488
A Practical Guide to Security Assessments
process(es)
critical, 145
description of, 127
employee knowledge of, 84
questions, 125
–related interviews, 165, 177
review, 166
technology supporting, 127
unit information, 111
Business-to-business (B2B), 170, 361–369
architecture, 366–369
general, 362–365
partnerships, 266
policy, 48
problems, 117
relationships, 5, 6, 108, 362
Business to consumer (B2C), 172, 371–384
database, 374
data integrity, loss of, 375
e-commerce processes, 241
Internet access and, 278
policy, 48
security policy, risks of not having, 372
Web site, 374, 377
Business Process Evaluation, 62, 66, 139–163
analysis of information collected and documenting of findings, 156–158
executive summary, 162–163
meeting with business process owners, 154–156
interviews, 154–156
potential pitfalls, 156
preparation for meetings, 154
potential concerns, 161
question sets for process reviews, 151–153
review of company and key business processes, 142–151
business environment, 147
critical business processes, 145–147
management concerns regarding information security, 151
organization structure, 148–151
planned changes that may impact security, 148
status meeting with client, 158–161
discussion of critical technologies, 160–161
findings, 160
status based on project plan, 160
Business process owners, 271–276
business process–related questions, 271–273
interviews with, 80, 154
meeting with, 154
security-related questions, 273–276
C
Caching, 379
Canadian Institute of Chartered Accountants (CICA), 19, 21, 240
CAs, see Chartered Accountants
Cash flows, 315
CC, see Common Criteria
Center for Internet Security benchmarks, 19
CEOs, see Chief executive officers
Certified Information Security Manager (CISM), 33
Certified Information Systems Auditor (CISA), 29, 32
Certified Information Systems Security Professional (CISSP), 9, 29, 30, 411
Certified Public Accountants (CPAs), 20, 239
CFO, see Chief financial officer
CFR, see Code of Federal Regulations
Change(s)
control committee, 389
emergency, 390
management, 133, 231, 275, 385–390
policy, 385, 412
process, 280
Chartered Accountants (CAs), 20
Chief executive officers (CEOs), 250
Chief financial officer (CFO), 216, 250
Chief information officer (CIO), 149
Chief Information Security Officer (CISO), 149
Chief Security Officer (CSO), 24, 25, 49
CICA, see Canadian Institute of Chartered Accountants
CIO, see Chief information officer
CISA, see Certified Information Systems Auditor
Cisco, 18, 243
CISM, see Certified Information Security Manager
CISO, see Chief Information Security Officer
CISSP, see Certified Information Systems Security Professional
Clean desk policy, 134, 340
Client(s)
communication, 64, 94
disaster recovery plan of, 461
expectations, 95, 102
feedback, 160
information gathered from, 118, 119
lack of cooperation from, 161
learning during interviews with, 123
meetings, preparation for, 259
recommendations to, 212
risk analysis, data encryption and, 479
security weaknesses known by, 208