computer Investigation Model

Incident Management

Reporting Information

Steps

Notification

Incident Details

Incident Handler

Actions to Date

Recommended Actions

Laws, Investigations, and Ethics

Laws

Investigations

Ethics

Operations Security

OPSEC Controls

Separation of Duties

Job Rotation

Least Privileges

Records Retention

Federal Rules of Civil Procedure

Security Awareness Training

A Cracker’s Story

Security Management Practices

Security Countermeasures

Service Providers, Service-Level Agreements, and Vendor

Reviews

Vendor Relationship Policy

Service-Level Agreements

Vendor Reviews

Managing Security Risks in Vendor Relationships

Due Diligence: The First Tool

Key Contractual Protections: The Second Tool

Information Security Requirements Exhibit: The Third

Tool

Technical Controls

Host Security

System Hardening Checklist

Host Services

Other Host Security Controls

Malware Protection

Viruses, Worms, and Backdoors

DAT Signatures

Multimedia Devices

Network Security

Seven Layers of the OSI Model

Other Layers

Protocol Data Units

TCP/IP Model

Decimal, Binary, and Hexadecimal Compared

Network Addressing

Network Security Controls

Passwords

Patch or Vulnerability Management

Application Controls

Application and System Development

e-Mail

Encryption

Private Key Encryption (Symmetric Key Encryption)

Choosing a Symmetric Key Cryptography Method

Public Key Encryption (Asymmetric Key

Encryption)

Choosing an Asymmetric Key Cryptography Method

Digital Signature

One-Way Encryption

e-Mail Encryption

Choosing e-Mail Encryption

Internet Encryption

Choosing an Internet Security Method

Encrypting Hard Drives

Encryption Attacks

Multifactor Authentication

Perimeter Controls

Security Architecture

Internal Controls

External Controls

Telecommunications Security

Voice over IP Security

Virtual Private Network

Wireless Security

Web Filtering

Audit and Compliance

Audit and Compliance

Information Security Governance Metrics

Testing—Vulnerability Assessment

Appendix A: Information Security Policy

Appendix B: Technology Resource Policy

Appendix C: Log-on Warning Banner

Appendix D: Penetration Test Waiver

Appendix E: Tools

Appendix F: How to Report Internet Crime

Acronyms

MyISAT

Web References

Index