Index
Office supplies, 187
Open Source Security Testing Methodology Manual (OSSTMM), 200–201
Operational impact, 84–86
Operations
backup and recovery, 151
as business recovery activity, 187
handing back to management, 184–85
Organizational security management, 295–99
convincing management of need, 297–99
organizational structure, 296–97
security group placement, 296
security perceptions, 295
Organized/deliberate destruction, 42–54
acts of sabotage, 44–47
acts of terrorism, 42–44
acts of war, 47–49
arson, 53–54
labor disputes/industrial action, 54
theft, 49–53
See also Emergency Incident Assessment
Packet filters, 103
Password cracking, lix–lx
defined, lx
for self-defense, lxi–lxii
Password management, lvii–lxiii
basic, lvii–lviii
biometric systems, lviii
L0phtCrack (LC5), lx–lxi
SmartCards, lviii
Passwords, lii
attack countermeasures, lxiii
good, characteristics, lix
Patches, 206–7
Penetration testing, 223, 233–34
Perimeter audits, 228–29
Personnel security, 304–5
Petroleum/oil shortage, 55
Physical access, xli
Physical facility questionnaire, 291–94
Physical security, 307
Physical security team, 127–28
Port protection devices (PPDs), lv–lvi
Premises issues, 131
Presidential Decision Directive (PDD) 63 and 67, 13
Preventative controls, 107–15
air conditioning, 111–12
backup/recovery management, 108–9
data backup, 108
electronic file archives, 110
emergency master system shutdown switches, 114–15
file recovery/restore, 110
fire suppression/control systems, 112–14
gasoline-/diesel-powered generators, 111
heat-resistant/waterproof containers, 114
information archives, 109
offsite storage, 109
smoke detectors/fire extinguishers, 114
subfloor cabling and water detection system, 114
system restart/recovery, 107–8
UPSs, 110–11
water sensors, 114
Preventative measures, 100–107
antivirus, anti-spyware, anti-spam software, 105–6
encryption, 104
firewalls, 103–4
intrusion detection and prevention systems, 105
theft prevention, 107
VPNs and remote access, 100–103
Privacy standards/regulations, xxxv–xxxvi
Production equipment, 189
Production line failure, 57–58
Project initiation, 3
Property
damage assessment, 176–81
proprietary/intellectual, theft prevention, 107
Protective measures, 309–10
Proxy servers, 104
Public relations team, 128
Public transportation disruption, 63
Quantitative impact analysis, 29
RAID
configurations, 139
data striping, 138
defined, 138
RAID 0+1, 141
RAID-1, 139
RAID-2, 139–40
RAID-3, 140
RAID-4, 140
RAID-5, 140
RAID-6, 140
RAID-10, 141
RAID-50, 141
See also Storage
Records loss, 60
Recovery
administration and operations, 151
business, 117
cost balancing, 82
critical path, 166
customer service, 150–51
data files, 110
disaster, 117
IT systems, 136–52
key BCP personnel and, 152
key documents and procedures, 152–53
key information/documentation, 151–52
manpower strategies, 118–19
premises and essential equipment, 150
procedures, 133–36
procedures management, 108–9
procedures review, 90–93
processes, 137
secure, 164
strategies, 133
system, 107–8
water-damaged documents, 177
See also Backups
Recovery checklist, 283–89
incident response team, 283–89
systems and operations, 286–89
Recovery site
backup, 181
designating, 181
reassembly at, 182
Recovery strategies, 4
Recovery teams
administration, 121
business (BRT), 120, 172, 250
business function recovery, 121–22
command center, 122
constituting, 120–29
damage assessment, 122
disaster (DRT), 119–20, 158, 165–67
emergency management, 122–23
emergency purchasing, 123
equipment installation, 123–24
executive management, 124
facilities preparation, 124–25
finance, 125–26
functional areas, 120–21
information services, 126–27
leaders, 128–29
legal, 127
members, 129
physical security, 127–28
public relations, 128
Remote journaling, 141–42
defined, 141–42
process, 142
Reporting requirements, 19
Reports
business recovery, 185
disaster recovery, 168–69
SAS70, 13
Resource dependencies
determining, 74–81
external computer system, 80
fax, 76
internal work group, 79
job function, 75
LAN/WAN, 79
mainframe computer, 77
personal computer (PC), 76
printer, 78
server/mid-range computer, 77
telephone, 75
unique equipment, 78
vital records, 80
See also Business impact analysis (BIA)
Resource requirements matrix, 81
Restarting system, 107–8
Restoring
application data, 182
data files, 110
data from backups, 182
LANs, 149
See also Recovery
Review, 249
Risk analysis, 300–301
asset identification, 301
threat identification, 301
Risk assessment, 28–94
business, 65–69
business impact analysis, 69–86
defined, 28
elements, 28–29
emergency incident, 30–64
models, 29–30
quantitative impact analysis, 29
reliable, 30
report, 68–69
Risk-benefit analysis, 66–67
Risk certification, 26–27
defined, 26
elements, 26
results, 27
Risk level matrix, 68
Risk management, 27, 117
assessment, 28–94
defined, 27
processes, 27
risk managers, 28
Risk(s)
assessing, 23–94
assumption, 97
avoidance, 98
limitation, 98
management analysis, 216
planning, 98–99
priorities, 216
testing, 198–99
transference, 99–100
Role-based access control (RBAC), xlviii
SAS70 reports, 13
Scheduled maintenance, 246
Secure gateways, lvi
Secure recovery, 164
Security
checklists, 222–23
cost, 309
ease of use vs., 309
goals, 59
group placement in organization, 296
information, 193, 197–200
need, convincing management, 297–99
organizational structure, 296–97
perceptions, 295
personnel, 304–5
physical, 307
system, 306–7
time-based, 219–20
training, 300
Security education, xxxiii–xl
awareness, xxxiv
GLBA, xxxvi, xxxvii–xxxviii
HIPAA, xxxiii–xl, xxxvi
NAIC, xxxvi–xxxvii
policy dissemination/enforcement, xxxiii
privacy standards/regulation, xxxv–xxxvi
social engineering and, xxxv
target, xxxiv
Security management, 295–321
alerts and advisories, 302–3
areas of responsibility, 299–300
awareness programs, 299–300
convincing management of need, 297–99
e-mail, 305
employee termination procedures, 303–4
incident handling, 301–2
Internet use, 305
organizational, 295–99
organizational structure, 296–97
personnel security, 304–5
practices, lxiii–lxiv
risk analysis, 300–301
security group placement, 296
security perceptions, 295
sensitive information, 305–6
training, 304
warning banners, 303
Security policies, 307–12
Access Policy, 311
Accountability Policy, 311
approach, 308
Authentication Policy, 311
Availability Statements, 311
components, 310–12
Computer Technology Purchasing Guidelines, 312
definition and purpose, 310
development, auditors role, 208–10
establishment of, xliii
good, 310
Network Maintenance Policy, 311
protective measures implementation, 309–10
review, 312
static, 210
threat likelihood, 309
Violations Reporting Policy, 312
what needs protection, 308
Security professionals
accountability, 321
certification, 315–18
hiring, 315
identifying, 314–15
insider threats and, 313–14
management of, 318–21
organizational structure, 319–20
reporting relationships, 320
working relationships, 320
Security-related jobs, 318
Security testing, 197–200
concepts and application, 198
confidentiality, 199
frequency, 199–200
open source methodology manual, 200–201
results, measurement and interpretation, 199
risks, 198–99
thoroughness, 199
traceability, 199
Sensitive information, 60–61, 305–6
Server clustering, 143–44
asymmetric clusters, 143
defined, 143
illustrated, 143
symmetric clusters, 144
Servers
defined, 149
loss of, 149
proxy, 104
Service continuity, 228
Service interruption measurement, 84
Shadowing, 143
SmartCards, lviii
Smoke detectors, 114
Social engineering, xxxi–xxxii, xxxv
Software
application, 227
backup, 148–49
COTS, 203–4
piracy, 51
system, 227–28
Standby operating systems, 145
State Emergency Operations Center (SEOC), 163
Storage, 137–45
disk replication, 142–43
electronic vaulting, 144
NAS, 145
RAID, 138–41
remote journaling, 141–42
SAN, 145
server clustering, 143–44
shadowing, 143
virtualization, 145
Storage area networks (SANs), 145
Subscription fraud, 51
System logs review, 223
System patches, 206–7
Systems Development Life Cycle (SDLC), 8–11
defined, 8
development/acquisition phase, 10
disposal phase, 11
implementation phase, 10
needs analysis and initiation phase, 9
operation and maintenance phase, 10–11
phases illustration, 9
System security, 306–7
System software, 227–28
Telecommunications Act of 1996, 14
Telecommunications fraud, 50–51
Testing, 4
budget, 196–97
business recovery process, 194–97
concepts and application, 198
environment, setting, 195
feedback questionnaires, 196
frequency, 199–200
penetration, 223, 233–34
plan confidentiality, 199
results, measurement and interpretation, 199
risks, 198–99
scenarios, 195
scope/objectives development, 194–95
security, 197–201
team, training, 197
thoroughness, 199
traceability, 199
Tests
control/monitor, 196
data, confidentiality, 199
data, preparing, 196
identifying who conducts, 196
Theft(s), 49–53
categories, 50–51
computer component, 50
internal, 49–50
preventative measures, 52–53
proprietary information, 51
proprietary/intellectual property, prevention, 107
See also Organized/deliberate destruction
Threat Risk Assessment (TRA), 24–25
Threats
determining, 23–27
environmental, 23