Assessing and Managing Security Risk in IT Systems: A Structured Methodology

Note: Supplemental materials are not guaranteed with Rental or Used book purchases.

ISBN: 9780849322327 | 0849322324
Cover: Hardcover
Copyright: 8/12/2004

Buy New

Print on Demand: 2-4 Weeks. This item cannot be cancelled or returned.

$85.65
eBook

Available Instantly

Online: 180 Days

Downloadable: 180 Days

$58.76

Assessing and Managing Security Risk in IT Systems: A Structured Methodology builds upon the original McCumber Cube model to offer proven processes that do not change, even as technology evolves. This book enables you to assess the security attributes of any information system and implement vastly improved security environments.Part I delivers an overview of information systems security, providing historical perspectives and explaining how to determine the value of information. This section offers the basic underpinnings of information security and concludes with an overview of the risk management process.Part II describes the McCumber Cube, providing the original paper from 1991 and detailing ways to accurately map information flow in computer and telecom systems. It also explains how to apply the methodology to individual system components and subsystems.Part III serves as a resource for analysts and security practitioners who want access to more detailed information on technical vulnerabilities and risk assessment analytics. McCumber details how information extracted from this resource can be applied to his assessment processes.

SECTION I SECURITY CONCEPTS

Using Models

(20)

Introduction: Understanding, Selecting, and Applying Models

(1)

Understanding Assets

(2)

Layered Security

(2)

Using Models in Security

(3)

Security Models for Information Systems

(4)

Shortcomings of Models in Security

(4)

Security in Context

(3)

Reference

(1)

Defining Information Security

(18)

Confidentiality, Integrity, and Availability

(3)

Information Attributes

(2)

Intrinsic versus Imputed Value

(2)

Information as an Asset

(2)

The Elements of Security

(8)

Confidentiality

(4)

Integrity

(2)

Availability

(2)

Security Is Security Only in Context

(1)

Information as an Asset

(16)

Introduction

(3)

Determining Value

(6)

Managing Information Resources

(5)

References

(2)

Understanding Threat and Its Relation to Vulnerabilities

(14)

Introduction

(1)

Threat Defined

(5)

Analyzing Threat

(1)

Assessing Physical Threats

(2)

Infrastructure Threat Issues

(5)

Assessing Risk Variables: The Risk Assessment Process

(28)

Introduction

(5)

Learning to Ask the Right Questions about Risk

(7)

The Basic Elements of Risk in IT Systems

(1)

Information as an Asset

(1)

Defining Threat for Risk Management

(2)

Defining Vulnerabilities for Risk Management

(3)

Defining Safeguards for Risk Management

(1)

The Risk Assessment Process

(9)

SECTION II THE MCCUMBER CUBE METHODOLOGY

The McCumber Cube

(12)

Introduction

(2)

The Nature of Information

101

(1)

Critical Information Characteristics

102

(1)

Confidentiality

102

(1)

Integrity

103

(1)

Availability

103

(1)

Security Measures

104

(1)

Technology

105

(1)

Policy and Practice

105

(1)

Education, Training, and Awareness (Human Factors)

106

(1)

The Model

107

(3)

Overview

107

(1)

Use of the Model

108

(2)

References

110

(1)

Determining Information States and Mapping Information Flow

111

(20)

Introduction

111

(1)

Information States: A Brief Historical Perspective

112

(3)

Automated Processing: Why Cryptography Is Not Sufficient

115

(1)

Simple State Analysis

116

(3)

Information States in Heterogeneous Systems

119

(3)

Boundary Definition

122

(1)

Decomposition of Information States

122

(5)

Step 1: Defining the Boundary

123

(2)

Step 2: Make an Inventory of All IT Resources

125

(1)

Step 3: Decompose and Identify Information States

126

(1)

Developing an Information State Map

127

(2)

Reference

129

(2)

Decomposing the Cube for Security Enforcement

131

(22)

Introduction

131

(2)

A Word about Security Policy

133

(1)

Definitions

134

(1)

The McCumber Cube Methodology

135

(2)

The Transmission State

137

(3)

Transmission: Confidentiality

137

(2)

Transmission: Integrity

139

(1)

Transmission: Availability

139

(1)

The Storage State

140

(5)

Storage: Confidentiality

140

(2)

Storage: Integrity

142

(2)

Storage: Availability

144

(1)

The Processing State

145

(5)

Processing: Confidentiality

147

(1)

Processing: Integrity

148

(2)

Processing: Availability

150

(1)

Recap of the Methodology

150

(3)

Information State Analysis for Components and Subsystems

153

(12)

Introduction

153

(1)

Shortcomings of Criteria Standards for Security Assessments

154

(2)

Applying the McCumber Cube Methodology for Product Assessments

156

(1)

Steps for Product and Component Assessment

157

(1)

Information Flow Mapping

158

(1)

Define the Boundary

158

(1)

Take an Inventory of Information Resources and Components

158

(1)

Decompose and Identify All Information States

158

(1)

Cube Decomposition Based on Information States

159

(2)

Call Out the Information State Column

159

(1)

Decompose Blocks by Attribute

160

(1)

Identify Existing and Potential Vulnerabilites

160

(1)

Develop Security Architecture

161

(1)

Describe Required Safeguards

161

(1)

Cost Out Architecture Components and Enforcement Mechanisms

162

(1)

Recap of the Methodology for Subsystems, Products, and Components

162

(1)

References

163

(2)

Managing the Security Life Cycle

165

(12)

Introduction

165

(12)

Safeguard Analysis

177

(20)

Introduction

177

(1)

Technology Safeguards

178

(1)

Procedural Safeguards

179

(1)

Human Factors Safeguards

180

(1)

Vulnerability--Safeguard Pairing

181

(1)

Hierarchical Dependencies of Safeguards

182

(3)

Security Policies and Procedural Safeguards

185

(1)

Developing Comprehensive Safeguards: The Lessons of the Shogun

186

(3)

Identifying and Applying Appropriate Safeguards

189

(2)

Comprehensive Safeguard Management: Applying the McCumber Cube

191

(1)

The ROI of Safeguards: Do Security Safeguards Have a Payoff?

192

(5)

Practical Applications of McCumber Cube Analysis

197

(58)

Introduction

197

(1)

Applying the Model to Global and National Security Issues

198

(2)

Programming and Software Development

200

(1)

Using the McCumber Cube in an Organizational Information Security Program

200

(3)

Using the McCumber Cube for Product or Subsystem Assessment

203

(1)

Using the McCumber Cube for Safeguard Planning and Deployment

204

(1)

Tips and Techniques for Building Your Security Program

205

(1)

Establishing the Security Program: Defining You

205

(2)

Avoiding the Security Cop Label

207

(1)

Obtaining Corporate Approval and Support

207

(3)

Creating Pearl Harbor Files

210

(4)

Defining Your Security Policy

214

(1)

Defining What versus How

215

(3)

Security Policy: Development and Implementation

218

(1)

Reference

219

(4)

SECTION III APPENDICES

Appendix A --- Vulnerabilities

223

(12)

Appendix B --- Risk Assessment Metrics

235

(10)

Appendix C --- Diagrams and Tables

245

(6)

Appendix D --- Other Resources

251

(4)

Index

255

Please wait while the item is added to your bag...

FREE SHIPPING

Amazon no longer offers textbook rentals. We do!

Assessing and Managing Security Risk in IT Systems: A Structured Methodology

Summary

Table of Contents

Supplemental Materials