Note: Page numbers followed by f or t indicate material in figures or tables, respectively.
ABAC. See attribute based access control
acceptable use policies (AUPs), 46, 81, 122, 244, 364–365, 387
acceptance of security policies, 25, 360
access control, 69, 83f, 147, 150t
access control list (ACL), 267
access management, 209
access to data, 298
accountability, 118, 129–131, 133–134, 150t, 358, 369, 396
accountability principle, 172–173
accounts, 408
accreditation, 58
achievers, 110
ACL. See access control list
Acme Security, 426
acquisition guidelines, 260
active content, 260
Active Directory (AD), 407
administrative controls, 34, 175
administrative safeguards, 59
administrator training, 417
adversary principle, 174
agentless central management tool, 352
agent software, 352
AIM. See American Imaging Management
Align, Plan, and Organize domain, 7–8
American Imaging Management (AIM), 194
American Institute of Certified Public Accountants (AICPA), 69–70
American Society for Quality (ASQ), 309
analyticals, 110
anomaly-based intrusion detection systems, 408
applicability, statement of, 153
application code errors, 230
application software, 91
approvals of documents, 184–185
architecture operating model, 171–172, 171f
architecture review committee, 382–383
Asia-Pacific Economic Framework (APEC), 72
asset management, 147
attachments, 246
attackers (employee type), 109
attack vector, 307
attribute based access control (ABAC), 83
audit committee, 207
audits, 9–10, 150t, 262, 414, 427
audit storage and records standard, 265
AUPs. See acceptable use policies
authenticated configuration scanner, 413
authenticated vulnerability and patch scanner, 413
authentication, 11–13, 150t, 159, 270, 286, 425
authentication of a workstation, 84
automated controls, 35, 227, 391–393, 399
automated policy distribution, 416–419
automated security controls, 391–393
automated systems verifying compliance, 411–413
automated testing tools, 214–215, 306
automatic declassification, 290
automating, 214
availability, 11, 13–14, 159, 160
avoiders, 109
background checks, 393
back-out plan, 308
backup tapes, 297
bandwidth, 95
baseline OS configuration(s) standard, 264
baseline standards, 154, 254, 257, 263, 267
baseline standards and procedures, 178, 179f
BAU. See business as usual
best fit access privileges, 247
best fit privilege principle, 246
best practices, 68, 162–163, 193, 203, 216–217, 246–247, 275–276, 297, 306, 337, 372–373, 398–399, 427
bolt-on, 371
botnet, 94
BPR. See business process reengineering
breach, 30
Bring Your Own Device (BYOD), 20, 97, 260
brown bag lunches, 368
budget for security, 357
Build, Acquire, and Implement domain, 8–9
building consensus on intent, 184
business associates, 59
business as usual (BAU), 17, 139
business continuity plan (BCP) policy, 335–336
business continuity representative, 322
business, defending, 22
business drivers, 30–31, 191–192
business impact analysis (BIA) policies, 325–326
business liability insurance policies, 47
business operating models, 171f
business process reengineering (BPR), 24, 24f
business requirements, 66
business risks, 29, 215–216, 299–302, 350
business unit (BU), 212
business values, 110
BYOD. See Bring Your Own Device
CA. See confidentiality agreement
California IT infrastructure, 194
candor, 121
cardholder data, 69
carelessness, 228
Center for Internet Security (CIS), 257
centers of excellence, 118
centralized administration tools, 352
CEO. See chief executive officer
certificate authorities (CAs), 426
certificates, 235
certification, 58
change control work order database, 420
change management, 8, 269, 272, 419–421, 427, 428
chief executive officer (CEO), 143
chief finance officer (CFO), 113
chief information officer (CIO), 60, 207, 246
chief information security officer (CISO), 60, 113, 143, 158t, 207–209, 297, 351, 372, 379, 397, 398
chief privacy officer (CPO), 42
Children’s Internet Protection Act (CIPA), 63
Choose your own device (CYOD), 260
C-I-A triad, 159
CIM Query Language (CQL), 425
CIO. See chief information officer
CISO. See chief information security officer
classification schemes, 287
classroom training, 363
clean desk policy, 81
clean-up phase, 331
client-to-site VPN connection, 90
cloud computing, 89
cloud security policies, 276–278
COBIT. See Control Objectives for Information and related Technology
collaboration across business areas, 421
command and control culture, 170
commanders, 109
