487
Index
A
Acceptable Use policy, 35, 48, 52
Access
control, 185, 231, 475
company security posture and, 391
inadequate, 368
systems, 31
emergency, 478
lists, purging of, 349
privileged, 398, 399
Accounting systems, 12
Acquisitions, 104, 112
Ad hoc data classification policy, 284
AICPA, see American Institute of Certified Public Accountants
ALE, see Annual Loss Expectancy
Alert
notification, 221
services, 28
Amazon, 371
American Institute of Certified Public Accountants (AICPA), 19, 239, 317, 412
SysTrust, 240
WebTrust, 19, 21, 241
Annual Loss Expectancy (ALE), 217
Anti-virus software, 453
Application(s)
backing up of, 300
development security, 31
owners, 129
Application service provider (ASP), 117, 127, 153, 170, 309
company information secured by, 318
model, 216
relationships, 153
technical security of, 310
third-party, 309
ASP, see Application service provider
Asset classification and control, 230
Attack(s)
denial-of-service, 1, 8, 14, 373
detection of, 377
evolution of, 404
insider, 72
scenario, 444
signature updates, 222
Attorney review, 311
Audit
controls, 479
data, collection of, 242
financial statement, 239
reports, 122
settings, 185
Authentication, 366, 481
process, 185
software, 9
B
Backup and recovery, 48, 133, 297–308
Backup tapes, 304
Badge scanning, 332, 334
Balance sheet ratios, 113
Bankruptcy, 117
Baseline security assessment, 59
B2B, see Business-to-business
B2C, see Business to consumer
BEA Systems WebLogic Integration, 12
Benchmarking, 237
Best-of-breed technology, 25
Best practices, 17, 185
information security, 197
questions based on, 255
technology, 18, 197
third-party knowledge of, 59
vendor, 187, 243
Better Business Bureau Online Privacy Seal, 19
Biometric identification system, 482
British Standards, 229
Budgetary authority, 144
Business
associate contracts, 465
changes to, 67
continuity, 133
management, 232
planning, 32, 321, 322
drivers, 69, 83
enabler, 26
impact, 201
analysis of, 200
calculation of, 200
definition of, 198
488
A Practical Guide to Security Assessments
process(es)
critical, 145
description of, 127
employee knowledge of, 84
questions, 125
–related interviews, 165, 177
review, 166
technology supporting, 127
unit information, 111
Business-to-business (B2B), 170, 361–369
architecture, 366–369
general, 362–365
partnerships, 266
policy, 48
problems, 117
relationships, 5, 6, 108, 362
Business to consumer (B2C), 172, 371–384
database, 374
data integrity, loss of, 375
e-commerce processes, 241
Internet access and, 278
policy, 48
security policy, risks of not having, 372
Web site, 374, 377
Business Process Evaluation, 62, 66, 139–163
analysis of information collected and documenting of findings, 156–158
executive summary, 162–163
meeting with business process owners, 154–156
interviews, 154–156
potential pitfalls, 156
preparation for meetings, 154
potential concerns, 161
question sets for process reviews, 151–153
review of company and key business processes, 142–151
business environment, 147
critical business processes, 145–147
management concerns regarding information security, 151
organization structure, 148–151
planned changes that may impact security, 148
status meeting with client, 158–161
discussion of critical technologies, 160–161
findings, 160
status based on project plan, 160
Business process owners, 271–276
business process–related questions, 271–273
interviews with, 80, 154
meeting with, 154
security-related questions, 273–276
C
Caching, 379
Canadian Institute of Chartered Accountants (CICA), 19, 21, 240
CAs, see Chartered Accountants
Cash flows, 315
CC, see Common Criteria
Center for Internet Security benchmarks, 19
CEOs, see Chief executive officers
Certified Information Security Manager (CISM), 33
Certified Information Systems Auditor (CISA), 29, 32
Certified Information Systems Security Professional (CISSP), 9, 29, 30, 411
Certified Public Accountants (CPAs), 20, 239
CFO, see Chief financial officer
CFR, see Code of Federal Regulations
Change(s)
control committee, 389
emergency, 390
management, 133, 231, 275, 385–390
policy, 385, 412
process, 280
Chartered Accountants (CAs), 20
Chief executive officers (CEOs), 250
Chief financial officer (CFO), 216, 250
Chief information officer (CIO), 149
Chief Information Security Officer (CISO), 149
Chief Security Officer (CSO), 24, 25, 49
CICA, see Canadian Institute of Chartered Accountants
