| Section | Page |
|---|---|
| Preface | p. xiii |
| Acknowledgments | p. xvii |
| The need for a proactive approach | p. 1 |
| Introduction | p. 1 |
| The reality of the modern enterprise | p. 3 |
| Evolution of organizational structures | p. 4 |
| Evolution of technical infrastructure | p. 5 |
| Limitations of policy-driven decision making | p. 7 |
| Education and awareness | p. 9 |
| Management awareness | p. 9 |
| The technology trap | p. 10 |
| Awareness of end users | p. 10 |
| Operational issues | p. 11 |
| Complexity | p. 11 |
| Scalability | p. 13 |
| New challenges | p. 14 |
| Trust | p. 14 |
| Privacy | p. 16 |
| Introducing The (not so) Secure Bank | p. 17 |
| Summary | p. 19 |
| References | p. 20 |
| Management techniques | p. 23 |
| Knowledge and experience | p. 23 |
| Information relating to security incidents and vulnerabilities | p. 25 |
| Risk analysis and risk management | p. 27 |
| Strategy and planning | p. 30 |
| Policy and standards | p. 32 |
| Processes and procedures | p. 34 |
| Methodologies and frameworks | p. 36 |
| Awareness and training | p. 38 |
| Audits | p. 40 |
| Contracts | p. 41 |
| Outsourcing | p. 42 |
| Summary | p. 43 |
| References | p. 44 |
| Technical tools | p. 47 |
| Overview | p. 47 |
| Classification of security tools | p. 48 |
| Host-oriented tools | p. 49 |
| Security layers | p. 49 |
| The native operating system security subsystem | p. 50 |
| Authentication and authorization | p. 51 |
| System integrity | p. 52 |
| System access control | p. 56 |
| System security monitoring | p. 58 |
| Data confidentiality and integrity | p. 60 |
| Network-oriented tools | p. 62 |
| Network authentication and authorization | p. 62 |
| Network integrity | p. 65 |
| Network access control | p. 68 |
| Network security monitoring | p. 71 |
| Data confidentiality and integrity | p. 72 |
| Supporting infrastructure | p. 74 |
| PKI | p. 74 |
| Smart cards and cryptographic modules | p. 76 |
| Authentication devices | p. 79 |
| Summary | p. 80 |
| References | p. 81 |
| A proactive approach: Overview | p. 85 |
| Introduction | p. 85 |
| The consolidation period and strategic-planning cycles | p. 86 |
| Deciding on a personal strategy | p. 87 |
| The consolidation period | p. 89 |
| Planning | p. 89 |
| Establishing contact with stakeholders | p. 90 |
| Identifying major issues | p. 91 |
| Classifying issues | p. 92 |
| Implementing short-term solutions | p. 95 |
| Identifying quick wins | p. 98 |
| Implementing initial management-control mechanisms | p. 99 |
| The strategic-planning cycle | p. 100 |
| Overview | p. 100 |
| Definition of a strategy | p. 101 |
| Production of a strategic plan | p. 102 |
| Execution of the strategic plan | p. 102 |
| Monitoring for further improvement | p. 104 |
| The core deliverables | p. 105 |
| Summary | p. 106 |
| References | p. 107 |
| The information-security strategy | p. 109 |
| The need for a strategy | p. 109 |
| Planning | p. 110 |
| Analysis of the current situation | p. 111 |
| Identification of business strategy requirements | p. 114 |
| Identification of legal and regulatory requirements | p. 117 |
| Identification of requirements due to external trends | p. 119 |
| Definition of the target situation | p. 122 |
| Definition and prioritization of strategic initiatives | p. 123 |
| Distribution of the draft strategy | p. 126 |
| Agreement and publication of final strategy | p. 127 |
| Summary | p. 128 |
| References | p. 129 |
| Policy and standards | p. 131 |
| Some introductory remarks on documentation | p. 131 |
| Designing the documentation set | p. 132 |
| Policy | p. 135 |
| The purpose of policy statements | p. 135 |
| Identifying required policy statements | p. 136 |
| Design and implementation | p. 137 |
| The Secure Bank: Policy statements | p. 139 |
| Establishing a control framework | p. 140 |
| Standards | p. 143 |
| Types of standards | p. 143 |
| External standards | p. 144 |
| Internal standards | p. 147 |
| Agreement and distribution of standards | p. 148 |
| Guidelines and working papers | p. 150 |
| Summary | p. 150 |
| References | p. 151 |
| Process design and implementation | p. 155 |
| Requirements for stable processes | p. 155 |
| Why processes fail to deliver | p. 156 |
| Productivity issues | p. 156 |
| Adaptability issues | p. 157 |
| Acceptance issues | p. 158 |
| Process improvement | p. 159 |
| Methods for process improvement | p. 159 |
| Improving productivity | p. 161 |
| Improving adaptability | p. 165 |
| Improving acceptance | p. 166 |
| The Secure Bank: Improving the authorization and access-control procedure | p. 168 |
| Planning | p. 168 |
| The current process | p. 168 |
| Identifying the target situation | p. 171 |
| Planning incremental improvements | p. 172 |
| Implementing improvements | p. 174 |
| Continuous improvement | p. 176 |
| Summary | p. 177 |
| References | p. 178 |
| Building an IT security architecture | p. 181 |
| Evolution of enterprise IT infrastructure | p. 181 |
| Problems associated with system-focused approaches | p. 182 |
| A three-phased approach | p. 184 |
| The design phase | p. 185 |
| Planning | p. 185 |
| Agreeing on basic design principles | p. 186 |
| Modeling the IT infrastructure | p. 187 |
| Risk analysis | p. 192 |
| Identifying logical components | p. 194 |
| Obtaining signoff of the concept | p. 198 |
| The implementation phase | p. 198 |
| Planning considerations | p. 198 |
| Production of a phased implementation plan | p. 200 |
| Preparing proposals | p. 202 |
| Selection of commercial packages | p. 203 |
| Testing and integration | p. 205 |
| SLAs and support contracts | p. 206 |
| Technical training | p. 208 |
| Administration and maintenance phase | p. 208 |
| Routine administration and maintenance | p. 209 |
| Managing vulnerabilities | p. 209 |
| Managing incidents | p. 210 |
| Managing risk using risk indicators | p. 212 |
| Summary | p. 213 |
| References | p. 213 |
| Creating a security-minded culture | p. 215 |
| Introduction | p. 215 |
| Techniques for introducing cultural change | p. 217 |
| Internal marketing and sales | p. 219 |
| Support and feedback | p. 221 |
| Security-awareness training | p. 222 |
| The security-awareness program | p. 222 |
| Planning considerations | p. 223 |
| Defining the objectives | p. 224 |
| Identifying the audience | p. 224 |
| Identifying the message | p. 227 |
| Developing the material | p. 228 |
| Defining tracking and follow-up procedures | p. 231 |
| Delivering the pilot phase | p. 231 |
| Security skills training | p. 232 |
| General remarks | p. 232 |
| The information-security team | p. 233 |
| Other staff | p. 236 |
| Involvement initiatives | p. 237 |
| Summary | p. 238 |
| References | p. 239 |
| Fast risk analysis | p. 241 |
| Introduction | p. 241 |
| The method | p. 241 |
| A worked example | p. 243 |
| Comments | p. 243 |
| About the author | p. 249 |
| Index | p. 251 |
| Table of Contents provided by Ingram. All Rights Reserved. |