Index

Symbols

201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth, 15

27002:2013 series (ISO/IEC), 74-75

access controls, 265

asset management, 125

business continuity, 371

communications, 219

cryptography, 301

domains, 75-80

GLBA requirements, 416

human resources, 157

information security policies guidance, 93

ISADM, 300

operations, 219

origins, 74

physical/environmental security, 189

regulation compliance, 409, 443

security incidents, 329

A

ABCP (Associate Business Continuity Professional), 384

Acceptable Use Policy, 568

agreement, 170-171, 568

applications, 571

authentication, 570

data protection, 569-570

distribution, 568

incident detection/reporting, 573

Internet, 572

messaging, 571

mobile devices, 572

password controls, 570

remote access, 573

acceptance (risk), 109

access controls, 77

authentication, 265

factors, 266

Google 2-step verification, 269

inherence, 269

knowledge-based, 267

possession, 268

authorization, 265, 270

discretionary, 271

mandatory, 270

policy statement, 271

role-based, 271

rule-based, 271

defined, 265

email, 239

HIPAA compliance, 449-450, 458-459

identification schemes, 265

infrastructure, 272

layered border security, 273-277

network segmentation, 272-273

ISO 27002:2013 series, 265

least privilege, 266

lists, 270

need-to-know, 266

NIST, 265

objects, 265

PCI DSS measures, 492-493

physical security, 192

documents, 194-195

entry, 192, 536

facilities, 455

insider theft, 195

secure areas, 194

workspaces, 193

remote, 277

authentication, 278

authorization, 279

NIST, 278

policy statement, 279-280

portals, 278

teleworking, 280-281, 298

VPNs, 278

resource websites, 297

sample policy, 546

administrative/privileged accounts, 551

authentication, 547

authorization, 548

border devices, 548-549

goals/objectives, 546

index, 546

lead author, 553

network segmentation, 548

remote access, 549-550

supporting resources/source material, 552

system, monitoring, 552

teleworking, 550

users, 551

security posture, 266

small businesses, 286

subjects, 265

user, 282

administrative accounts, 283

importance, 282

monitoring, 284-285

policy statement, 282

Yahoo! password compromise, 267, 297

accidents, 371

accountability, 71

account data (payment card industry), 484

accounting, 71

acquisition/development phase (SDLC), 302

Active Directory domain controller recovery procedure, 389

active voice, 51-52

ADA (Americans with Disabilities Act), 163, 186

adaptability, 11-12

ADCR (Account Data Compromise Recovery), 503

addresses

implementation specifications, 446

IP, 274

IPv4, 141

MAC, 141

whitelists/blacklists, 275

administrators

accounts

controls, 283

sample policy, 551

safeguards, 413

standards (HIPAA), 446

assigned security responsibility, 448

business associate contracts and other arrangements, 453

contingency plans, 451-452

evaluation, 452-453

information access management, 449-450

security awareness and training, 450-451

security incident procedures, 451

security management process, 447-448

summary, 454

workforce security, 448-449

adopting policies, 19-20

advanced persistent threats (APTs), 230

Advanced Research Project Agency (ARPA), 237

Aeneas Internet and Telephone F4 tornado, 373

AES (Advanced Encryption Standard), 312

Affinity Health Plan HIPAA photocopier breach, 467

AICPA (American Institute of CPAs), 246

Allen, Julia, 122

alpha phase (software), 304

Americans with Disabilities Act (ADA), 163, 186

analyzing logs, 243

ancient policies, 4-5

antivirus software, 234

“A Plain English Handbook: How to create clear SEC disclosure documents” website, 48

