Index

Note: Page numbers followed by f and t indicate figures and tables, respectively.

A

acceptable use policy (AUP), 67, 221

acceptance of risk, 24

access control (AC) family, 218

access control lists (ACLs), 230

access controls, 170, 225, 264

access controls testing, 203–204, 203f

access logs, 152, 235

accidents, 30, 146

accountabilities, 384

account management controls, 264

account management policy, 273, 280

account usage, 273

active detective controls, 218

active node, 294

activists, 31

ad hoc, 77

administrative scripts, 275

administrative security controls, 151

administrators, 282

Advanced Encryption Standard (AES), 232

advanced persistent threats (APTs), 31, 190

affinity diagram, 91, 91f

AG. See Attorney General; State Attorney General

alerts, false, 271

alternate assessment procedures, 338–339

alternate locations/sites, 145, 357–362, 366, 371

annual loss expectancy (ALE), 117, 118, 153, 154

annual or recurring costs, 289

annual rate of occurrence (ARO), 117, 153, 154

annual updates, BCP, 345

anomaly-based intrusion detection systems, 393–394

anonymizer site, 391, 392

antivirus protection, 253

antivirus software, 33, 46, 253

application developers, 88

application testing, 204–205

approved countermeasures, 270

architecture, BCP, 329–333

ARO. See annual rate of occurrence

assessment, 59, 137–138, 197

assessment, authorization, and monitoring (CA) family, 219

asset management, 168, 175, 183

asset replacement insurance, 183

asset valuation, 141–142

assumptions and planning principles, BCP, 327–329

asymmetric encryption, 232

attackers, 24, 31, 43, 128

attacks, 145–147, 192

attack surface, 41, 45, 390

Attorney General (AG), 65

audit and accountability (AU) family, 218

audit logs, 218, 219, 228, 272, 273

audits, 16, 198, 200–201

audit trails, 151, 198, 229

AUP. See acceptable use policy

AUP procedure, 221

automated asset management, 168, 177

automated methods, 164–166

automation, 32

availability, 7, 7f, 15, 128–129, 142, 162–164, 189, 243

avoidance of risk, 23

awareness, 151

awareness and training controls, 225–226

awareness and training (AT) family, 218

B

back-end database, 302f

background checks, 224

backup plan, 24, 222–223, 355, 368

backups, 170, 362

balancing risk and cost, 18

BCP. See business continuity plan

behavior-based IDS, 394

benefits, 97–98, 118, 125, 144, 289

BIA. See business impact analysis

BIA Professional, 319

BIA report, 316

Big Data, 174

billing and financial data, 171

black-hat hackers, 32

blacklist, 143

blogs, 44

bonding insurance, 223–224

boss, 353

botnets, 17, 380, 387, 387f, 388, 393

bottom-up approach, 306

boundary protection, 33

brainstorming, 15, 91

budget for risk mitigation, 289–290

buffer overflow, 40, 41, 196, 230

building replacement costs, 309

business assets, 4, 8–9, 28

business changes, 130

business continuity (BC), 325–326

business continuity plan (BCP), 181–182, 222, 301, 323–347, 350, 370

business functions, 56, 313, 314, 317–318