CIO, see Chief information officer
CISA, see Certified Information Systems Auditor
Cisco, 18, 243
CISM, see Certified Information Security Manager
CISO, see Chief Information Security Officer
CISSP, see Certified Information Systems Security Professional
Clean desk policy, 134, 340
Client(s)
communication, 64, 94
disaster recovery plan of, 461
expectations, 95, 102
feedback, 160
information gathered from, 118, 119
lack of cooperation from, 161
learning during interviews with, 123
meetings, preparation for, 259
recommendations to, 212
risk analysis, data encryption and, 479
security weaknesses known by, 208
sign-off, 180
status meeting with, 158, 189, 192
COBIT, see Control Objectives for Information Technology
Code of Federal Regulations (CFR), 251
Commercial Off the Shelf (COTS) package, 375
Common Criteria (CC), 232, 233
Communication, lack of, 129
Company
backup strategy, 301
credit cards, 345
data, secure, 367
e-mail functionality, 279
layoffs, 104
password practices, 396
reputation, 372
-specific information, access to, 319
strategic direction of, 142
tolerance for downtime, 319
Web site, 107
Compliance reviews, 40
Computer Fraud and Abuse Act, 246
Computer Security Institute, 8, 72
Confidential data, classification of, 287
Confidentiality, breach of, 323
Consumer information, privacy of, 245
Contingency plan
HIPAA, 460
strategies, 32
Continuing professional education (CPE), 30
Control Objectives for Information Technology (COBIT), 234
control objectives, 236
Framework document, 234, 236
Implementation Tool Set, 235
management guidelines, 237
Cookies, 379
COTS package, see Commercial Off the Shelf package
Covered entities, compliant, 431
CPAs, see Certified Public Accountants
CPE, see Continuing professional education
Credibility, lost, 255
Critical data, 129, 302
Critical servers, 185
Cryptography, 31, 32
CSO, see Chief Security Officer
Customer(s)
confidence, loss of, 380
credibility with, 103
information
compromised, 196
privacy of, 57
stolen, 372
loss of, 312, 319
responsibilities, 407
Cyber threats, 10, 14, 15
D
Data
audit, 242
backup, 475
center, physical security of, 336
classification, 283–289
confidentiality, 12, 323, 423
critical, 169, 464
destruction, 295
encryption, 479
identification of critical, 46
integrity, 12
labeling, 288
loss, 322
owners
backup and recovery strategy, 299
retention period, 294
paper-based, 307
restoration, 274
retention, 133, 291–295, 298
unavailable, 301
Decryption, 479
Default IDs, 477
Deliverable
final, 99
template, 97, 98, 102
Denial-of-service attacks, 1, 8, 14, 373
Department of Homeland Security Web site, 253
Digital certificates, 366
Digital Millennium Copyright Act, 246
Digital signatures, 482
Disaster Recovery Institute, 461
Disaster recovery plan, 275, 365, 408, 461, 467, 468
Distributed systems, 5
Draft report, 227, 228
Due diligence process, 320
Dumb terminals, 5
E
E-commerce, 1, 37, 170, 272
environment, site down in, 319
initiative, 55
revenues generated through, 61
systems, availability requirements, 12
transaction, fraudulent, 380
vendors, 147
EDI, see Electronic data interchange
Electronic data interchange (EDI), 6, 361
Electronic files, destruction of, 293
E-mail
down, 187
forward command, 10
security tips via, 452
Employee(s)
building access provided to, 331
compliance, 51
disgruntled, 72, 334, 349
HIPAA provisions affecting, 451
information, 11
knowledge of company, 83
new, 393
number of, 108
termination, 133, 273, 343–350
turnover, 70
voice mail, 381
Encryption, 301, 320, 366, 479, 484
Enron scandal, 15, 58, 245, 250
Enterprise Resource Planning (ERP), 5, 7, 12
Equipment protection, 338
ERP, see Enterprise Resource Planning
European Commission Directive on Data Protection, 252
Executive support, 50, 51
eXtensible Markup Language (XML), 361
External audit reports, 122
Externally hosted services, 309–324
Extranet, 6
F
Facility
access requirements, 468
security plan, 468
Family Educational Rights and Privacy Act (FERPA), 116, 330
FBI, see Federal Bureau of Investigation
FDA, see Food and Drug Administration
Fear, Uncertainty, and Doubt (F.U.D.), 218
Federal Bureau of Investigation (FBI), 8, 72, 242
Federal Food, Drug, and Cosmetic Act, 251
Federal Information Security Management Act (FISMA), 252, 253
Federal Register, 425, 432, 467, 470
Federal Trade Commission (FTC), 13, 248, 323
investigation, 13
requirements of, 66