Committee of Sponsoring Organizations (COSO), 61, 66, 67, 201, 202t
Common Configuration Enumeration (CCE), 423
Common Information Model (CIM) over XML, 425
Common Platform Enumeration (CPE), 423
Common Vulnerabilities and Exposures (CVE), 423
Common Vulnerability Score Systems (CVSS), 424
communications plan, 366, 366t
communications protection, system and, 151t
communications security, 147
communications tools, 185
company-owned and personally enabled (COPE), 260
compliance, 29, 31–36, 144–145, 148, 154, 159, 185, 204–206, 216–217, 300, 350
compliance laws, 55–57, 63–64, 389–390
compliance officer, 130
compliance risks, 215
compliance technologies and solutions, 422–427
component priority, 326
component reliance, 326
comprehensive policy framework, 157
computer-based training (CBT), 362
computer use by employees, 389
confidential data, 289
confidential information, 289
confidentiality, 11, 12f, 159–160, 425
confidentiality agreement (CA), 46
configuration management (CM), 150t, 339, 419–420
configuration management database (CMDB), 420
consequence model, 145
consumer rights, 56
content filtering standard, 267
content management tool, 186
contingency planning, 150t
contingent accounts, 243
contingent IDs, 232
continual service improvement, ITIL volume, 71
continuity principle, 174
continuous improvement, 24–25, 124, 301, 302f, 327, 328f
continuous monitoring, 58
contractors, 231, 238–239, 361
control environment, 349
controlling change to IT infrastructure, 22
Control Objectives for Information and related Technology (COBIT), 5, 61, 66, 145, 176, 201, 202t, 370
control partners (CPs), 212, 232, 242–243
control policy branch of policy, 155f
control standards, 153, 178f, 254, 256–257, 266–267, 270–274, 273t, 274
controls types for policies and standards, 175–176
coordinated operating model, 172
corporate mobility policy, 81–82
corrective controls, 35f, 36, 176
COSO. See Committee of Sponsoring Organizations
CPO. See chief privacy officer
CPs. See control partners
critical infrastructure, 55, 163, 218, 222, 280–281, 341
criticality, data classification, 289
cryptography, 147
culture, 38
culture change, 356
customer dissatisfaction, 22
customer satisfaction, 29
customized classification scheme, 291–293
cyberterrorism, 53
cyberwarfare, 53
damage containment and minimization, 330–331
data administrators, 207
database encryption attack scenarios, 295, 296f
data classification, 39, 284–294, 299, 300f, 309–311
data handling policies, 294–298
data labeling and classification, 39
data leakage protection (DLP), 98, 379, 388
data loss protection (DLP), 98
data managers, 130
data minimization, 175
data quality roles, 207
data retention policies, 286–287, 286t, 395
data security administrators, 207
data stewards, 207
data users, 130
declassification, 290
defending the business, 22
defense-in-depth principle, 173
Deliver, Service, and Support domain, 9
demilitarized zone (DMZ), 87, 240, 241f, 266
denial of service (DoS) attack, 13, 261, 318
departmental compliance, 414
Department of Health and Mental Hygiene (DHMH), 279
destruction of data, 298
destruction of information resources, 162
detective controls, 35–36, 35f, 176
developer-related standards, 273t
development environment, 273t
device management, DLP, 99–100
DHMH. See Department of Health and Mental Hygiene
directive and enforcement, 369, 370
directory information, 62
disaster recovery plan (DRP) policies, 337–340
disciplinary action, 107
discipline, 107
discovery management, 85
disposal of data, 298
disruption of system or services, 162
distributed environment, 356
distributed infrastructure, 351–352
Distributed Management Task Force (DMTF), 425
diversified operating model, 171
division of labor, 114
DLP. See data leakage protection
DLP inventory, 99
DLP perimeter, 99
DMZ. See demilitarized zone
DNS. See Domain Name System
documentation for IT security controls, 214
document organization, 176–183
Domain Name System (DNS), 268
domain of responsibility and accountability, 211–213
domains, 79
domains of IT infrastructure, 21f, 77–100, 80f, 207, 253–254
dormant account, 155
DoS attack. See denial of service attack
doubt, 120
drifters, 109
due care, 319
early adopter, 369
e-commerce, 221
ECs. See executive committees
education, 63
eEye Digital Security Retina, 412
electronic PHI (EPHI), 59
e-mail, 81, 286, 287, 368, 388–389
emergency services, 322
employees, 25, 31, 37–38, 45, 108–110, 227, 231, 234–235, 359–365, 385–387