business impact analysis (BIA), 180–181, 222, 244, 299–319, 324, 346, 351

business intelligence (BI), 173

business liability insurance planning, 183

business operations, 179–183, 244–245, 257–261, 364

business risks, 9–14, 10f, 13f

business system priorities, 318t

C

cameras, 236

Capability Maturity Model Integration (CMMI), 76–77

cause and effect diagram, 95–97, 96f

CBA. See cost-benefit analysis

CBFs. See critical business functions

central incident response team, 382

CERT Coordination Center (CERT/CC), 378

certificate authority (CA), 233

certificates, 233

certification and accreditation records, 16

Certified Information Systems Security Professional (CISSP), 117

chain of custody, 384

change management, 139, 210, 371

Children’s Internet Protection Act (CIPA), 61, 256, 259–260, 263, 279

Children’s Online Privacy Protection Act (COPPA), 61–62

CIPA. See Children’s Internet Protection Act

circuit breakers, 152, 238–239

CIRT plan, 379–400

CISSP. See Certified Information Systems Security Professional

Class A fires, 236

Class C fires, 236

classification of data, 170–171, 170f, 332

client and stakeholder confidence, 22

closed-circuit television (CCTV), 235, 236

cloud computing, 358, 359, 359f

CM. See configuration management

CMMI. See Capability Maturity Model Integration

COBIT. See Control Objectives for Information and related Technology

cold site, 145, 358, 366, 372

Common Vulnerabilities and Exposures (CVE), 17, 45, 50–52

communication escalation procedures, 394–395

communications, 365

compliance, 56, 67, 253–262

Computer Emergency Response Team (CERT), 378

computer forensics, 384

computer incident, 378

computer incident response teams (CIRTs), 377–401

computer security incident, 378, 400

computer systems, 8

concurrent processing, 341

confidentiality, 7, 7f, 14, 188, 225, 243

configuration and change management section, 141

configuration data, 177

configuration management (CM), 37, 46, 139, 210, 218

connectivity to service customers, 364

content refreshment, BCP, 345

contingency planning, 301–302

contingency planning (CP) family, 218

Contingency Planning Guide, 182

Continual Service Improvement, 76

continuous monitoring, 38, 59

contractors, 335

control categories, 149–150, 217

control costs, 295

Control Objectives for Information and related Technology (COBIT), 70–72

controls, 20, 24, 38, 123124

control value, 153

coordinating team, 382

coordinator, BCP, 334, 336, 337, 345

COPPA. See Children’s Online Privacy Protection Act

copyright, 173

corrective controls, 218

corruption of file, 225

cost-benefit analysis (CBA), 20–21, 86, 87, 97–98, 157, 264–266, 287–289

cost estimates, 97, 98

costs, 155–156, 244, 276, 287, 288, 304, 305f

countermeasures, 20, 149–152, 269–275, 275t, 284–286, 293–295

crackers, 32

crash carts, 333

credentials protection, 226

credit card transaction, 67

credit loss, 310

criminals, 31

critical business functions (CBFs), 246, 246f–248f, 300, 305–306, 313, 317t, 324, 326, 351, 352, 354, 355, 358, 363, 364, 368, 369

