Home Page Icon
Home Page
Table of Contents for
Assessing and Managing Security Risk in IT Systems
Close
Assessing and Managing Security Risk in IT Systems
by John McCumber
Assessing and Managing Security Risk in IT Systems
COVER PAGE
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
TITLE PAGE
COPYRIGHT PAGE
DEDICATION
INTRODUCTION
HOW TO USE THIS TEXT
WHAT YOU WILL NOT SEE
ACKNOWLEDGMENTS
THE TEXT
TERMS AND DEFINITIONS
REFERENCES
I SECURITY CONCEPTS
1: USING MODELS
INTRODUCTION: UNDERSTANDING, SELECTING, AND APPLYING MODELS
UNDERSTANDING ASSETS
LAYERED SECURITY
USING MODELS IN SECURITY
SECURITY MODELS FOR INFORMATION SYSTEMS
SHORTCOMINGS OF MODELS IN SECURITY
SECURITY IN CONTEXT
REFERENCE
2: DEFINING INFORMATION SECURITY
CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY
INFORMATION ATTRIBUTES
INTRINSIC VERSUS IMPUTED VALUE
INFORMATION AS AN ASSET
THE ELEMENTS OF SECURITY
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
SECURITY IS SECURITY ONLY IN CONTEXT
3: INFORMATION AS AN ASSET
INTRODUCTION
DETERMINING VALUE
MANAGING INFORMATION RESOURCES
REFERENCES
4: UNDERSTANDING THREAT AND ITS RELATION TO VULNERABILITIES
INTRODUCTION
THREAT DEFINED
ANALYZING THREAT
ASSESSING PHYSICAL THREATS
INFRASTRUCTURE THREAT ISSUES
5: ASSESSING RISK VARIABLES: THE RISK ASSESSMENT PROCESS
INTRODUCTION
LEARNING TO ASK THE RIGHT QUESTIONS ABOUT RISK
THE BASIC ELEMENTS OF RISK IN IT SYSTEMS
INFORMATION AS AN ASSET
DEFINING THREAT FOR RISK MANAGEMENT
DEFINING VULNERABILITIES FOR RISK MANAGEMENT
DEFINING SAFEGUARDS FOR RISK MANAGEMENT
THE RISK ASSESSMENT PROCESS
II THE MCCUMBER CUBE METHODOLOGY
6: THE MCCUMBER CUBE
INTRODUCTION
THE NATURE OF INFORMATION
CRITICAL INFORMATION CHARACTERISTICS
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
SECURITY MEASURES
TECHNOLOGY
POLICY AND PRACTICE
EDUCATION, TRAINING, AND AWARENESS (HUMAN FACTORS)
THE MODEL
OVERVIEW
USE OF THE MODEL
REFERENCES
7: DETERMINING INFORMATION STATES AND MAPPING INFORMATION FLOW
INTRODUCTION
INFORMATION STATES: A BRIEF HISTORICAL PERSPECTIVE
AUTOMATED PROCESSING: WHY CRYPTOGRAPHY IS NOT SUFFICIENT
SIMPLE STATE ANALYSIS
INFORMATION STATES IN HETEROGENEOUS SYSTEMS
BOUNDARY DEFINITION
DECOMPOSITION OF INFORMATION STATES
STEP 1: DEFINING THE BOUNDARY
STEP 2: MAKE AN INVENTORY OF ALL IT RESOURCES
STEP 3: DECOMPOSE AND IDENTIFY INFORMATION STATES
DEVELOPING AN INFORMATION STATE MAP
REFERENCE
8: DECOMPOSING THE CUBE FOR SECURITY ENFORCEMENT
INTRODUCTION
A WORD ABOUT SECURITY POLICY
DEFINITIONS
THE MCCUMBER CUBE METHODOLOGY
THE TRANSMISSION STATE
TRANSMISSION: CONFIDENTIALITY
TRANSMISSION: INTEGRITY
TRANSMISSION: AVAILABILITY
THE STORAGE STATE
STORAGE: CONFIDENTIALITY
STORAGE: INTEGRITY
STORAGE: AVAILABILITY
THE PROCESSING STATE
PROCESSING: CONFIDENTIALITY
PROCESSING: INTEGRITY
PROCESSING: AVAILABILITY
RECAP OF THE METHODOLOGY
9: INFORMATION STATE ANALYSIS FOR COMPONENTS AND SUBSYSTEMS
INTRODUCTION
SHORTCOMINGS OF CRITERIA STANDARDS FOR SECURITY ASSESSMENTS
APPLYING THE MCCUMBER CUBE METHODOLOGY FOR PRODUCT ASSESSMENTS
STEPS FOR PRODUCT AND COMPONENT ASSESSMENT
INFORMATION FLOW MAPPING
DEFINE THE BOUNDARY