apparent data files, 200

applications. See software

Approved Scanning Vendors (ASVs), 501

APTs (advanced persistent threats), 230

ARPA (Advanced Research Project Agency), 237

ARPANET, 237

assessing. See evaluating

assessors, 97

asset management, 77

classifications

Bell-LaPadula model, 128

Biba model, 128

declassification, 135

defined, 128

Freedom of Information Act, 129

government, 129-131

handling standards, 136-139

labeling, 136, 139

lifecycle, 128

military, 128

national security information, 131-133

non-public personal information, 134

policy statement, 135

private sector, 128, 134

reclassification, 136

small business data example, 142-143

defined, 8, 125

descriptions, 140-142

hardware, 141

inventory, 139

asset descriptions, 140-142

choosing items to include, 139

controlling entities, 142

disposal/destruction of assets, 142

hardware assets, 140-141

logical addresses, 141

policy statement, 142

software assets, 140-142

unique identifiers, 140

ISO 27002:2013 guidance, 125

NIST guidance, 125

ownership, 126-127

sample policy, 527

goals/objectives, 527

index, 527

information classification, 528

information ownership, 527

inventory, 529

lead author, 529

supporting resources/source material, 529

software, 140-142

assigned security responsibility standard (HIPAA), 448

Associate Business Continuity Professional (ABCP), 384

assurance, 71, 419

ASVs (Approved Scanning Vendors), 501

asymmetric keys, 313, 327

attacks. See incidents

audience, 36

audits

business continuity, 393-394

CISA (Certified Information Security Auditor), 98

financial institutions testing, 419

HIPAA technical compliance, 459

information security policies, 98

reports, 98

service providers, 246

authentication

Acceptable Use Policy, 570

access controls, 265

factors, 266

Google 2-step verification, 269

inherence, 269

knowledge-based, 267

possession, 268

broken, 310

defined, 71

HIPAA technical compliance, 460

Internet banking, 427

remote access, 278

sample policy, 547

server logs, 244

authorization

access controls, 265, 270

discretionary, 271

mandatory, 270

policy statement, 271

role-based, 271

rule-based, 271

SDLC implementation phase, 303

defined, 71

HIPAA Workforce Security, 449

incident response, 559

information security policies, 96, 100

physical access, 192

remote access, 279

sample policy, 548, 551

SOPs, documenting, 220

availability, 69

defined, 69

distributed denial of service (DDoS) attacks, 70

government data classification, 130

SLAs, 70

threats, 70

awareness (security), 174

B

background checks, 161-162

bankruptcies, 163

consent, 162

credit history, 164

criminal history, 163-164

educational, 163-164

employee rights, 162

employment, 164

financial history, 163

licenses/certifications, 164

motor vehicle records, 163

policy statement, 164

Sarbanes-Oxley Act, 162-164

social media, 162

websites, 186

workers’ compensation history, 163

backups (data), 235-236

Bangladesh building collapse website, 29

Bank Holding Company Act of 1956, 409

Banking Act of 1933, 409

bankruptcy protection, 163

Bank Service Company Act (BSCA), 420

baselines, 34

BCP (business continuity plan), 380

policy statement, 381

responsibilities, 381

Business Continuity Teams (BCTs), 381

governance, 381

policy statement, 383

tactical, 382

BCTs (Business Continuity Teams), 381

Bejtlich, Richard’s blog, 122

Bell-LaPadula classification model, 128

benefits data protection, 166

beta phase (software), 305

BIA (business impact assessment), 378-379

Biba classification model, 128

biometrics, 269

black box assurance tests, 419

blacklists, 241, 275

blackouts, 198

blended threats, 234

Blue Teaming, 276

Board of Directors. See executive management

border devices

administration/management, 275

content filtering, 275

firewalls, 273-274

IDSs/IPSs, 274-275

penetration testing, 276

policy statement, 276-277

sample policy, 548-549

Boston Marathon Bombings websites, 407

botnets, 70, 232

bots, 232

breaches

2013 investigations report, 514

data cards with malware, 491

Global Payments PCI data breach, 503

HIPAA notifications, 468

breach definition, 468

requirements, 469

websites, 481

reporting/notifications

HIPAA, 468-469

sample policy, 560

broken authentication, 310

brownouts, 198

browser-based data, 200

BSCA (Bank Service Company Act), 420

Bush, President, HSPD-7, 373

business associates contracts and other arrangements standard (HIPAA), 444, 453, 461-462