criticality of operations, 332

criticality rating, 396t

critical path chart, 104, 104f, 290, 292f, 293

critical resources identification, 306–308, 314

critical roles to critical resources, 316

critical success factors (CSFs), 246, 300, 317, 317f

critical system components, 333

cross-training, 169

current activity updates, 50

customer access, 361

customer checks out, 306

customer data, 172

customer influence, 8

customer information, 307

customer service, 245–246, 369–370

customers loss, 310

CVE. See Common Vulnerabilities and Exposures

cyberattacks, 380

cybersecurity, 49

cyberspace, 49

cyberterrorism, 380

D

Damage Assessment Team (DAT), 334, 337, 338, 342

dark web, 45

data, 8

data and information assets, 144–145, 169–174

database recovery, 312

database servers, 115, 140–141, 179, 243, 246–249, 306, 315t, 329f–331f

data classification, 170–171, 170f, 332

data collection, 130, 301–302, 319

data consistency, 129–130

data leakage, 391

data loss, 192

data loss prevention program, 225

data mining, 173–174

data range and reasonableness checks, 229–230

data recovery costs, 309

data warehousing, 173–174

DDoS attacks. See distributed denial of service attacks

defaced Web sites, 192

defaults, 45

defense in depth, 253

delegation of authority, 336

Delphi Method, 125

demilitarized zone (DMZ), 40, 99, 199, 251

denial of service (DoS) attacks, 5, 15, 42, 93, 121, 209, 378, 387–388, 398

Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP), 78–79

Department of Homeland Security (DHS), 46, 63–64

desire to damage, 31

detective controls, 20, 218

developers, 11

DHS. See Department of Homeland Security

digital signature, 233, 234f

direct costs, 85, 156, 244, 309

direct revenue, 164

disaster/emergency declaration, 365

disaster preparedness plans, 309

disaster recovery (DR), 12, 325–326, 350, 354, 362

disaster recovery plan (DRP), 182–183, 222, 339, 343, 349–374

disasters, 324, 372

disgruntled employees, 31, 189, 191–192

disk subsystem, 157

distributed denial of service (DDoS) attacks, 5, 42

distributed incident response team, 382

divide-by-zero error, 41

DMZ. See demilitarized zone

documentation, 37

domain controller (DC), 314

domains of IT infrastructure, 12–14, 16–17, 175–179, 193–195, 195f, 205–206, 249–252, 249f, 261–262

doors, locked, 152

DoS attacks. See denial of service attacks

downtime, 164, 325

DRP. See disaster recovery plan

due care, 66–67

due diligence, 66

dynamic SQL, 42

E

edge testing, 202

education, 225–226

effect, 95

effect rating, 395t

eight Rs of recovery planning, 363

electrical grounding, 152, 238–239

electronic vaulting, 356

elements of BCP, 325–345

e-mail servers, 137–138, 140, 178, 315t

e-mail usage, 226

e-mail whitelist, 143

emergency funds, 362

Emergency Management Team (EMT), 334, 337, 338, 340, 342

employee data, 171

employee training, 24

encryption, 152, 232, 261

end users, 11

Enron, 60, 254

environmental threats, 29, 30

environment identification, 313

equipment, 146, 192, 277, 277f, 281, 309. See also hardware

E-Rate funding, 259

E-Rate program, 61

escalation, 394

ethical hackers, 32

ETL. See extract, transform, and load process

exercises, BCP, 343–344

exploit assessments, 148, 206–211

exploits, 7, 39–46, 206–211

exploit testing, 205

Exploit Wednesday, 45

external threats, 15, 189

external vulnerability assessments, 197

extract process, 174

extract, transform, and load (ETL) process, 174

EY Global Information Security Survey, 33–34

F

facilities, 145, 179–183, 277–279, 289–290, 308

failover clusters, 24, 162–164, 278, 278f, 279, 281, 282, 293, 294

failures, 30

false alerts, 271

Family Educational Rights and Privacy Act (FERPA), 60–61, 256, 258, 263

fault tolerance, 24, 332, 350–351

FCC. See Federal Communications Commission

FDIC. See Federal Deposit Insurance Corporation

Federal Communications Commission (FCC), 61

Federal Deposit Insurance Corporation (FDIC), 63

Federal Information Security Management Act (FISMA), 56, 57, 219, 255–256, 258, 263