TAKE AN INVENTORY OF INFORMATION RESOURCES AND COMPONENTS
DECOMPOSE AND IDENTIFY ALL INFORMATION STATES
CUBE DECOMPOSITION BASED ON INFORMATION STATES
CALL OUT THE INFORMATION STATE COLUMN
DECOMPOSE BLOCKS BY ATTRIBUTE
IDENTIFY EXISTING AND POTENTIAL VULNERABILITES
DEVELOP SECURITY ARCHITECTURE
DESCRIBE REQUIRED SAFEGUARDS
COST OUT ARCHITECTURE COMPONENTS AND ENFORCEMENT MECHANISMS
RECAP OF THE METHODOLOGY FOR SUBSYSTEMS, PRODUCTS, AND COMPONENTS
REFERENCES
10: MANAGING THE SECURITY LIFE CYCLE
11: SAFEGUARD ANALYSIS
INTRODUCTION
TECHNOLOGY SAFEGUARDS
PROCEDURAL SAFEGUARDS
HUMAN FACTORS SAFEGUARDS
VULNERABILITY-SAFEGUARD PAIRING
HIERARCHICAL DEPENDENCIES OF SAFEGUARDS
SECURITY POLICIES AND PROCEDURAL SAFEGUARDS
DEVELOPING COMPREHENSIVE SAFEGUARDS: THE LESSONS OF THE SHOGUN
IDENTIFYING AND APPLYING APPROPRIATE SAFEGUARDS
COMPREHENSIVE SAFEGUARD MANAGEMENT: APPLYING THE MCCUMBER CUBE
THE ROI OF SAFEGUARDS: DO SECURITY SAFEGUARDS HAVE A PAYOFF?
12: PRACTICAL APPLICATIONS OF MCCUMBER CUBE ANALYSIS
INTRODUCTION
APPLYING THE MODEL TO GLOBAL AND NATIONAL SECURITY ISSUES
PROGRAMMING AND SOFTWARE DEVELOPMENT
USING THE MCCUMBER CUBE IN AN ORGANIZATIONAL INFORMATION SECURITY PROGRAM
USING THE MCCUMBER CUBE FOR PRODUCT OR SUBSYSTEM ASSESSMENT
USING THE MCCUMBER CUBE FOR SAFEGUARD PLANNING AND DEPLOYMENT
TIPS AND TECHNIQUES FOR BUILDING YOUR SECURITY PROGRAM
ESTABLISHING THE SECURITY PROGRAM: DEFINING YOU
AVOIDING THE SECURITY COP LABEL
OBTAINING CORPORATE APPROVAL AND SUPPORT
CREATING PEARL HARBOR FILES
DEFINING YOUR SECURITY POLICY
DEFINING WHAT VERSUS HOW
SECURITY POLICY: DEVELOPMENT AND IMPLEMENTATION
REFERENCE
III APPENDICES
APPENDIX A VULNERABILITIES
INTRODUCTION
THE PROBLEM: VULNERABILITY MEANS DIFFERENT THINGS
THE APPROACH: INTRODUCING A NEW TERM—EXPOSURE
DISTINGUISHING BETWEEN VULNERABILITIES AND EXPOSURES
DEFINITION
SHORT DESCRIPTION
DEFINITIONS
RATIONALE
EXAMPLES
WHAT IS A CVE CANDIDATE?
THE TWO WAYS NEW SECURITY ISSUES BECOME CANDIDATES
DATA SOURCES
CANDIDATE NUMBERING AUTHORITIES
HOW LONG IT TAKES FOR CANDIDATES TO BECOME OFFICIAL CVE ENTRIES
HOW CANDIDATES ARE AFFECTED BY CVE CDS
THE CANDIDATE NUMBERING PROCESS
CVE CANDIDATES
CANDIDATE NUMBERING AUTHORITY
CVE EDITOR
PHASES OF A CVE CANDIDATE
FROM CANDIDATE TO CVE ENTRY
TO LEARN MORE
MITRE
REFERENCE
APPENDIX B RISK ASSESSMENT METRICS
OVERVIEW OF THE BASIC RISK ASSESSMENT PROCESS
RISK ASSESSMENT METRICS
THREAT METRICS
VULNERABILITY METRICS
ASSET METRICS
BASELINE RISK FACTORS
SAFEGUARD CALCULATIONS
OBTAINING RISK ASSESSMENT DATA
RISK ASSESSMENT DECISION SUPPORT TOOLS
REFERENCE
APPENDIX C DIAGRAMS AND TABLES
INTRODUCTION
REFERENCE
APPENDIX D OTHER RESOURCES
INTRODUCTION
THREAT INFORMATION
VULNERABILITY AND SAFEGUARD INFORMATION
ASSET INFORMATION
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Assessing and Managing Security Risk in IT Systems
Next
Next Chapter
Assessing and Managing Security Risk in IT Systems
Table 7.2 Inventory Checklist
⁏
Network Systems Topology Map
⁏
Inventory Lists
⁏
Equipment Lists
⁏
Thorough Walkthrough
⁏
Other Documentation
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset