A Practical Guide to Security Assessments

Note: Supplemental materials are not guaranteed with Rental or Used book purchases.

ISBN: 9780849317064 | 0849317061
Cover: Hardcover
Copyright: 9/29/2004

Rent

(Recommended)

$75.34

Term

Due

Price

Semester

Dec 13

$79.31

Quarter

Aug 16

$75.34

Short Term

Jul 4

$71.38

*This item is part of an exclusive publisher rental program and requires an additional convenience fee. This fee will be reflected in the shopping cart.
Buy New

Usually Ships in 3-5 Business Days

$108.36
eBook

Available Instantly

Online: 180 Days

Downloadable: 180 Days

$46.38

The modern dependence upon information technology and the corresponding information security regulations and requirements force companies to evaluate the security of their core business processes, mission critical data, and supporting IT environment. Combine this with a slowdown in IT spending resulting in justifications of every purchase, and security professionals are forced to scramble to find comprehensive and effective ways to assess their environment in order to discover and prioritize vulnerabilities, and to develop cost-effective solutions that show benefit to the business.A Practical Guide to Security Assessments is a process-focused approach that presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and how security measures are aligned with business risks. The guide also emphasizes that resulting security recommendations should be cost-effective and commensurate with the security risk. The methodology described serves as a foundation for building and maintaining an information security program.In addition to the methodology, the book includes an Appendix that contains questionnaires that can be modified and used to conduct security assessments.This guide is for security professionals who can immediately apply the methodology on the job, and also benefits management who can use the methodology to better understand information security and identify areas for improvement.

Chapter 1 Introduction

(4)

Chapter 2 Evolution of Information Security

(40)

Introduction

(1)

Distributed Systems and the Internet

(1)

Business-to-Business (B2B) Relationships

(1)

Remote Access

(1)

Enterprise Resource Planning (ERP)

(2)

Information Security Today

(1)

Why Protect Information Assets?

(6)

The Internet and the Availability and Accessibility of Information

(1)

Shift from Paper-Based to Electronic-Based Information

(1)

Integration of Systems

(2)

Legislation

(1)

Cyber-Related Threats

(1)

Growing Role of Internal Audit

(1)

Security Standards

(7)

Best Practice Standards

(1)

Technical Standards

(1)

Marketplace Standards

(4)

Better Business Bureau (BBB) Online Privacy Seal

(2)

AICPA/CICA WebTrust Program

(2)

Organizational Impacts

(6)

Rise of the Chief Security Officer

(3)

Autonomous Departments Devoted to Information Security

(2)

Independence and the Ability to Escalate

(1)

Expertise

(1)

Security Certifications

(5)

Vendor-Neutral Certifications

(4)

Certified Information Systems Security Professional (CISSP)

(2)

Certified Information Systems Auditor (CISA)

(1)

System Administration and Network Security Certifications (SANS) - GIAC (Global Information Assurance Certification)

(1)

CISM (Certified Information Security Manager)

(1)

Vendor-Specific Certifications

(1)

Trends in Information Security

(8)

Focus on the Overall Information Security Program

(2)

Security Spending Is Tightening

(1)

Growing Awareness of Information Security

(1)

Outsourcing Security Functions

(4)

Government Regulations

(1)

Notes

(3)

Chapter 3 The Information Security Program and How a Security Assessment Fits In

(22)

What Is an Information Security Program?

(10)

Security Strategy

(2)

Security Policies and Procedures

(2)

Security Organization

(1)

Executive Support

(1)

Training and Awareness

(2)

Toolsets

(1)

Enforcement

(1)

How Does a Security Assessment Fit In?

(3)

Why Conduct a Security Assessment?