Encrypting File System (EFS), 358
encryption, 43, 69, 84, 246, 248, 256–257, 294–297
end users, 79
Enron, 61
enterprise data management (EDM), 268
enterprise risk management (ERM), 217
entitlement, 12
entrepreneurial business, 133
environmental hazard, 299
Equifax, 400
ERM. See enterprise risk management
ethics principle, 173
European Telecommunications Standards Institute (ETSI), 72
evangelists, 189
evidence, 66
exceptions, 192
exceptions to standards, 156
exclusions, security policies, 62
executive, 130
executive committees (ECs), 208, 398
executive governance, 208f
executive management, 120–122, 355, 379–380, 396–398
executive management sponsorship, 355
exit interview, 124
expectations, 119
eXtensible Configuration Checklist Description Format (XCCDF), 423
external audit, 10
external auditors, 130
external connection committee, 382, 383
external information system services connect standard, 266
false negatives, 418
Family Educational Rights and Privacy Act (FERPA), 62–63
Family Policy Compliance Office, 62
FCC. See Federal Communications Commission
Federal Communications Commission (FCC), 63
Federal ESIGN Act, The, 14
Federal Financial Institutions Examination Council (FFIEC), 60
Federal Information Processing Standards (FIPS), 18, 203t
Federal Information Security Management Act (FISMA), 57–58, 203t, 406, 423
financial auditors, 242
FIPS. See Federal Information Processing Standards
firecall-ID process, 237, 237f
firewall, 86
firewall baseline security standard, 265
first line of defense, in layered security approach, 212
FISMA. See Federal Information Security Management Act
five pillars of IA model, 11
flat network, 86
flat organizational structure, 115, 116
forensic evidence, 332
“For official use only” (FOUO), 289
FOUO. See “For official use only”
framework document, 140
framework domain model, 201, 201f
gateway committees, 381
General Data Protection Regulation (GDPR), 71–72
globalization, 53
governance, 15–17, 60, 206, 216, 370–372
governance and compliance framework, 213–216
governance, risk management, and compliance (GRC), 186, 216–217
governance vs. management organizational structure, 380–381, 381f
government laptop compromised, 248
grace period for compliance, 184
Gramm-Leach-Bliley Act (GLBA), 59–60, 310
granularity, 160
grass-roots employees, 385–386
GRC. See governance, risk management, and compliance
Group Policy, 411, 416f, 417, 421
guests and general public, 232, 239–241
guidelines, 17, 19, 156, 178, 179f, 255, 259–260, 267, 269, 275
guidelines on active content and mobile code, 260
guideline template, 183
hard copy dissemination of policies, 367
harden, 240
head of information management role, 207
health care, 95
healthcare clearinghouses, 59
healthcare providers, 59
Health Insurance Portability and Accountability Act (HIPAA), 58–59, 280, 301, 429–430
health plans, 59
heartbeat routine, 229
“Heartbleed” (security bug), 229
help desk, 325
help desk management, 85
hierarchical organizations, 117–119, 381–385
higher costs, 22
high-impact risk, 292
highly sensitive classification, 290–291
HIPAA. See Health Insurance Portability and Accountability Act
holding individuals accountable, 26
honeypot, 396
hop, 96
HR. See human resources
hubs, 86
human resources (HR), 38, 122–125, 145, 185, 364, 397, 398
human resources (HR) representative, 321
IA. See information assurance
identification, 150t
IDSs. See intrusion detection systems
IEC. See International Electrotechnical Commission
implementation, 103, 105, 372–373
inappropriate usage, 318
inbound traffic, 261
incident response, 150t, 317, 324
incident response team (IRT), 210, 316–317, 319
incidents, 22, 316–319, 321, 322, 323f, 333–334
independent auditor, 213
individual participation, 175
individuals, 64
industry-standard policy frameworks, 145–146
information assurance (IA), 10–15, 159–160
information classification standard, 272
information dissemination, 365–368
information protection, 285–286
information recovery, 287, 288t
information resources, 162
information retention, 286–287, 286t
information security, 57, 61, 145, 148, 324
information security aspects of business continuity management, 148
information security business challenges, 92–100
information security chain, weakest link in, 226–231
information security gap, 410
information security incident management, 148
information security officer (ISO), 127
information security organizational structure, 208f
Information Security Oversight Office (ISOO), 290
information security policies, 33–36, 56, 57t, 69, 145, 146
information security program charter, 143
information security representatives, 321
information security risk assessment, 60
Information Systems Audit and Control Association (ISACA), 5, 61, 202t, 276
information systems security (ISS), 3–10, 7f, 161–162, 397, 398, 407–411
information systems security life cycle, 5
information systems security policies, 3–26
Information Technology and Infrastructure Library (ITIL), 67, 70–71, 202t, 419, 419f
information technology security policy enforcement, 394–396
information technology subject matter experts (SMEs), 321
Information Technology Support Division (ITSD), 279
infrastructure security policies, 251
insider threat, 21
insufficient support from leadership, 120
integrated audit, 242
integration principle, 173
intellectual property (IP), 38–39
Intelligent Platform Management Interface (IPMI), 352
interactive, 243
internal audit, 10
internal auditors, 130
internal classification, 291
Internal Control-Integrated Framework, 422–423
internal control principle, 173–174
internal documents versus external documents, 18, 18f
International Electrotechnical Commission (IEC), 146
International Organization for Standardization (ISO), 67, 146, 202t
Internet backbone, 96
Internet Control Message Protocol (ICMP), 261–262
Internet filters, 63
Internet Protocol (IP), 262
Internet proxy, 266
intranet, 367
intrusion detection systems (IDSs), 264, 408
intrusion prevention system (IPS), 264, 408
inventory, 40, 41, 58, 66, 99, 352
inventory management system, 85
IP. See intellectual property
IRT. See incident response team
IRT coordinator, 325
IRT manager, 325
ISACA. See Information Systems Audit and Control Association
ISO. See information security officer; International Organization for Standardization
ISO/IEC 38500, 10
ISO/IEC 27002 standard, 146–148, 164, 178
ISOO. See Information Security Oversight Office
ISS. See information systems security
issue-specific standards, 153
IT auditors, 242
IT function management and operations personnel, 246
ITIL. See Information Technology and Infrastructure Library
IT infrastructure, 22
IT infrastructure domains, 21f, 77–100, 80f, 253–254, 254f
IT infrastructure security policies, 251–256, 275–281
IT infrastructure standardization, 354
IT responsibility approach, physical domains of, 206
ITSD. See Information Technology Support Division
IT security policies, 162–163, 169–195, 200–206, 215–222, 349f, 372–374
IT security program managers, 246
IT service management (ITSM), 71
job descriptions, 131
KLOC (1,000 lines of code), 230
label, 39
lack of regulatory compliance, 23
LAN domain policies, 261–265, 263t
LAN-to-WAN Domain, 80, 87–88, 88f, 95–96, 266–267
layered defense, 246
layered security approach, 211, 253
layers of security, 253
leaders, 128
leading practice, 68
learning sessions, 368
least access privileges, 247
least privilege principle, 174, 246
legal classification schemes, 288
legal costs, 47
legal department, 185
lessons learned process, 191, 334
liability of organization, minimizing, 44–47
limited adverse effect, 292
line management, 385
line of business (LOB), 209
LOB. See line of business
logical control, 34
log management, 85
log mode, 41
log server, 236
low risks, 292
maintenance, 150t
malicious code, 318
Malicious Code Protection standard, 257
management, 120–122, 206, 322, 324–325
mandatory declassification, 290
manufacturing, wireless technology, 95
maximum tolerable downtime (MTD), 326, 336
MBTI. See Myers-Briggs Type Indicator
mean time to recovery (MTTR), 326
mean time to repair, 326
measurement, 29
media protection, 150t
Metcalfe’s law, 225
metrics, 37
metrics team, 209
military classification schemes, 289–290
misconfiguration remediation, 413
mission-critical data, 291
mitigating risk exposure, 36–44
mitigation strategies, 304–305
MITRE Corporation, 423
mobile device domain policies, 260–261
mobile devices, 97
modification of information, 162
Monitor, Evaluate, and Assess domain, 9–10
monitoring, 93, 218–219, 265, 370–372
multidisciplinary principle, 173
multifactor authentication, 90
Myers-Briggs Type Indicator (MBTI), 110
NASA Raspberry Pi, 248
National Institute of Standards and Technology (NIST), 20, 58, 146, 149, 150t–151t, 203t, 220–221, 261, 401, 406, 413
national security, 64
nation-states, 53
NDA. See nondisclosure agreement