Federally Funded Research and Development Centers (FFRDCs), 50

Federal Trade Commission (FTC), 64–65

FERPA. See Family Educational Rights and Privacy Act

FFRDCs. See Federally Funded Research and Development Centers

fiduciary responsibility, 66

financial checks, 224

financial data, 171

Financial Privacy Rule, 60

fire detection and suppression, 152, 236–237

fire insurance, 265

firewall appliance, 93

firewall policy, 93

firewalls, 46, 85, 92, 93, 152, 177, 198, 199, 201, 230–231, 231f, 251, 390

firewalls control network traffic, 201, 201f

fishbone diagram, 96

FISMA. See Federal Information Security Management Act

formjacking, 31

forums, 44

FTC. See Federal Trade Commission

full-blown DRP test, 370

full-scale exercises, 344

functional controls, 217218

functional description of systems, 331–332

functional exercises, 343–344

functionality testing, 202

funds, emergency, 362

fuses, 238

future costs, 22

G

GAISP. See Generally Accepted Information Security Principles

Gantt chart, 103–104, 103f, 290, 292f

gap analysis, 210, 253

gas systems, 237

GDPR. See General Data Protection Regulation

General Data Protection Regulation (GDPR), 77–78, 256–257, 260, 263

general liability insurance, 183

Generally Accepted Information Security Principles (GAISP), 70

GLBA. See Gramm-Leach-Bliley Act

goodwill, 8

Gramm-Leach-Bliley Act (GLBA), 60

greed, 30

Group Policy settings, 274

Group Policy tool, 140

guards, 152, 235

guidelines, 12

guidelines for compliance, 67–79

H

hackers, 32, 189

hardening a server, 45, 46, 177

hardware, 117, 121, 144, 166167, 177, 179, 364

headquarters server, 332

Health Insurance Portability and Accountability Act (HIPAA), 57–59, 85–87, 89–94, 172, 253, 255, 257, 263, 300

heating, ventilation, and air conditioning (HVAC) systems, 152, 237

hidden costs, 276

HIDS. See host-based intrusion detection systems

high impact, 9, 19

HIPAA. See Health Insurance Portability and Accountability Act

hire additional personnel, 169

historical data review, 146, 191

historical documentation review, 265–266

host-based intrusion detection systems (HIDS), 38, 156

hot site, 145, 358–359, 366

hubs, 177

human threats, 15, 29–30, 189

humidity detection, 152, 237–238

Hurricane checklist, 337t

HVAC systems. See heating, ventilation, and air conditioning systems

I

identification and authentication (IA) family, 218–219

IDS. See intrusion detection system

IEC. See International Electrotechnical Commission

IIS. See Internet Information Services

image servers, 364

impact, 9, 17–19, 18t, 19t, 90, 119, 130–131, 154

impact level, MAO, 308, 308t

implicit deny philosophy, 283

inactive node, 294

inappropriate usage, 379, 399–400

incident response (IR), 16, 38, 219, 223

incidents, 197, 327–328, 380, 387–388, 393–394

indirect costs, 86, 156, 244, 310

indirect revenue, 164

industrial property, 173

information assets, 144–145, 169–174

information security vulnerability names, 51–52

information systems security gap, 252–253

Information Technology Infrastructure Library (ITIL), 48, 74–76, 131

Information Technology Laboratory (ITL), 47–48, 69

information technology (IT) laws, 56–62

initial costs, 288–289

initial purchase cost, 276–277, 289

in-place controls, 149, 216

in-place countermeasures, 149, 270

input validation, 33, 151, 230

installation costs, 279, 290

insurance, 23, 32, 59, 151, 223–224, 237

intangible value, 8

integrity, 7, 7f, 14, 188, 234, 243

intellectual property (IP), 66, 172–173

intentional threats, 15, 30–32

internal system clocks, 229

internal threats, 15, 189, 190

internal users, 189, 191

internal vulnerability assessments, 197

International Electrotechnical Commission (IEC), 73–74

International Organization for Standardization (ISO), 72–73

Internet, 13

Internet access, 246

Internet Assigned Numbers Authority (IANA), 231

Internet Information Services (IIS), 41

Internet service providers (ISPs), 333

intrusion detection and prevention system (IDPS), 198–199

intrusion detection system (IDS), 38, 46, 198, 199f, 218, 271, 390

intrusion prevention system (IPS), 46, 198

inventory management, 175

IP. See intellectual property

IPS. See intrusion prevention system

IR. See incident response

Ishikawa diagram, 96

ISO. See International Organization for Standardization

IT appliances, 143

ITIL. See Information Technology Infrastructure Library

IT infrastructure changes, 345

IT infrastructure domains, 175–179, 193–195, 195f, 205–206, 249–252, 249f, 261–262