business as usual (PCI DSS), 487

business continuity, 80

audits, 393-394

certifications, 384

disaster recovery, 388

Active Directory domain controller example, 389

communications, 389

facilities, 389

infrastructure, 389

mainframe, 389

network, 389

policy statement, 391

procedures, 389

resource websites, 407

service provider dependencies, 390

disaster response plans, 384

command and control centers, 385

communication, 385

organizational structure, 384

policy statement, 386-387

relocation strategies, 385-386

resource websites, 406

small businesses, 394

education/training, 384

emergency preparedness

disasters, 371-372

policy statement, 374

regulatory requirements, 372-373

resilience, 372

Tennessee F4 tornado example, 373

ISO/IEC 27002:2013, 371

maintenance, 393-394, 567

management, 564-565

NIST, 371

operational contingency plans, 387-388

plans, 380

policy statement, 381

sample policy, 564

resource websites, 406

responsibilities, 381

Business Continuity Teams (BCTs), 381

governance, 381

policy statement, 383

tactical, 382

resumption phase, 391

risk management, 374

impact assessment, 378-380

risk assessments, 376-377

threat assessments, 375

sample policy, 562

BIA, 563

continuity testing/maintenance, 567

disaster recovery, 566

emergency preparedness, 563

emergency response, 565

goals/objectives, 562

index, 562

lead author, 567

management, 564-565

operational contingency plan, 565

plan, 564

supporting resources/source material, 567

testing

importance, 392

methodologies, 392-393

policy statement, 394

sample policy, 567

Business Continuity Teams (BCTs), 381

business risk categories, 107

C

C&A (certification and accreditation), 303

CA (Certification Authority), 313

Caesar Cipher, 311

California Security Breach Information Act, 15, 30, 350

candidate data, 159-160

capability maturity model (CMM), 98-99, 122-123

cardholder data protection. See PCI DSS

CBCP (Certified Business Continuity Professional), 384

C&C (command and control server), 231

CCFP (Certified Cyber Forensics Professional), 343

certificates (digital)

compromises, 315

defined, 313

resource websites, 327

viewing, 314

certificates of destruction, 202

certification and accreditation (C&A), 303

Certification Authority (CA), 313

certification background checks, 164

Certified Business Continuity Professional (CBCP), 384

Certified Cyber Forensics Professional (CCFP), 343

Certified Functional Continuity Professional (CFCP), 384

Certified Information Security Auditor (CISA), 98

CERT Insider Threat Blog entry, 195

CFCP (Certified Functional Continuity Professional), 384

chain of custody, 202, 343-344

championing policies, 19

change control, 225

change management processes, 225

communicating changes, 227

documentation, 227

emergency situations, 227

implementing changes, 227

importance, 225

management processes, 225

monitoring, 227

patches, 228-229

plans, 226

policy statement, 228

resource website, 262

RFCs, 226

sample policy, 541

change drivers, 97, 123

Chief Information Security Officer (CISO), 101-102, 524

CIA (confidentiality, integrity, availability) triad, 65-66

availability, 69-70

confidentiality, 66-68

cryptography

Caesar Cipher, 311

cipher text, 311

decryption, 311

defined, 310

digital signatures, 311

encryption, 311-312

hashing, 311

keys. See keys

message integrity, 311

policy statement, 315

small businesses, 316

high potential impact, 129

integrity, 68-69

low potential impact, 129

moderate potential impact, 129

responsibility, 72

cipher text, 311

CISA (Certified Information Security Auditor), 98

CISO (Chief Information Security Officer), 101-102

Clarity Index, 52

Clarke, Richard, 13

class A fires, 199

class B fires, 199

class C fires, 199

class D fires, 199

classifications

assets, 528

Bell-LaPadula model, 128

Biba model, 128

corporate cultures, 6

declassification, 135

defined, 128

Freedom of Information Act, 129

government, 129-131

handling standards, 136-138

policy statement, 139

sample matrix, 137

incidents, 333-335, 558

labeling, 136, 139

lifecycle, 128

military, 128

national security information

derivative classification, 133

Executive Order 13536, 131

listing of classifications, 132-133

original classification, 133

non-public personal information, 134

policy statement, 135

private sector, 128

reclassification, 136

small business data example, 142-143

workspaces, 193, 536

clear desks/screens, 194-195, 537

client nodes, 313

client synopsis, 95

Clinton, President, PDD-63, 372

closure (incidents), 336

cloud storage, 236

CMM (capability maturity model), 98-99, 122-123

code (secure)

broken authentication, 310

defined, 306

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

OWASP, 307-308

policy statement, 310

SAMM, 307

session management, 310

cognitive passwords, 267

cold sites, 386

command and control centers (disaster response plans), 385

command and control server (C&C), 231

commercial off-the-shelf software (COTS)

