| Section | Page |
| --- | --- |
| Foreword | p. xi |
| Preface | p. xv |
| Acknowledgments | p. xxi |
| The Organizational IA Program: The Practical and Conceptual Foundation | p. 1 |
| IA and the Organization: The Challenges | p. 3 |
| Chapter Objectives | p. 3 |
| The Meaning and Significance of IA | p. 3 |
| The Rights of Organizations | p. 3 |
| The Contribution of Information and Information Technology (IT) to Achieving the Rights of Organizations | p. 5 |
| The Emergence of New Challenges | p. 6 |
| Summary | p. 11 |
| References | p. 11 |
| Basic Security Concepts, Principles, and Strategy | p. 13 |
| Chapter Objectives | p. 13 |
| Basic Security Concepts and Principles | p. 13 |
| Basic Security Strategy | p. 30 |
| Summary | p. 35 |
| References | p. 35 |
| Defining the Organization's Current IA Posture | p. 37 |
| Determining the Organization's IA Baseline | p. 39 |
| Chapter Objectives | p. 39 |
| Information Assurance Elements | p. 39 |
| Summary | p. 52 |
| References | p. 52 |
| Determining IT Security Priorities | p. 53 |
| Chapter Objectives | p. 53 |
| Identifying Your Security Protection Priorities | p. 53 |
| Measuring the Accomplishment of Organizational IA Needs | p. 64 |
| Summary | p. 65 |
| References | p. 65 |
| The Organization's IA Posture | p. 67 |
| Chapter Objectives | p. 67 |
| Introduction | p. 67 |
| The Process for Determining Organizational IA Posture | p. 70 |
| Summary | p. 82 |
| References | p. 83 |
| Establishing and Managing an IA Defense in Depth Strategy Within an Organization | p. 85 |
| Layer 1: IA Policies | p. 87 |
| Chapter Objectives | p. 87 |
| The Concept of Policy | p. 87 |
| The Intent and Significance of IA Policies | p. 88 |
| The Mechanics of Developing, Communicating, and Enforcing IA Policies | p. 90 |
| Summary | p. 93 |
| References | p. 93 |
| Layer 2: IA Management | p. 95 |
| Chapter Objectives | p. 95 |
| Establishing an IA Management Program | p. 95 |
| Managing IA | p. 107 |
| Summary | p. 110 |
| References | p. 110 |
| Layer 3: IA Architecture | p. 113 |
| Chapter Objectives | p. 113 |
| The Objectives of the IA Architecture | p. 113 |
| Knowledge Required to Design the IA Architecture | p. 114 |
| The Design of the Organization's IA Architecture | p. 125 |
| Allocation of Security Services and Security Mechanisms | p. 136 |
| The Implementation of the Organization's IA Architecture | p. 142 |
| Summary | p. 143 |
| References | p. 143 |
| Layer 4: Operational Security Administration | p. 145 |
| Chapter Objectives | p. 145 |
| Administering Information Systems Security | p. 145 |
| Summary | p. 151 |
| References | p. 152 |
| Layer 5: Configuration Management | p. 153 |
| Chapter Objectives | p. 153 |
| The Necessity of Managing Changes to the IA Baseline | p. 153 |
| Configuration Management: An Approach for Managing IA Baseline Changes | p. 154 |
| Summary | p. 161 |
| References | p. 162 |
| Layer 6: Life-Cycle Security | p. 163 |
| Chapter Objectives | p. 163 |
| Security Throughout the System Life Cycle | p. 163 |
| Summary | p. 170 |
| Reference | p. 170 |
| Layer 7: Contingency Planning | p. 171 |
| Chapter Objectives | p. 171 |
| Planning for the Worst | p. 171 |
| Summary | p. 174 |
| Reference | p. 174 |
| Layer 8: IA Education, Training, and Awareness | p. 175 |
| Chapter Objectives | p. 175 |
| The Importance of IA Education, Training, and Awareness | p. 175 |
| Implementation of Organizational IA Education, Training, and Awareness | p. 176 |
| Summary | p. 179 |
| References | p. 179 |
| Layer 9: IA Policy Compliance Oversight | p. 181 |
| Chapter Objective | p. 181 |
| The Necessity of IA Policy Compliance Oversight | p. 181 |
| The Implementers of IA Policy Compliance Oversight | p. 181 |
| Mechanisms of IA Policy Compliance Oversight | p. 182 |
| Summary | p. 187 |
| References | p. 188 |
| Layer 10: IA Incident Response | p. 189 |
| Chapter Objectives | p. 189 |
| Reacting and Responding to IA Incidents | p. 189 |
| Summary | p. 195 |
| References | p. 196 |
| Layer 11: IA Reporting | p. 197 |
| Chapter Objectives | p. 197 |
| The Definition of Formal IA Reporting | p. 197 |
| The Development of an IA Reporting Structure and Process | p. 197 |
| Summary | p. 200 |
| References | p. 200 |
| Appendices | p. 201 |
| Listing of IA Threats | p. 203 |
| Threat Category | p. 203 |
| Definitions | p. 207 |
| Reference | p. 208 |
| Listing of Threat Statuses | p. 209 |
| Listing of Major Sources of Vulnerability Information | p. 211 |
| General Sources of Vulnerability Information | p. 211 |
| Vendor-Specific Security Information | p. 211 |
| Vendor-Specific Security Patches | p. 212 |
| IA Policy Web Sites | p. 213 |
| IA Policy Basic Structure and Major Policy Subjects | p. 215 |
| Basic Structure | p. 215 |
| Major Policy Subjects | p. 215 |
| Sample IA Manager Appointment Letter | p. 221 |
| Sample Outline for IA Master Plan | p. 223 |
| Things to Do to Improve Organizational IA Posture | p. 225 |
| Life-Cycle Management | p. 225 |
| Password and Access Controls | p. 225 |
| System Auditing and Monitoring | p. 226 |
| Security Operations/Management | p. 226 |
| Configuration Management | p. 227 |
| Contingency Planning | p. 227 |
| Incident Response and Handling | p. 227 |
| Information Assurance Self-Inspection Checklist | p. 229 |
| Sample Outline for a Disaster Recovery Plan (DRP) | p. 251 |
| References | p. 252 |
| Sample Threat Response Matrix | p. 253 |
| About the Authors | p. 255 |
| Index | p. 257 |
| Table of Contents provided by Syndetics. All Rights Reserved. |