ITL. See Information Technology Laboratory

IT systems, 180, 318

J

job rotation, 67, 169

just-in-time philosophy, 329

K

key personnel, 335–336

knowledge of process, 165

L

LAN. See local area network

LAN Domain, 13, 17, 177, 207, 250, 261–262

LAN-to-WAN Domain, 13, 17, 177, 207, 250–251, 262

laptop control, 190

late delivery penalty costs, 309

laws and regulations, 56–62, 253

leaders, 10

leadership from management, 353

legal and compliance requirements, 263

liability insurance, 183

likelihood, 17–19, 18t, 19t

load process, 174

local area data, 192–193

local area network (LAN), 177, 250

locked doors, 152, 235

logon identifier, 151, 228

log reviews, 229

loss, 5, 14–15, 145

lost opportunity costs, 22

lost revenue, 8

low impact, 9, 19

M

MAC flood attack, 208–209

maintenance (MA) family, 219

malicious code, 379

malicious hackers, 32

malware, 16, 189, 379, 388–389, 398–399

management, 99, 140–141, 158, 361

management control class, 150

management support, 132, 329, 353

managers, 10

mandatory vacations, 67

man-made threats, 15

mantraps, 208

manual methods, 164–165

map business functions, 181

Marine One helicopter plans, 392

market share, 310

maximum acceptable outage (MAO), 244, 300, 308–310, 308t, 311t, 315, 315t, 325, 351

maximum age of passwords, 274

maximum tolerable period of disruption (MTPD), 308

Media Access Control (MAC), 208

media protection (MP) family, 219

medium impact, 9, 19

memory, 157

metrics for vulnerabilities, 200

Microsoft Office Project, 101

milestone plan chart, 102–103, 290, 291f

milestones, 101

minimum age of passwords, 274

mission-critical business functions and processes, 181, 317–318

mission-critical operations, 368–369

mission-critical systems, 179, 246, 324

mitigation, 23–24, 34–38, 45–46, 123, 155–157

MITRE Corporation, 17, 47, 50–52

mobile code, 388

modeling, 146147

modems, 178

Morris worm, 380

multipartite virus, 399

multiple component incidents, 379, 393–394

N

names of computers, 148

National Cybersecurity and Communications Integration Center (NCCIC), 49

National Institute of Standards and Technology Risk Management Framework (RMF), 104–105

National Institute of Standards and Technology (NIST), 47–49, 69–70, 150, 166, 182, 217–220, 243, 256, 301, 304

natural events, 146

natural threats, 15, 189

NCCIC. See National Cybersecurity and Communications Integration Center

Nessus tool suite, 148

network components, 8

network firewall, 85

network infrastructure section, 140

networking service servers, 179

network interface card (NIC), 157

network load balancing, 280

Nimda virus, 41

NIST. See National Institute of Standards and Technology

NIST SP 800-53, 217

Nmap network mapping tool, 148

nodes, 162, 163

noncompliance costs, 86, 309

nonrepudiation techniques, 219, 234, 272, 273

normalization, 364

notification/activation phase of BCP, 181, 336–339

O

objectives, 84–87, 180–181

objectives of BIA, 304–312, 304f

offensive content, 259

Office of Government Commerce (OGC), 74

Office of Management and Budget (OMB), 226

off-site data storage, 355–357

OGC. See Office of Government Commerce

OLTP databases. See online transactional processing databases

online transactional processing (OLTP) databases, 173, 312

online website purchase, 305–306

OpenPGP, 234

open ports, 148

operating system (OS), 144, 148, 166

operational characteristics, 137138

operational control class, 150

operational impact, 156, 283

operations recovery, 369–370

order of succession, 336

order processing application, 306

organizational policies, 66–67

organization data, 171–172

organization functions knowledge, 354–355

organization historical data, 191–192

organizations risk, 372

OS. See operating system

outage, 86

outage reports, 197

out-of-pocket costs, 22

output analysis, 201

outsourcing, 23

overlapping countermeasures, 271–272

P

pan, tilt, and zoom (PTZ) cameras, 236

passive detective controls, 218

password policy, 273

passwords, 148, 196, 201, 273–274

patches, 45, 252

patch management, 37–38

Patch Tuesday, 38

Payment Card Industry Data Security Standard (PCI DSS), 67–69, 247, 255, 256, 260–261, 263