policy statement, 306

releases, 304

SDLC, 304

testing environments, 305-306

updates, 305

communication, 79

changes, 227, 262

customer communication business impact assessment, 379

data breach notifications, 353

disasters

recovery, 389

response plans, 385

email

access, controlling, 239

ARPANET, 237

encryption, 238

hoaxes, 240

IMAP, 237

malware, 238

metadata, 238

policy statement, 241

POP3, 237

servers, 240-241

SMTP, 237

user errors, 240

equipment, 140

facilities, 538

incidents, 336, 339

Internet, 274

ISO 27002:2013 series guidance, 219

patches, 228-229

sample policy, 540

change control, 541

data replication, 543

email, 543

goals/objectives, 540

index, 540

lead author, 545

logs, 543

malware, 542

patch management, 542

service providers, 544

supporting resources/source material, 545

SOPs, 219

developing, 220

documenting, 220

formats, 220-223

policy statement, 225

writing resource, 224

transmission security, 460

compliance, 80

culture, 19

officers, 103

Omnibus Rule, 464-465, 480

risks, 108, 415

components (policy documents), 38

enforcement clauses, 45

exceptions, 44

exemptions, 44

goals/objectives, 42

headings, 42

introductions, 39-41

Policy Definition section, 47

statements, 43

version control, 38-39

computer equipment, 140

confidentiality, 66-67, 132-134

agreements, 170

cybercrimes, 68

government data classification, 130

hacktivism, 68

Manning WikiLeaks example, 67

protecting, 67

confidentiality, integrity, availability. See CIA triad

consolidated policies, 37

Constitution of the United States of America, 5

consumer information, 15, 413

containment (incidents), 336

content filtering, 275

contingency plans, 380, 451-452

continuity planning, 374

contracts (service providers), 247

corporate account takeover, 425, 428, 440

corporate cultures

classifications, 6

defined, 5

honoring the public trust, 7

corporate identity theft, 424-425

corporate account takeovers, 428, 440

GLBA Interagency Guidelines Supplement A requirements, 425-426

Identity Theft Data Clearinghouse, 426

Internet banking safeguards, 427

corporate officers. See executive management

correlation (logs), 243

COTS (commercial off-the-shelf software)

