IT Security Governance Guidebook with Security Program Metrics on CD-ROM
The IT Security Governance Guidebook with Security Program Metrics on CD-ROM provides clear and concise explanations of key issues in information protection, describing the basic structure of information protection and enterprise protection programs. Incl

Rating: 3 out of 5 stars based on 2 ratings (5 stars: 0%, 4 stars: 0%, 3 stars: 100%, 2 stars: 0%, 1 star: 0%)
Digital copy (PDF format): 1 available for $124.97
Original magazine (physical format): sold out

  • Written by author Fred Cohen
  • Published by Taylor & Francis, Inc., October 2006
Executive Summary     xi
About This Material     xii
The Structure of Information Protection     1
A Comprehensive Information Protection Program     1
The Architectural Model     1
Risk Management     3
How the Business Works     5
How Information Technology Protection Works     7
Interdependencies     8
But How Much Is Enough? The Duty to Protect     8
What Is Information Protection Governance All About?     8
The Goal of Governance     8
What Are the Aspects of Governance?     10
Structures     10
What Are the Rules?     11
Principles and Standards     12
Power and Influence     13
Funding     15
Enforcement Mechanisms     17
Appeals Processes and Disputes     20
The Overall Control System     21
Fitting Protection into Business Structures     22
Fitting In     23
The Theory of Groups     23
What Groups Are Needed     24
Who Is in Charge and Who Does This Person Work for?     25
The CISO     25
The CISO's Team     25
The Structure of the Groups     27
Meetings and Groups the CISO Chairs or Operates     28
Should the CISO Work for the CIO or Others?     28
Should the CISO, CPO, CSO, or Others Be Combined?     30
Where Should the CISO Be in the Corporate Structure?     31
Budgets and Situations     31
Direct Budget for the CISO     31
Identifiable Costs     31
Enforcement and Appeals Processes     34
Top Management Buy-In and Support     34
Power and Influence and Managing Change     34
Responses to Power and Influence     35
Other Power Issues     35
The Control System     36
Metrics     37
Costs     37
Performance     37
Time     38
Lower-Level Metrics     38
How Long Will It Take?     39
Summary     41
Drill-Down     43
How the Business Works     44
The Security Oversight Function     46
Duty to Protect     47
Externally Imposed Duties     47
Internally Imposed Duties     47
Contractual Duties     48
Risk Management and What to Protect     48
Risk Evaluation     48
Consequences     48
Threats     49
Vulnerabilities     49
Interdependencies and Risk Aggregations     50
Risk Treatment     52
Risk Acceptance     52
Risk Avoidance     52
Risk Transfer     52
Risk Mitigation     52
What to Protect and How Well     53
The Risk Management Space     53
Risk Assessment Methodologies and Limitations     54
Matching Surety to Risk     55
Enterprise Risk Management Process: An Example     58
The Risk Management Process     59
Evaluation Processes to Be Used     60
The Order of Analysis     61
Selection of Mitigation Approach     62
Specific Mitigations     63
Specific Issues Mandated by Policy     63
A Schedule of Risk Management Activities     63
Initial Conditions     64
Management's Role     64
Reviews to Be Conducted     65
Threat Assessment     65
Fulfilling the Duties to Protect     66
Security Governance     69
Responsibilities at Organizational Levels     69
Enterprise Security Management Architecture     70
Groups That CISO Meets with or Creates and Chairs     72
Top-Level Governance Board     72
Business Unit Governance Boards     72
Policy, Standards, and Procedures Group and Review Board     73
Legal Group and Review Board     74
Personnel Security Group and Review Board     74
Risk Management Group     75
Protection Testing and Change Control Group and Review Board     75
Technical Safeguards Group and Review Board     76
Zoning Boards and Similar Governance Entities     77
Physical Security Group and Review Board     77
Incident Handling Group and Review Board     78
Audit Group and Review Board     79
Awareness and Knowledge Group and Review Board     80
Documentation Group     81
Issues Relating to Separation of Duties     81
Understanding and Applying Power and Influence     81
Physical Power     81
Resource Power     82
Positional Power     82
Expertise, Personal, and Emotional Power     83
Persuasion Model     84
Managing Change     85
Organizational Perspectives     91
Management     91
Policy     92
Standards     93
Procedures     95
Documentation     96
Auditing     97
Testing and Change Control     97
Technical Safeguards: Information Technology     98
Personnel     101
Incident Handling     102
Legal Issues     104
Physical Security     105
Knowledge     107
Awareness     108
Organization     110
Summary of Perspectives     111
Control Architecture     111
Protection Objectives     111
Integrity     112
Availability     113
Confidentiality     113
Use Control     115
Accountability     116
Access Control Architecture     118
Technical Architecture Functional Units and Composites     118
Perimeter Architectures     118
Physical Perimeter Architecture     119
Logical Perimeter Architecture     122
Perimeter Summary     124
Access Process Architecture     124
Identification     124
Authentication     125
Authorization     125
Use     126
Change Control Architecture     126
Research and Development     126
Change Control     127
Production     127
Technical Security Architecture     127
Issues of Context     127
Time ("When")     127
Location ("Where")     128
Purpose ("Why")     129
Behaviors ("What")     130
Identity ("Who")     130
Method ("How")     131
Life Cycles     132
Business     132
People     134
Systems     138
Data     141
Protection Process: Data State     146
Data at Rest     147
Data in Motion     152
Data in Use     154
Protection Process: Attack and Defense     155
Deter     156
Prevent     157
Detect     159
React     163
Adapt     165
Detect/React Loop     167
Protection Process: Work Flows     168
Work to Be Done     169
Process for Completion and Options     169
Control Points and Approval Requirements     170
Appeals Processes and Escalations     170
Authentication Requirements and Mechanisms     170
Authorization and Context Limitations     171
Work Flow Documentation and Audit     171
Control and Validation of the Engine(s)     171
Risk Aggregation in the Engine(s)     172
Protective Mechanisms     172
Perception     172
Structure     173
Content Controls     175
Behavior     176
Roll-Up of the Drill-Down     178
Summary and Conclusions     181
Index     183