Index

Security (continued)
  breach, 372
  function, ownership of, 149
  incident(s), 71
    backup, 300
    data classification policy and, 285
    employee termination and, 346
    past, 130, 272, 313, 327, 346
  management practices, 30
  Officer, 440, 441
  organization, 49, 65
  outsourcing of, 220
  patch levels, 185
  personnel, 78
  policy(ies), 47
    documentation, 121
    employee compliance with, 51
    enforcement of, 54, 55
    fragmented, 35
    interpretation of, 80
    lack of, 268
    lack of enforcement, 36
    noncompliance with, 23
  questionnaires and checklists, 255–258
  -related events, 70
  -related questions, 132
  roadmap, 86, 141, 212, 215, 226, 228
  services, managed, 220
  strategy, 46
  system-enforced, 202
  training, provider of, 242
  transmission, 482
  view of as business enabler, 26
  view of as revenue enabler, 25
  vulnerabilities, 265
  weaknesses
    client knowledge of, 208
    risks associated with, 71
Security Operations Center (SOC), 408, 410
Selling, general, and administrative expenses (SG&A), 114
Servers
  critical, 185
  proxy, 269
Service level agreement (SLA), 41, 236, 303, 312, 313, 364
  monitoring of, 365
  performance metrics, 405
  scope of service, 406
  specifications, 322
Service Level Objectives (SLOs), 303
SG&A, see Selling, general, and administrative expenses
Shareware, 54, 182
Single point of contact (SPOC), 90, 92
SLA, see Service level agreement
SLOs, see Service Level Objectives
SOC, see Security Operations Center
Social engineering, 336, 482
Soft tokens, 482
Software
  anti-virus, 453
  authentication, 9
  maintenance, 39
  malicious, 453
  standards, 265
  updates, 40
SPOC, see Single point of contact
SQL, see Structured query language
Standards, see also Information security standards
  best practice, 17
  encryption, 365
  hardware, 265
  ISO 17799, 9, 17, 69, 132, 248, 283, 415
  lack of, 80
  marketplace, 17, 19
  password, 457
  software, 265
Statement on Auditing Standards (SAS) 70, 239, 412
Status meetings, 97, 158, 189, 192
Structured query language (SQL), 13, 60, 384
SysAdmin, Audit, Network, Security (SANS), 19, 33, 242
System
  hardening measures, 73
  logs, 48, 293
  settings, required changes to, 181
SysTrust, 240
T
TCO, see Total cost of ownership
TCP/IP, see Transmission Control Protocol/Internet Protocol
Technical documents, 121
Technical testing, 78
Technology
  best-practice standards, 197
  owners
    generic questionnaire for meetings with, 277–281
    identification of, 91
    lack of cooperation from, 191
    meeting with, 174
    understanding of security assessment by, 176
Technology evaluation, 62, 66, 165–192
  analysis of information collected and documenting of findings, 187–189
  development of question sets for technology reviews, 170–174
  executive summary, 191–192
  general review of technology and related documentation, 166–170
  meeting with technology owners and conducting of detailed testing, 174–186
    common detailed technology testing, 184–186
    hands-on testing, 177–184
    interviews, 176–177
  potential concerns, 189–191
  status meeting with client, 189
AU1706_Idx.fm Page 497 Saturday, August 21, 2004 6:26 PM
A Practical Guide to Security Assessments
Telephone callback system, 482
Testing
  client approval for, 189
  manual vs. automated, 181
  process for conducting, 184
  time, 189
  tool selection, 182
Theft, proprietary information, 8
Third-party ASP, 309
Third-party consultants, 84, 85
Threat(s)
  cyber-related, 10, 14
  disgruntled employee, 349
Tolerable downtime, 128, 365
Tool licensing issues, 181
Toolsets, 53, 65, 150
Total cost of ownership (TCO), 37
Trade journals, 116
Transmission Control Protocol/Internet Protocol (TCP/IP), 32
Transmissions security, 482
U
Unauthorized access, 325
UNIX, 76, 85–86
Unscheduled material events, report of, 115
User ID(s)
  administration, 133, 391–401, 476
  disabling of, 395
  uniqueness of, 394
U.S. Securities Act of 1933, 7
V
Value Added Network (VAN), 366
VAN, see Value Added Network
VC, see Venture capital
Vendor(s)
  anti-virus, 453
  best practices, 243
  management, 39
  -neutral certifications, 30
  -recommended best practices, 187
  -specific certifications, 34
Venture capital (VC), 315
Virtual private network (VPN), 11, 41, 186, 366
  clientless, 148
  configuration, 186
  remote access via, 266
Viruses, 1, 8
VPN, see Virtual private network
Vulnerability(ies)
  assessment, 96
    managed, 220
    tools, 53
  exploiting of, 265
  management, 73
  process-focused, 178
W
Web
  -based offerings, 110
  presence, dependency on, 110
  server
    administrator access to, 382
    hardening, 376
Web site
  B2C, 374
  company, 107
  defaced, 71, 210, 337
  management team listed on company, 109
  review, 107
WebTrust, 19, 21, 241
  Seal programs, 23
  Security certification, 22
Wireless networks, 56
Workforce
  mobility of, 266
  security, HIPAA, 441
Workstation security, 471
X
XML, see eXtensible Markup Language
Y
Yahoo!, 111, 117