policy statement, 306

releases, 304

SDLC, 304

testing environments, 305-306

updates, 305

covered entities (HIPAA), 444, 461-462

CPTED (Crime Prevention Through Environmental Design), 191

credit cards. See also PCI DSS

background checks, 164

elements, 484

fraud, 483

growth website, 514

primary account numbers, 484

skimming, 493-494, 514

criminal history background checks, 164

criminal records, 163

critical infrastructure sectors, 2-3

cryptography, 78

asymmetric, 327

Caesar Cipher, 311

cipher text, 311

decryption, 311

defined, 310

digital signatures, 311

encryption, 311

AES, 312

email, 327

importance, 312

regulatory requirements, 312

resource websites, 327

hashing, 311

keys, 311-312

asymmetric, 313

best practices, 314-315

keyspace, 312

NIST, 314

PKI (Public Key Infrastructure), 313, 327

policy statement, 315

sample policy, 556

symmetric, 313

message integrity, 311

NIST, 301

PKI, 313, 327

small businesses, 316

customers

communication business impact assessment, 379

information system, 413

cyber, 13

cyber attack liability website, 123

cybercrimes, 68

cyber-insurance, 111, 123

cybersecurity, 111, 123

cryptography, 301

D

DACs (discretionary access controls), 271

data

apparent files, 200

at rest, 459

availability, 69-70

backups, 235-236

breach notifications, 345-346, 560

2013 investigations report, 514

chronology, 346

federal agencies, 349

federal law, 347

GLBA, 347-348

HIPAA/HITECH, 348-349

New Hampshire law, 352

policy statement, 352

public relations, 353

regulations, 345

resource websites, 368-369

small businesses, 353

state laws, 350-351

success, 351-352

Veterans Administration, 349-350

browser-based, 200

caches, 200

cardholder protection. See PCI DSS

centers, 190, 538

classifications

Bell-LaPadula model, 128

Biba model, 128

declassification, 135

defined, 128

Freedom of Information Act, 129

government, 129-131

handling standards, 136-139

labeling, 136, 139

lifecycle, 128

military, 128

national security information, 131-133

non-public personal information, 134

policy statement, 135

private sector, 128, 134

reclassification, 136

small business example, 142-143

cloud storage, 236

cryptography

Caesar Cipher, 311

cipher text, 311

decryption, 311

defined, 310

digital signatures, 311

encryption, 311-312

hashing, 311

keys, 311

keys. See keys

message integrity, 311

policy statement, 315

small businesses, 316

custodians, 104

de-identification, 306

deleting from drives, 201

destruction, 201

dummy, 306

dynamic data verification, 309

employee payroll/benefits protection, 166

hidden files, 200

in motion, 460

integrity, 69

job candidates, 159-160

logs

analyzing, 243

authentication server, 244

firewall, 243

inclusion selections, 242

policy statement, 244

prioritization, 242

review regulations, 243

sample policy, 543

syslogs, 242

user access, monitoring, 284-285

web server, 244

metadata, 200

owners, 103, 126

replication, 235-236, 543

temporary files, 200

users, 104

web caches, 200

Data Compromise Recovery Solution (DCRS), 503

DCRS (Data Compromise Recovery Solution), 503

DDoS (distributed denial of service) attacks, 70, 91, 331-332

debit/credit card fraud, 483

decision states (IDSs/IPSs), 275

decryption, 311

default allow security posture, 266

default deny security posture, 266

defense in depth, 233

defensive controls, 109

definition sections, 53

degaussing, 201

de-identification, 306

deleting data

before equipment disposal, 200

from drives, 201

delivery business functions, 385

Department of Health and Human Services HIPAA security series website, 518

Department of Homeland Security

U.S. Citizenship and Immigration Services Form I-9 Employment Eligibility Verification, 166

“What Is Critical Infrastructure?” website, 29

derivative classification, 133

designated incident handlers (DIHs), 338

destruction (equipment), 201

detection control, 233, 336

development, 17-18

implementation/maintenance, 555

SDLC, 302

development/acquisition phase, 302

disposal, 303

implementation phase, 303, 555

initiation phase, 302

operations/maintenance phase, 303, 555

policy statement, 304

sample policy, 554

secure code

broken authentication, 310

defined, 306

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

OWASP, 307-308

policy statement, 310

SAMM, 307

session management, 310

software, 304

releases, 304

sample policy, 555

updates, 305

SOPs, 220

formats, 220-223

policy statement, 225

writing resource, 224

testing environments, 305-306

device and media controls standard (HIPAA compliance), 456-457

digital certificates

compromises, 315

defined, 313

resource websites, 327

viewing, 314

digital non-public personally identifiable information (NPPI), 15-16

digital signatures, 311

DIHs (designated incident handlers), 338

Disaster Recovery Institute website, 519

disasters, 371-372

operational contingency plans, 387-388

recovery, 388

Active Directory domain controller example, 389

communications, 389

facilities, 389

infrastructure, 389

mainframe, 389

network, 389

policy statement, 391

procedures, 389

resource websites, 407

sample policy, 566

service provider dependencies, 390

response plans, 384

command and control centers, 385

communication, 385

organizational structure, 384

policy statement, 386-387

relocation strategies, 385-386

resource websites, 406

small businesses, 394

resumption phase, 391

discretionary access controls (DACs), 271

disgruntled ex-network administrator termination example, 169

disk wiping, 201

disposal (equipment), 200, 303

chain of custody, 202

data deletion, 200

deleting data from drives, 201

physical destruction, 201

policy statement, 203

sample policy, 539

unscrubbed hard drives, 202

disseminating policies, 19

distributed denial of service. See DDoS attacks

distributed governance model, 101

Chief Information Security Officer, 101-102

Information Security Officer, 101

Information Security Steering Committee, 102-103

DMZs, 272

documentation

changes, 227

controls, 194-195

HIPAA policies and procedures, 463-464

incidents, 336, 341

plain language, 63

SOPs, 220

documents (policy)

