Table of Contents
Chapter 1
Introduction ..........................................................................................1
Chapter 2
Evolution of Information Security.......................................................5
Introduction................................................................................................................5
Distributed Systems and the Internet ........................................................................5
Business-to-Business (B2B) Relationships...............................................................6
Remote Access...........................................................................................................6
Enterprise Resource Planning (ERP) ........................................................................7
Information Security Today.......................................................................................9
Why Protect Information Assets?..............................................................................9
The Internet and the Availability and Accessibility of Information .............10
Shift from Paper-Based to Electronic-Based Information ............................11
Integration of Systems ...................................................................................11
Legislation......................................................................................................13
Cyber-Related Threats ...................................................................................14
Growing Role of Internal Audit ..............................................................................15
Security Standards ...................................................................................................16
Best Practice Standards..................................................................................17
Technical Standards .......................................................................................18
Marketplace Standards...................................................................................19
Better Business Bureau (BBB) Online Privacy Seal ........................19
AICPA/CICA WebTrust Program......................................................21
Organizational Impacts............................................................................................23
Rise of the Chief Security Officer.................................................................24
Autonomous Departments Devoted to Information Security........................27
Independence and the Ability to Escalate .........................................27
Expertise.............................................................................................28
Security Certifications .............................................................................................29
Vendor-Neutral Certifications ........................................................................30
Certified Information Systems Security Professional (CISSP).........30
Certified Information Systems Auditor (CISA) ................................32
System Administration and Network Security Certifications (SANS) — GIAC (Global Information Assurance Certification) .......................................................33
CISM (Certified Information Security Manager)..............................33
Vendor-Specific Certifications .......................................................................34
Trends in Information Security ...............................................................................34
Focus on the Overall Information Security Program....................................35
Security Spending Is Tightening ...................................................................37
AU1706_book.fm Page ix Tuesday, August 17, 2004 11:02 AM
Growing Awareness of Information Security ................................................38
Outsourcing Security Functions.....................................................................38
Government Regulations................................................................................42
Notes ........................................................................................................................42
Chapter 3
The Information Security Program and How a Security Assessment Fits In .............................................................45
What Is an Information Security Program?............................................................45
Security Strategy............................................................................................45
Security Policies and Procedures...................................................................47
Security Organization.....................................................................................49
Executive Support ..........................................................................................50
Training and Awareness .................................................................................51
Toolsets...........................................................................................................53
Enforcement ...................................................................................................54
How Does a Security Assessment Fit In?...............................................................55
Why Conduct a Security Assessment?....................................................................58
Obtaining an Independent View of Security .................................................58
Managing Security Risks Proactively............................................................59
Determining Measures to Take to Address Any Regulatory Concerns ........60
Justification for Funds....................................................................................61
The Security Assessment Process ...........................................................................62
Executive Summary.................................................................................................65
Chapter 4
Planning..............................................................................................67
Defining the Scope ..................................................................................................67
Business Drivers.............................................................................................69
Proactive Approach to Security .........................................................70
Regulatory Concerns..........................................................................70
Justification for Additional Funds for Information Security Initiatives.............................................................71
Security Incident Has Occurred.........................................................71
Disgruntled Employees......................................................................72
Changes in the IT Environment.........................................................73
Mergers and Acquisitions ..................................................................73
Scope Definition.............................................................................................74
Analysis..............................................................................................76
Define the Scope of Work..................................................................77
Potential Scope Issues....................................................................................79
Scope Creep .......................................................................................79
Incorrect Assumptions........................................................................79
Lack of Standards ..............................................................................80
Staffing ...............................................................................................80
Consultant’s Perspective ................................................................................82
Client’s Perspective........................................................................................83
Internal Employees ............................................................................83
Third-Party Consultants .....................................................................84
Kickoff Meeting.......................................................................................................87
Develop Project Plan ...............................................................................................92
Set Client Expectations ...........................................................................................94
Understanding the Meaning of a Security Assessment.................................94
Key Communications.....................................................................................97
Status Meetings..................................................................................97
Deliverable Template .........................................................................98
Executive Summary...............................................................................................100
Defining Scope.............................................................................................100
Staffing .........................................................................................................100
Kickoff Meeting ...........................................................................................101
Develop Project Plan....................................................................................101
Set Client Expectations................................................................................102
Notes ......................................................................................................................102
Chapter 5
Initial Information Gathering...........................................................103
Benefits of Initial Preparation ...............................................................................103
Credibility with the Customer .....................................................................103
Ability to Ask the Right Questions .............................................................104