need to know, 11
Nessus, 412
network infrastructure, 157, 158
network monitoring, 221
network segmentation, 69, 87, 264
network traffic monitoring, 264
new employee orientation, 364
newsletters, 365
NIST. See National Institute of Standards and Technology
Nmap network scanner, 412
nondisclosure agreement (NDA), 46
nonpublic personal information (NPI), 174
nonrepudiation, 11, 14–15, 159, 426
nontechnical hindrances, 356
NPI. See nonpublic personal information
OCC. See Office of the Comptroller of the Currency
Office of Management and Budget (OMB), 57
Office of the Comptroller of the Currency (OCC), 215
OMB. See Office of Management and Budget
OpenSSL, 229
OpenVAS, 412
Open Vulnerability and Assessment Language (OVAL), 423
operational consistency, 47–49
operational control, 208f
operational deviation, 49
operational risk committee, 209, 382, 384–385
operational risks, 215, 299–300
operations security, 147
opinion letters, 70
organizational acceptance, 417–418
organizational baggage, 121
organizational challenges, 356–358
organizational culture, 170, 210–211
organizational incentives, 121
organizational roles, 206
organizational structure, 112–119, 207–210, 208f
organizational support at all levels, 25
organization’s position, statement of, 153
outdated technology, 352–354, 353f
ownership, 126
PAA. See privileged-level access agreement
password security, 189
patch compliance, 414
patch management, 85, 247, 307–309, 411
patch remediation, 413
Payment Card Industry Data Security Standard (PCI DSS), 43, 68–69, 87, 203t, 218–219, 381, 400, 416
PCI DSS. See Payment Card Industry Data Security Standard
PC Magazine, 40
penetration test, 418
penetration testing, 220
people as weakest link in security, 226–231
performers, 109
perimeter, DLP, 99
permission, security policies, 62
personal accountability, 369
personal data, 391
personally identifiable information (PII), 42, 174
personnel security, 151t
physical and environmental protection, 151t
physical and environmental security, 147
physical control, 34
physical domains of IT responsibility approach, 206
physical hazard, 299
physical safeguards, 59
physical security controls, 175
physical security policy, 81
physical transport of data, 298
PII. See personally identifiable information
PKI. See public key infrastructure
Plan-Do-Act-Check cycle, 194
planning, 151t
pleasers, 109
PMLC. See project management life cycle
point-of-sale (POS) system, 165, 218
points of contact, 154
policies, 3, 17–19, 22–23, 30–31, 122–125, 141f, 153, 158t, 170–176, 177f, 184–195, 407
policies and standards design considerations, 170–176
policies and standards implementation, 184–192
policies and standards maintenance, 193
policy acceptance and enforcement, 25–26
policy and compliance team, 209
policy and standards library, 173, 177f, 186–187, 192–193
policy awareness and understanding, 25
policy-centered security principle, 174
policy change control board, 190–191
policy compliance, 393, 411–415, 421
policy definitions document, 19
policy frameworks, 17, 139, 142, 145–146, 158, 159
policy implementation issues, 368–370
policy library framework, 141f
policy management software, 393
policy principles document, 18
poor decisions, 360
post-implementation assessment, 309
posting organizational security policies on the Intranet, 367–368
press inquiries, 334
pretexting, 227
preventive security controls, 176
pride, 106
principles for policy and standards development, 172–174
privacy policy, 81
private key, 426
private sector incident response policies, 340–341
private sector IT security policy framework, 218–219
private sector policy framework development, 163–164
private sector security policies, 194, 400, 427–429, 428f
private sector user domain policies, 247–249
private WANs, 97
privilege creep, 234
privileged-level access agreement (PAA), 244–245
procedure document, 254, 259–260
procedures, 3, 17–19, 154–155, 259, 267, 269, 272, 275
production data for testing control standard, 272
production environment, 273t
productivity, 386
program and functional managers, 246
program framework policy, 143–156
program-level policy, 145
program management, 151t
programmers, 229
prohibited information, 289
project committee, 382
project life cycle (PLC), 382
project management life cycle (PMLC), 272
promiscuous mode, 264
proportionality principle, 173
protocols, 407
publication of documents, 185–187
public classification, 291
public interest, 64