components, 38

enforcement clauses, 45

exceptions, 44

exemptions, 44

goals/objectives, 42

headings, 42

introductions, 39-41

Policy Definition section, 47

statements, 43

version control, 38-39

definition sections, 53

enforcement clauses, 53

formats, 36-38

plain language, 48

active/passive voice, 51-52

Clarity Index, 52

fisheries example, 49

guidelines, 50-51

PLAIN, 50-51, 63

“A Plain English Handbook: How to create clear SEC disclosure documents,” 48

Plain Language Movement, 49

Plain Writing Act, 49, 62

reference websites, 63

SOP development, 220

styles, 48

domain names, 141

Do-Not-Track Online Act of 2013, 232

DoS attacks, 241

DPPA (Driver's Privacy Protection Act), 163, 186

DRI (Disaster Recovery Institute) website, 384, 519

dual control administrative accounts, 283

due care, 247

due diligence, 245-246

dummy data, 306

duty of care, 97, 122

dynamic data verification, 309

E

education, 174

background checks, 164

business continuity management, 384

records, 163

EFTA (Electronic Fund Transfer Act), 483

egress network traffic, 274

electronic monitoring, 532

electronic protected health information (ePHI), 444

email

Acceptable Use Policy, 571

ARPANET, 237

encryption, 238, 327

policy statement, 241

risks

access, controlling, 239

hoaxes, 240

IMAP, 237

malware, 238

metadata, 238

POP3, 237

SMTP, 237

user errors, 240

sample policy, 543

servers, 240-241

emergency preparations

disasters, 371-372

policy statement, 374

regulatory requirements, 372-373

resilience, 372

sample policy, 563

Tennessee F4 tornado example, 373

emergency response plans, 384, 565

command and control centers, 385

communication, 385

operational contingency plans, 387-388

organizational structure, 384

policy statement, 386-387

recovery, 388

Active Directory domain controller example, 389

communications, 389

facilities, 389

infrastructure, 389

mainframe, 389

network, 389

policy statement, 391

procedures, 389

resource websites, 407

service provider dependencies, 390

relocation strategies, 385-386

resource websites, 406

resumption phase, 391

small businesses, 394

employees

agreements, 170-171, 533

background checks

bankruptcies, 163

consent, 162

credit history, 164

criminal, 163-164

educational, 163-164

employment, 164

financial history, 163

licenses/certifications, 164

motor vehicle records, 163

right to privacy, 162

social media, 162

workers’ compensation history, 163

electronic monitoring, 532

incident management, 337-340

information security training, 533

lifecycle, 157-158, 185

onboarding, 165-166

orientations, 167-168

recruitment, 158

candidate data, 159-160

government clearances, 165

interviews, 160

job postings, 159

policy statement, 161

prospective employees, screening, 161-164, 186

risk, 108

screenings, 531

security clearances, 185

security education, training, and awareness model, 174

HIPAA, 173

importance, 172

policy statement, 175

small businesses, 175

termination, 168-169

disgruntled ex-network administrator example, 169

policy statement, 169

sample policy, 532

websites, 186

user provisioning, 166-167

enclave networks, 272

encryption

AES, 312

defined, 311

email, 238, 327

importance, 312

ransomware, 232

regulatory requirements, 312

resource websites, 327

small businesses, 316

endorsement, 9

energy. See power

Energy Star, 197, 215

enforcement, 12

clauses, 45, 53

HIPAA

proactive, 467

State Attorneys General authority, 466

violations, 466-467

websites, 480

HITECH Act

proactive, 467

State Attorneys General authority, 466

violations, 466-467

websites, 480

PCI DSS compliance, 503-504

entry authorization, 192

environmental disasters, 371

environmental security, 189

access controls, 192

documents, 194-195

entry authorization, 192

insider theft, 195

secure areas, 194

workspaces, 193

CPTED, 191

equipment, 196

chain of custody, 202

disposal, 200-203

fire prevention controls, 198-199

power, 196-199, 215

resources, 216

theft, 203-205

facilities, 190

locations, 190

perimeters, 191

resources, 216

HIPAA compliance

device and media controls, 456-457

facility access control, 455

summary, 457

workstation security, 456

workstation use, 456

ISO 27002:2013 series guidelines, 189

safeguards, 413

sample policy, 535

clear desk/clear screen, 537

data centers/communications facilities, 538

entry controls, 536

equipment disposal, 539

goals/objectives, 535

index, 535

lead author, 539

mobile devices/media, 539

physical perimeter, 536

power consumption, 537

secure areas, 537

supporting resources/source material, 539

workspace classification, 536

threats, 375

ePHI (electronic protected health information), 444

equipment, 196

border devices, 548-549

chain of custody, 202

device and media controls standard (HIPAA compliance), 456-457

disposal, 200

data deletion, 200