PBX equipment, 178

PCI DSS. See Payment Card Industry Data Security Standard

penetration testing, 204. See also exploit assessments

permissions, 33, 203, 204, 211

perpetrators, 42–45

personally identifiable information (PII), 59, 166

personally identifiable information processing and transparency (PT) family, 220

personnel, 144, 151

personnel assets, 169

personnel interviews, 200–201

personnel location control form, 339, 339t

personnel policies, 264

personnel security (PS) family, 219

phishing attempts, 190

private branch exchange (PBX), 178

phone tree, 372

physical access, 264

physical and environment protection (PE) family, 219

physical controls, 38, 152, 235–239

physical environment, 24

piggybacking, 208

PII. See personally identifiable information

pirated files, 17

plan deactivation, 341–342

plan maintenance, BCP, 344–345

planned controls, 149, 216–220

planned countermeasures, 149, 270

planning (PL) family, 219

plan of action and milestones (POAM), 86, 87, 94, 100–102, 158, 280, 293

POAM. See plan of action and milestones

policies, 12, 37, 150, 220–222

positive brand image, 310

power grids, 278, 278f

preliminary system information, 316

Pretty Good Privacy (PGP), 234

preventive controls, 20, 217

principle of least privilege, 32, 33, 192

principle of need to know, 32, 33, 192

principle of proportionality, 20

prior events, 16

priorities in BCP, 328

priority of an incident, 395–397

privacy, 226

privacy standards (HIPAA), 58

private CA, 233

private data, 144–145, 171

private key, 233, 234

probability of risk, 119, 154

procedural controls, 150, 220–227

procedures, 37, 93, 150, 220–222

process analysis, 201

processor, 156

productivity, 164

product liability insurance, 183

product shipment phase, 303f

professional liability insurance, 183, 224

profitability, 21–22

program management (PM) family, 219

program manager (PM), BCP, 334

programmers, 43

project management software, 101, 290, 293

project scope, 244

proprietary data, 145, 171

protection barriers, 236

proximity card, 235

proxy servers, 62, 178, 259, 259f

public data, 171

public goodwill, 310

public key, 233, 234

public key infrastructure (PKI), 233–234

publicly traded company, 63

public relations (PR), 261, 383, 394

public server discovery, 43

purchase costs, 289

purpose of BCP, 326

Q

qualitative analysis survey results, 121, 122t

qualitative methodology, 154

qualitative risk assessment, 119–120

quantitative risk assessment, 116–118, 126–127

R

RA. See risk assessment

RAID. See redundant array of independent disks; redundant array of inexpensive disks

ransomware, 31

reasonableness, 18–19, 19t

reasonableness checks, 230

recommendations to mitigate risks, 86, 94–99

recommended countermeasures, 284, 288

reconstitution phase, BCP, 182, 340–342

recovering databases, 312

recovery activities, 364

recovery goal, 340

recovery models, 312

recovery objectives, 311t

recovery of lost opportunities, 310

recovery phase of BCP, 182

recovery planning, 339, 363, 367

recovery point objective (RPO), 310

recovery priorities identification, 315, 316t

recovery procedures, 367–369

recovery requirements identification, 304, 310–312

recovery steps and procedures in a DRP, 367–369

recovery time objective (RTO), 310, 351, 355

recovery value, 141–142

recovery without BIA, 307

redundancy, 145, 361

redundant array of inexpensive disks (RAID), 123, 332, 350–351

regulations, 62–66

relationship of costs, 305f

remediation plan, 210

Remote Access Domain, 14, 17, 178, 208, 251–252, 262

remote journaling, 357

removable media, 221

repair costs, 8

replacement value, 141

report, BIA, 316

reporting, 90, 94–100, 133, 158

reputation, 9

reputation of an organization, 394

residual risk, 24–25, 35, 132

resource allocation, 131

responsibilities, 85, 89–92, 333–336, 383–384

restoration horror stories, 356

restricted activities, 226

return on investment (ROI), 265

reverse engineering, 45

review process for BCP, 345

rights, 33

risk acceptance, 131132

risk analysis, 59

risk assessment (RA), 20, 46, 90, 111–133, 136–140, 157–158, 219, 253, 262, 269, 272–273, 301