Gather Publicly Available Information..................................................................105
Where Is This Information Found?.......................................................................105
Company Web Site.......................................................................................107
General Company News ..................................................................107
Operations-Related Information ......................................................108
Planned Initiatives............................................................................109
Management Team...........................................................................109
Financial Information.......................................................................109
Web-Based Offerings .......................................................................110
Sense of Dependency on the Web Presence....................................110
Financial Statements ....................................................................................111
Form 10K — Annual Report...........................................................111
Form 10Q — Quarterly Report .......................................................115
Form 8K — Report of Unscheduled Material Events ....................115
Trade Journals ..............................................................................................116
Other Articles on the Internet ......................................................................117
Gather Information from the Client ......................................................................117
Analyze Gathered Information..............................................................................123
Prepare Initial Question Sets.................................................................................123
Business Process–Related Questions...........................................................125
Significant Business Processes and Supporting Technologies........126
Integration Points with Other Departments.....................................129
Past Security Incidents.....................................................................130
Planned Initiatives............................................................................132
Other Interviewee-Specific Questions .............................................132
Traditional Security-Related Questions.......................................................132
Develop and Document Template for Final Report..............................................134
Executive Summary...............................................................................................136
Gather Publicly Available Information........................................................137
Gather Information Using an Initial Questionnaire ....................................137
Analyze Gathered Info.................................................................................137
Prepare Initial Question Sets .......................................................................138
Develop and Document Template for Final Report ....................................138
Chapter 6
Business Process Evaluation............................................................139
General Review of Company and Key Business Processes .................................142
Critical Business Processes..........................................................................145
Business Environment..................................................................................147
Planned Changes That May Impact Security..............................................148
Organization Structure .................................................................................148
Management Concerns Regarding Information Security............................151
Finalize Question Sets for Process Reviews.........................................................151
Meet with Business Process Owners ....................................................................154
Preparation for Meetings .............................................................................154
Interviews with Process Owners..................................................................154
Potential Pitfalls ...........................................................................................156
Analyze Information Collected and Document Findings.....................................156
Status Meeting with Client....................................................................................158
Findings........................................................................................................160
Status Based on Project Plan.......................................................................160
Discussion of Critical Technologies ............................................................160
Potential Concerns During This Phase .................................................................161
Executive Summary...............................................................................................162
Chapter 7
Technology Evaluation.....................................................................165
General Review of Technology and Related Documentation...............................166
Develop Question Sets for Technology Reviews..................................................170
Meet with Technology Owners and Conduct Detailed Testing............................174
Interviews.....................................................................................................176
Hands-On Testing.........................................................................................177
Reasons for Conducting Detailed Testing .......................................177
Test Planning and Related Considerations ......................................180
Manual vs. Automated Testing ........................................................181
Tool Selection...................................................................................182
Process for Conducting Detailed Technology Testing ....................183
Common Detailed Technology Testing .......................................................184
Analyze Information Collected and Document Findings.....................................187
Status Meeting with Client....................................................................................189
Potential Concerns During This Phase .................................................................189
Executive Summary...............................................................................................191
Chapter 8
Risk Analysis and Final Presentation ..............................................193
Risk Analysis and Risk Score Calculation ...........................................................193
Risk Score Calculation.................................................................................197
Business Impact ...............................................................................198
Calculation of Business Impact.......................................................200
Analysis of Business Impact ...........................................................200
Probability — Medium ....................................................................200
Potential Impact to the Business — Medium .................................201
Level of Control...............................................................................201
Determination of Risk Score ...........................................................204
Finalize Findings and Risks ..................................................................................205
Finalize Wording for Findings.....................................................................205
Document Risks and Criticality...................................................................209
Develop Recommendations and Prepare Draft Report.........................................210
Develop and Document Recommendations.................................................212
Characteristics of Good Recommendations ................................................214
Address the Risk ..............................................................................214
Provide Enough Detail.....................................................................215
Cost Effectiveness (Return on Security Investment).......................215
Other General Recommendations................................................................218
Ongoing Assessment........................................................................219
Managed Security Services..............................................................220
Discuss Draft Report with Client..........................................................................222
Present Final Report to Management....................................................................224
Potential Concerns During This Phase .................................................................226
Executive Summary...............................................................................................227
Notes ......................................................................................................................228
Chapter 9
Information Security Standards .......................................................229
International Standards Organization 17799 (ISO 17799) ...................................229
Use in a Security Assessment......................................................................232
Common Criteria (CC)..........................................................................................232
Structure of the Common Criteria...............................................................233
Use in a Security Assessment......................................................................233
COBIT (Control Objectives for Information [Related] Technology)...................234
COBIT Structure..........................................................................................234
IT Governance Self Assessment ......................................................235
Management’s IT Concern Diagnostic............................................236