public key infrastructure (PKI), 272, 426
public record, 42
public relations (PR) representative, 322
public sector incident response policies, 341
public sector IT infrastructure security policies, 279–280
public sector IT security policy framework, 218–221
public sector policy framework development, 164
public sector security policies, 194–195, 373–374, 400–401
publishing policy and standards library, 185–187
purpose specification, 175
QA. See quality assurance
QC. See quality control
Qualified Security Assessor (QSA), 69
qualitative analysis, 303
quality assurance (QA), 15–16, 309
quality control (QC), 15–16, 309
quantitative methods, 303
RADIUS. See Remote Authentication Dial In User Service
Raspberry Pi attack, 248
RBAC. See role based access control
RCSA. See risk and control self-assessment
reassessment principle, 173
recovery classification scheme, 287, 288t
recovery controls, 176
recovery of operations, 331
recovery point objectives (RPOs), 337
recovery time objective (RTO), 336
redundancy, 119
regulations, 31, 53, 54, 390, 391
regulator audit, 10
regulatory compliance, lack of, 23
relevance, 37
remote access domain, 80, 89–91, 97–98, 270–271
remote authentication, 89
Remote Authentication Dial In User Service (RADIUS), 270
remote maintenance standard, 264
remote network connectivity, 90
repeatable behavior, 48
repetition, security awareness program, 37
replicated operating model, 172
reputational risks, 216
residual risk, 49
resiliency, 38
response controls, 176
responsibilities, 126–129, 144, 153–154
retail, wireless technology, 95
retention classification scheme, 286, 286t
retention policy, 287
reviews for documents, 184–185
rewarding and recognizing behavior, 26
Riptech consulting firm, 340–341
risk acceptance, 304
risk and control self-assessment (RCSA), 302–303, 350
risk assessments, 58, 59, 151t, 303
risk avoidance, 304
risk committee, 209
risk culture, 38
risk evaluation domain, 205f, 206
risk governance domain, 205, 205f
risk management, 161, 204–206, 209, 216, 300–302, 302f, 304–305, 389–390
risk management policies, 310–311
risk response domain, 205f, 206
risk transference, 304
roadshow, 186
role based access control (RBAC), 82
router, 86
router baseline security standard, 265
routine user-related transactions, 263
safe zone, 110
sampling guidelines, 214
SAP. See security awareness policy
Sarbanes-Oxley (SOX) Act, 61–62, 157, 310
SCCM. See System Center Configuration Manager
scope, 144
SDLC. See Systems Development Life Cycle
SEC. See Securities and Exchange Commission
second line of defense, in layered security approach, 212–213
Secret data, 289
secure network, 69
Securities and Exchange Commission (SEC), 61, 157
security administration, 209
Security Administrators Integrated Network Tool (SAINT), 412
security assessment and authorization, 150t
security awareness policy (SAP), 134, 245–246, 360–362, 362t
security awareness program, 37, 124, 187, 372, 374
security awareness training, 245–246, 362–364
security baseline, 407–409, 411–415
security classification, 285–286
security compliance committee, 382, 384
Security Configuration Benchmark, 257
Security Content Automation Protocol (SCAP), 413, 423–424
security control mapping, 66
security controls, 32–36, 35f, 58, 65–66, 175–176, 214–215, 293, 294t, 391–394
security event, 200
security gap, 410
security management system, 85
security monitoring, 60
security newsletter, 188
security operations team, 210
security policies, 29, 30, 33t, 66–68, 92–100, 103, 105, 114, 122–123, 133–134, 143, 148, 229, 231, 234, 295, 301, 305, 308, 372–374, 394–396, 395f, 405, 406, 408, 410, 427
security policy compliance, 31, 415–422, 427
security policy enforcement, 377–401
security policy framework documents, 139
security policy frameworks, 199–206, 216–217
security policy implementation, 104–105, 372–374
security settings baseline, 414
security standards, 153
security token, 306
security violations, 134
segmented network, 87
self-assessment, 10
Self-Assessment Questionnaire (SAQ), 69
self-regulation, 53
senior management commitment, 37
sensitive business transactions, 263
sensitive but unclassified (SBU) data, 289
sensitive classification, 290, 291
separation of duties (SOD), 93, 211–213, 235, 298
separation of duty principle, 174
serious adverse effect, 292
server baseline configuration(s), 265
server performance, 408
service accounts, 243
service auditor, 70
service design, ITIL volume, 71