risk elements, 286–287

risk-handling strategies, 23–25

risk identification, 14–19, 90

risk level calculation, 119

risk management, 19–22, 46–52, 90, 243–253

risk mitigation, 90, 242–243, 262–264, 346, 400

risk mitigation plan, 269, 276–283, 289–295

risk mitigation security controls, 239

risk prioritization, 120–123, 283–286

risk response identification, 20

risks, 4, 5

risks posed by lack of process, 11–12

risks posed by people, 10–11

risks posed by technology, 12–14, 13f

risk statements, 98–99

rogueware, 31

routers, 230231, 231f, 250

rules of behavior, 151, 226–227

S

saboteurs, 31

safeguards, 60, 112, 262

safeguard value, 117, 118, 153

SAINT. See System Administrator’s Integrated Network Tool

sales and cash flow loss, 309

Sarbanes-Oxley Act (SOX), 60, 172, 255, 258, 263

scaling out/up, 281

scope, 87–89, 114–115, 180, 243, 244

scope creep, 87, 88, 202, 244, 364

scope of BCP, 326–327

scope of BIA, 302–304

scope statement, 132, 327

script checking account usage, 273

script kiddies, 42, 207

SEC. See Securities and Exchange Commission

Securities and Exchange Commission (SEC), 63

security, 10, 10f, 44, 58, 151, 204, 222–223, 262, 264, 293–294

Security and Privacy Controls for Federal Information Systems and Organizations, 217