(4)

Obtaining an Independent View of Security

(1)

Managing Security Risks Proactively

(1)

Determining Measures to Take to Address Any Regulatory Concerns

(1)

Justification for Funds

(1)

The Security Assessment Process

(3)

Executive Summary

(2)

Chapter 4 Planning

(36)

Defining the Scope

(20)

Business Drivers

(5)

Proactive Approach to Security

(1)

Regulatory Concerns

(1)

Justification for Additional Funds for Information Security Initiatives

(1)

Security Incident Has Occurred

(1)

Disgruntled Employees

(1)

Changes in the IT Environment

(1)

Mergers and Acquisitions

(1)

Scope Definition

(5)

Analysis

(1)

Define the Scope of Work

(2)

Potential Scope Issues

(3)

Scope Creep

(1)

Incorrect Assumptions

(1)

Lack of Standards

(1)

Staffing

(2)

Consultant's Perspective

(1)

Client's Perspective

(11)

Internal Employees

(1)

Third-Party Consultants

(3)

Kickoff Meeting

(5)

Develop Project Plan

(2)

Set Client Expectations

(6)

Understanding the Meaning of a Security Assessment

(3)

Key Communications

(3)

Status Meetings

(1)

Deliverable Template

(2)

Executive Summary

100

(2)

Defining Scope

100

(1)

Staffing

100

(1)

Kickoff Meeting

101

(1)

Develop Project Plan

101

(1)

Set Client Expectations

102

(1)

Notes

102

(1)

Chapter 5 Initial Information Gathering

103

(36)

Benefits of Initial Preparation

103

(2)

Credibility with the Customer

103

(1)

Ability to Ask the Right Questions

104

(1)

Gather Publicly Available Information

105

(1)

Where Is This Information Found?

105

(12)

Company Web Site

107

(4)

General Company News

107

(1)

Operations-Related Information

108

(1)

Planned Initiatives

109

(1)

Management Team

109

(1)

Financial Information

109

(1)

Web-Based Offerings

110

(1)

Sense of Dependency on the Web Presence

110

(1)

Financial Statements

111

(5)

Form 10K - Annual Report

111

(4)

Form 10Q - Quarterly Report

115

(1)

Form 8K - Report of Unscheduled Material Events

115

(1)

Trade Journals

116

(1)

Other Interviewee-Specific Questions

132

(1)

Traditional Security-Related Questions

132

(2)

Develop and Document Template for Final Report

134

(2)

Executive Summary

136

(3)

Gather Publicly Available Information

137

(1)

Gather Information Using an Initial Questionnaire

137

(1)

Analyze Gathered Info

137

(1)

Prepare Initial Question Sets

138

(1)

Develop and Document Template for Final Report

138

(1)

Chapter 6 Business Process Evaluation

139

(26)

General Review of Company and Key Business Processes

142

(9)

Critical Business Processes

145

(2)

Business Environment

147

(1)

Planned Changes That May Impact Security

148

(1)

Organization Structure

148

(3)

Management Concerns Regarding Information Security

151

(1)

Finalize Question Sets for Process Reviews

151

(3)

Meet with Business Process Owners

154

(2)

Preparation for Meetings

154

(1)

Interviews with Process Owners

154

(2)

Potential Pitfalls

156

(1)

Analyze Information Collected and Document Findings

156

(2)

Status Meeting with Client

158

(3)

Findings

160

(1)

Status Based on Project Plan

160

(1)

Discussion of Critical Technologies

160

(1)

Potential Concerns During This Phase

161

(1)

Executive Summary

162

(3)

Chapter 7 Technology Evaluation

165

(28)

General Review of Technology and Related Documentation

166

(4)

Develop Question Sets for Technology Reviews

170

(4)

Meet with Technology Owners and Conduct Detailed Testing

174

(13)

Interviews

176

(1)

Hands-On Testing

177

(7)

Reasons for Conducting Detailed Testing

177

(3)

Test Planning and Related Considerations

180

(1)

Manual vs. Automated Testing

181

(1)

Tool Selection

182

(1)

Process for Conducting Detailed Technology Testing

183

(1)

Common Detailed Technology Testing

184

(3)

Analyze Information Collected and Document Findings

187

(2)

Status Meeting with Client

189

(1)

Potential Concerns During This Phase

189

(2)

Executive Summary

191

(2)

Chapter 8 Risk Analysis and Final Presentation

193

(36)

Risk Analysis and Risk Score Calculation

193

(12)