service integration, 172
service level agreements (SLAs), 7, 383
service operation, ITIL volume, 71
services, 408
service standardization, 172
service strategy, ITIL volume, 71
service transition, ITIL volume, 71
severe/catastrophic adverse effect, 292
severity classification, 329
shared services, 113
shareholders, 64
Simple Network Management Protocol (SNMP), 424–425
simplicity principle, 174
single sign-on, 253
site-to-site VPN connection, 90
SLAs. See service level agreements
SMEs. See subject matter experts
sniffer, 87
social engineering, 220, 227, 360
social networking policy, 82
social networking sites, 388
SOD. See separation of duties
soft skills, 108
SOX, 382
SOX Act. See Sarbanes-Oxley Act
span of control, 115
spear phishing, 228
SQL. See Structured Query Language
standardization, 354
standards, 17–19, 153–154, 170–176, 177f, 184–195
standards development, 158
“standards in waiting,” 156
standards library framework, 141f
stateful firewall, 262
state government service, 279
stateless firewall, 262
Statement on Standards for Attestation Engagements No. 16 (SSAE16), 69–70
state privacy laws, 295
statistical sample, 214
status reports, 332
storage of data, 298
Structured Query Language (SQL), 240, 425
subject matter expert (SME), 154, 321, 397
supervisory control and data acquisition (SCADA) systems, 292
support services, 325
switch, 86
Symantec Altiris, 412
Symantec Ghost, 409
system access policy, 81
system accounts, 243
system administrators, 323
system and communications protection, 151t
system and information integrity, 151t
system and services acquisition, 151t
system/application domain, 80, 91–92, 98–100, 271–274, 273t
systematic declassification, 290
System Center Configuration Manager (SCCM), 412
systems administrators, 231, 235–237
Systems Development Life Cycle (SDLC), 147
system security plan, 58
Systems Management Server (SMS), 412
system software, 91
system-specific standard, 154
Target Corporation and Trustwave Holdings Inc., 165
target state, 350
teamwork, 111
technical control, 34
technical hazard, 299
technical personnel, 185
technical safeguards, 59
technical security controls, 175
technology auditors, 242
telecommunication policies, 274–275
templates for policies and standards, 179–183
testing for compliance, 215
testing, monitoring and, 66
third line of defense, in layered security approach, 213
threat, 8
threat vector, 350
three-class scheme, 288
three-lines-of-defense model, 212f
timeliness principle, 173
tone at the top, 37
Top Secret data, 289
town hall meeting, 357
training, 187–191, 245–246, 360–364, 417
transmission of data, 298
triage, 329
trouble ticket, 237
two-factor authentication, 89
Type II SSAE16 audit, 70
Type I SSAE16 audit, 70
unauthenticated vulnerability scanner, 413
unauthorized access, 161, 247, 317, 318
unauthorized disclosure, 161–162
unblocking, 63
unclassified data, 289
unclear purpose, 120
unified operating model, 172
unique identity, 247
unmanageable complexity, 121
unrestricted information, 289
updates for security documents, 192–193
U.S. Department of Education, 62
U.S. Department of Energy system, 400
use limitation, 175
use of data, 298
user actions and traffic, 386–389
user domain, 81–84, 92–93, 231–243, 246–249
user proxy, 267
user training, 417
user types, 356
U.S. military classification scheme, 289
value delivery, 217
vendor governance committee, 382, 383
vetting, patch management, 308
video feeds, 95
virtual private network (VPN), 88, 253
Voice over Internet Protocol (VoIP), 95, 274
VoIP. See Voice over Internet Protocol
VPN. See virtual private network
VPN concentrators, 89
VPN connectivity, types of, 91f
vulnerabilities, 8, 230, 304, 305
vulnerability assessments, 305–306
vulnerability management program, 69
WAN. See wide area network
WAN domain, 79–80, 88–89, 96–97, 268–269
WAN router security standard, 268
weakest link in security chain, 226–231
Web-Based Enterprise Management (WBEM), 425
Web crawler, 221
Web graffiti, 96
Web services, 269
Web Services for Management (WS-Management) protocol, 425
Web services standard, 269
Website defacement, 96
whaling, 228
wide area network (WAN), 266
Wi-Fi access point (AP) security standard, 264
Wi-Fi hotspot, 219
wireless connectivity, 94, 261
workstation, 257
Workstation Domain, 79, 84–86, 93–94
Workstation Domain policies, 256–260, 258t
WorldCom, 61
zero day, 307
zero-day vulnerability, 410
Zip code lookup application, 240