security identifier (SID), 228

security policy, 32, 264

senior management support, 132

sensitivity of data, 332

separation of duties, 37, 67

server fingerprinting, 43

server rooms, 237, 238f

servers, 40, 250, 251, 277, 281, 281f, 282, 330f, 332

Service Design, 74

service level agreement (SLA), 245

Service Operation, 76

service pack (SP), 168

services, 7476

session timeout, 151, 228

share value loss, 309

simulation, 370

single loss expectancy (SLE), 117, 153

single point of failure (SPOF), 115, 163, 169

site restoration, 341

SLE. See single loss expectancy

sniffer, 232

sniffing attacks, 208

social engineering, 56, 196, 208

social engineering attacks, 208

software, 85, 144, 192, 364

software applications, 8

software assets, 167–169

software testing, 227

SOX. See Sarbanes-Oxley Act

spear phishing, 190

SPOF. See single point of failure

SQL. See Structured Query Language

SQL injection attack, 17, 42, 205, 287

SSCP. See Systems Security Certified Practitioner

stakeholders, 87, 300, 313–314

standards, 12

standards for compliance, 67–79

State Attorney General (AG), 65

stored procedures, 287

strategy of BCP, 328

Structured Query Language (SQL), 42

supplies, 145, 179–183

supply chain risk management (SR) family, 220

surveys, 121, 123–125

survivability, 21–22

switches, 177, 208, 250

symmetric encryption, 232

SYN flood attack, 42

system, 147

system access, 142, 162–164

system administrators, 10–11

System Administrator’s Integrated Network Tool (SAINT), 148

system and communications protection (SC) family, 219

system and information integrity (SI) family, 219–220

system and services acquisition (SA) family, 220

System/Application Domain, 14, 17, 178–179, 208, 252, 262

system availability, 142

System Center Configuration Manager (SCCM), 202

system configuration data, 171

system description, BCP, 329–333

system functions, 142–144, 164–166

system logs, 16, 151, 198, 229

system points of contact (POCs), 316

system process data, 172

system resources, 316

Systems Security Certified Practitioner (SSCP), 79, 117

system testing, 202–205

T

tabletop exercises, 343

tailgating, 208

tangible value, 8

TCP SYN flood attack, 209–210, 209f

teams, BCP, 334–335

technical controls, 38, 150–152, 227–234

technical environment, 24

Technical Recovery Team (TRT), 335, 339, 340, 342

technology protection measure (TPM), 259, 259f

telecommunications, 333

telecommuters, 335–336

temperature detection, 152, 237–238

testing, BCP, 342–343, 345

testing exercise, 343–344

test restores, 223, 285, 286, 356

theft of assets, 176

threat assessment, 188–195

threat modeling, 146–147

threats, 4–7, 7f, 14–15, 28–34, 84, 85, 90, 145–147, 272–273, 284, 285t

threat/vulnerability pairs, 34–35, 34f, 35t, 39, 155, 272, 275, 275t

three-barrier protection, 236

time clock services via cloud computing, 359

time to implement, 280–283

toolkits, 384

top-down approach, 306, 319

Top Secret data, 170

total cost of security, 22

total risk, 25

total tangible value, 8

training, 33, 37, 151, 342

training costs, 279–280, 290

transactions, 173, 204

transaction testing, 204–205

transferring risk, 23

transform process, 174

Transmission Control Protocol (TCP), 209

Trojan horses, 388, 389

trouble reports, 16

U

unapproved recommendations, 140

unauthorized access, 121, 379, 389–391, 399

uncertainty level, 129

unintentional access, 190

unintentional threats, 29–30

uninterruptible power supply (UPS), 19, 279

United States Computer Emergency Readiness Team (US-CERT), 47, 49–50, 128

universal serial bus (USB) drive, 360

update information, 177–179

UPS. See uninterruptible power supply

usability, 10, 10f, 204

U.S. Attorney General (U.S. AG), 65–66

US-CERT. See United States Computer Emergency Readiness Team

use access controls, 32

user access, 361

user and computer management section, 140

User Domain, 12, 16, 176, 207, 249250, 261

U.S. Federal Sentencing Guidelines for Organizational Ethics, 254

V

vandals, 31

VAs. See vulnerability assessments

vendor data, 172

vendors, 335

version control, 37

video cameras, 152

virtualization, 358, 359

virtual private networks (VPNs), 14, 178, 245, 251, 333

viruses, 190, 388

VPNs. See virtual private networks

vulnerabilities, 4, 5, 7–8, 16–17, 34–39, 43, 84, 85, 91, 147–148, 221, 272–273

vulnerability assessments (VAs), 39, 46, 147–148, 195–206

vulnerability scans, 199–200

W

WAN. See wide area network

WAN Domain, 13–14, 17, 178, 207, 251, 262

WAN link, 329, 329f

war dialing, 252

warehouse, 248

warm site, 145, 360–361, 366

water detection, 152, 237

weak passwords, 148

Web defacing, 121

Web farm, 280, 282f, 293, 368, 369f

web of trust, 234

Web servers, 115, 140, 179, 246, 247, 315t, 368

Website, 85, 88–90, 93

Web site purchase, online, 305–306

Web sites, 192

well-known ports, 231, 251, 391

WEP. See Wired Equivalent Privacy

white-hat hackers, 32

whitelist, 143

whois tool, 148

wide area network (WAN), 13, 251, 329

Wi-Fi Protected Access (WPA), 194

WIPO. See World Intellectual Property Organization

Wired Equivalent Privacy (WEP), 194

workers, 248

Workstation Domain, 12, 17, 176–177, 207, 250, 261

WorldCom, 254

World Intellectual Property Organization (WIPO), 173

worms, 388

written records, 165

Z

zombies, 16, 380, 387