FERPA, see Family Educational Rights and Privacy Act
Final report
presentation of, 224
template for, 134, 138
Financial fraud, 8
Financial information, 109
Financial services, backup processes of, 297
Financial statements, 130, 239
Firewall(s), 9, 169
architecture, 213
B2C application in front of, 378
deployment, 378
managed, 221
placement, 186
review, 193
vendors, 221
FISMA, see Federal Information Security Management Act
Floppy disks, disposal of, 420
Flowcharting, 158
Food and Drug Administration (FDA), 251
Fraud, financial, 8
Freeware, 54, 182
FTC, see Federal Trade Commission
F.U.D., see Fear, Uncertainty, and Doubt
Funds, justification for, 61, 66
G
GAAS, see Generally Accepted Auditing Standards
GASSP, see Generally Accepted System Security Principles
Generally Accepted Auditing Standards (GAAS), 17
Generally Accepted System Security Principles (GASSP), 17, 18
GIAC, see Global Information Assurance Certification
GISRA, see Government Information Security Reform Act
GLBA, see Gramm–Leach–Bliley Act
Global Information Assurance Certification (GIAC), 33
Google, 117
Government Information Security Reform Act (GISRA), 252
Government regulations, 42
Gramm–Leach–Bliley Act (GLBA), 13, 60, 109, 245
companies forced to have information security programs by, 70
company compliance with, 273
company information security and, 147
knowledge, consultants with, 85
safeguarding of paper documents under, 330
security assessment required by, 260
security requirements, 249
signing of into law, 248
Guard-controlled physical access, 336
Guest IDs, 477
H
Hacker(s), 10, 54, 349
prime target for, 267
publicized stories of, 371
tools, 14
Hands-on testing, 139, 177, 179
process, 184
production environment, 180
skill set, 181
Hardware standards, 265
Health care
clearinghouse, 426, 447
companies, backup processes of, 297
Health information, electronic protected, 449
Health Insurance Portability and Accountability Act (HIPAA), 13, 60, 69, 109, 245, see also HIPAA security
assigned security responsibility, 439
business associate contracts, 465
companies forced to have information security programs by, 70
company compliance with, 273
company information security and, 147
contingency plan, 460
covered entity, 425, 428
emergency mode operation plan, 462
evaluation, 464
information access management, 446
introduction of, 246
knowledge, consultants with, 85
noncompliance policy, 437
password management, 456
questionnaires, 258
requirements, 423
risk management, 436
safeguarding of paper documents under, 330
sanctions for noncompliance, 438
termination procedures, 445
workforce security, 441
Health maintenance organization (HMO), 425
High-speed remote access, 7
HIPAA, see Health Insurance Portability and Accountability Act
HIPAA security, 423–485
administrative procedures, 432–466
assigned security responsibility, 439–441
business associate contracts, 465–466
contingency plan, 460–464
evaluation, 464–465
information access management, 446–450
security awareness and training, 450–458
security incident procedures, 458–460
security management process, 433–439
workforce security, 441–446
applicable data and processes, 428–431
compliance process, 472
covered entity, 425–428
physical safeguards, 466–470
questionnaire structure, 424–425
regulations, 424, 430
requirements, 74, 431–432
compliance date for, 248
goal of, 247
technical safeguards, 475–484
access control, 475–479
audit controls, 479–480
integrity, 480–481
person or entity authentication, 481–482
transmission security, 482–484
use of questionnaire, 423–424
workstation-related requirements, 470–475
device and media controls, 473–475
workstation security, 471–472
workstation use, 470–471
HMO, see Health maintenance organization
HR, see Human resources
Human resources (HR), 57, 76, 292, 449
lack of communication between other departments and, 343
use of IT resources discussed by, 276
I
ID card, 332
IDS, see Intrusion detection systems
Incident(s)
detection methods, 131
handling, 133, 242, 275, 328, 351–360, 365
classification of incident, 353–354
general, 351–353
investigation of incident, 356–359
post-incident analysis, 359–360
process, 459
reporting of incident, 354–356
management, 34, 231
media handling, 417
response process, 131, 321
Income statement, 113
Incremental backups, 299
Information
access management, HIPAA, 446
analysis, 156, 158
availability of, 10
business unit, 111