Risk Score Calculation

197

(8)

Business Impact

198

(2)

Calculation of Business Impact

200

(1)

Analysis of Business Impact

200

(1)

Probability - Medium

200

(1)

Potential Impact to the Business - Medium

201

(1)

Level of Control

201

(3)

Determination of Risk Score

204

(1)

Finalize Findings and Risks

205

(5)

Finalize Wording for Findings

205

(4)

Document Risks and Criticality

209

(1)

Develop Recommendations and Prepare Draft Report

210

(12)

Develop and Document Recommendations

212

(2)

Characteristics of Good Recommendations

214

(4)

Address the Risk

214

(1)

Provide Enough Detail

215

(1)

Cost Effectiveness (Return on Security Investment)

215

(3)

Other General Recommendations

218

(11)

Ongoing Assessment

219

(1)

Managed Security Services

220

(2)

Discuss Draft Report with Client

222

(2)

Present Final Report to Management

224

(2)

Potential Concerns During This Phase

226

(1)

Executive Summary

227

(1)

Notes

228

(1)

Chapter 9 Information Security Standards

229

(16)

International Standards Organization 17799 (ISO 17799)

229

(3)

Use in a Security Assessment

232

(1)

Common Criteria (CC)

232

(2)

Structure of the Common Criteria

233

(1)

Use in a Security Assessment

233

(1)

COBIT (Control Objectives for Information [Related] Technology)

234

(4)

COBIT Structure

234

(4)

IT Governance Self Assessment

235

(1)

Management's IT Concern Diagnostic

236

(1)

Control Objectives

236

(1)

Management Guidelines

237

(1)

Use in a Security Assessment

238

(1)

ITIL (IT Infrastructure Library) Security Management

238

(2)

Use in a Security Assessment

239

(1)

SAS (Statement on Auditing Standards) 70

239

(1)

Use in a Security Assessment

240

(1)

AICPA SysTrust

240

(1)

Use in a Security Assessment

240

(1)

AICPA WebTrust

241

(1)

Use in a Security Assessment

241

(1)

RFC 2196 - Site Security Handbook

241

(1)

Use in a Security Assessment

242

(1)

Other Resources

242

(1)

SANS (SysAdmin, Audit, Network, Security)/FBI (Federal Bureau of Investigation) Top 20 List

242

(1)

Vendor Best Practices

243

(1)

Notes

243

(2)

Chapter 10 Information Security Legislation

245

(10)

Relevance of Legislation in Security Assessments

245

(1)

HIPAA (Health Insurance Portability and Accountability Act)

246

(2)

GLBA (Gramm-Leach-Bliley Act)

248

(2)

Sarbanes-Oxley Act

250

(1)

21 CFR Part 11

251

(1)

Safe Harbor

252

(1)

Federal Information Security Management Act (FIMSA)

252

(1)

Other Legislative Action

253

(1)

Notes

254

(1)

Appendices Security Questionnaires and Checklists

255

(232)

Appendix A Preliminary Checklist to Gather Information

259

(12)

Appendix B Generic Questionnaire for Meetings with Business Process Owners

271

(6)

Appendix C Generic Questionnaire for Meetings with Technology Owners

277

(6)

Appendix D Data Classification

283

(8)

Appendix E Data Retention

291

(6)

Appendix F Backup and Recovery

297

(12)

Appendix G Externally Hosted Services

309

(16)

Appendix H Physical Security

325

(18)

Appendix I Employee Termination

343

(8)

Appendix J Incident Handling

351

(10)

Appendix K Business to Business (B2B)

361

(10)

Appendix L Business to Consumer (B2C)

371

(14)

Appendix M Change Management

385

(6)

Appendix N User ID Administration

391

(12)

Appendix O Managed Security

403

(12)

Appendix P Media Handling

415

(8)

Appendix Q HIPAA Security

423

(64)

Index

487

Please wait while the item is added to your bag...

FREE SHIPPING

Amazon no longer offers textbook rentals. We do!

A Practical Guide to Security Assessments

Summary

Table of Contents

Supplemental Materials