deleting data from drives, 201

physical destruction, 201

policy statement, 203

sample policy, 539

unscrubbed hard drives, 202

fire prevention controls, 198-199

mobile devices/media, 539

passwords, 286

power, 196, 215

consumption, 196-198

fluctuations, 197-198

policy statement, 199

resources, 216

theft, 203-205

eradicating incidents, 336

Ethernet, 273

Euronet processing system data breach, 491

evacuation plans, 385

evaluating

business continuity

impact, 378-380

risks, 376-377

threats, 375

financial institution testing, 419

HIPAA evaluation standards, 452-453

information security policies, 97-100

audits, 98

capability maturity model, 98-99

independent assessors, 97

PCI DSS compliance, 500

fines/penalties, 503-504

process, 500

report, 501

SAQ, 502

websites, 514

risk

business risk categories, 107

controls, 107

financial institutions, 415-416

HIPAA, 447

impact, 107

information security, 106-107

inherent risk, 106

likelihood of occurrence, 107

methodologies, 108

NIST methodology, 108

policy statement, 108

residual risk, 107

sample policy, 525

threats, 106-107

vulnerabilities, 107

threats, 415

evidence handling (incidents), 336

chain of custody, 343-344

documentation, 341

evidence storage/retention, 344

forensics, 342-343

law enforcement cooperation, 341-342

policy statement, 345

resource websites, 368-369

sample policy, 560

exceptions, 44

executive management

Chief Information Security Officer, 101-102, 524

cyber attack liability website, 123

duty of care, 97

evaluating information security policies, 97-100

audits, 98

capability maturity model, 98-99

independent assessors, 97

GLBA compliance, 413-415

information security governance, 101

information security policy authorization, 96, 100

Executive Order 13256, 132, 155

exemptions, 44, 521

Exploit Wednesday, 229

F

facilities

communications, 538

data centers, 538

entry controls, 536

HIPAA compliance, 455

layered defense model, 190

access controls, 192-195

locations, 190

perimeters, 191

perimeters, 536

power consumption, 537

recovery, 389

resources, 216

secure areas, 537

FACTA (Fair and Accurate Credit Transactions Act of 2003), 163, 186

FAIR (Factor Analysis of Information Risk), 108

false negative/positive decision state, 275

Family Educational Rights and Privacy Act of 1974 (FERPA), 15, 30, 122, 163

FCBA (Fair Credit Billing Act), 483

FCRA (Fair Credit Reporting Act), 163, 186

FDIC information security standards website, 122

federal agencies data breach notifications, 349

Federal Continuity Directive 1, 373

Federal Information Processing Standard 199, 129-131

Federal Information Processing Standards (FIPS), 73

Federal Information Security Management Act (FISMA) website, 90

Federal Register, 412

Federal Trade Commission (FTC) Safeguards Act, 411

FERPA (Family Educational Rights and Privacy Act of 1974), 15, 30, 122, 163

FFIEC (Federal Financial Institutions Examination Council), 245, 394

FFIEC (Federal Financial Institutions Examination Council) IT Handbook, 262, 417, 518

FIL-44-2008 “Third-Party Risk Guidance for Managing Third-Party Risk,” 420

filtering content, 275

financial history protection, 163

Financial Institution Letter FIL-44-2008 “Third-Party Risk Guidance for Managing Third-Party Risk,” 420

financial institutions (GLBA compliance), 13-14, 409

Board of Directors involvement, 413-415

FFIEC IT InfoBase, 417

financial institutions definition, 410

identity theft, 424-427, 440-441

Interagency Guidelines, 412

Privacy Rule, 409

program effectiveness, monitoring, 421

regulatory

agencies/rules, 411

examination, 423-424

oversight, 410

reports, 422

risks, 415-418

Safeguards Act, 411

Security Guidelines, 409

service provider oversight, 420-421, 440

testing, 419-420

threat assessment, 415

training, 418-419

financial risk, 107

FIPS-199 (Federal Information Processing Standard), 129-131

FIPS (Federal Information Processing Standards), 73

fires

containment/suppression, 199

detection, 199

prevention controls, 198-199

firewalls, 243, 273-274

first-party risks, 111

FISMA (Federal Information Security Management Act), 90, 243

Five A’s, 71

“Five Principles of Organizational Resilience” website, 406

flowchart format, 223

FOIA (Freedom of Information Act), 129

forensics (incident investigations), 342-343, 368-369

formatting drives, 201

Form I-9, 166

Form W-4, 166

frameworks

defined, 72

ISO, 74

27000 series, 74

27002:2013 Code of Practice, 74-80

members, 74

websites, 75, 90

NIST, 72

Computer Security Division mission, 72

Information Assurance Framework, 73

information security publications, 73

resource websites, 91

PCI DSS, 486

fraud

corporate account takeover fraud advisory, 428, 440

credit/debit card, 483

hyperlinks, 239

Freedom of Information Act (FOIA), 129

FTC (Federal Trade Commission)

identity theft, 426, 440

Safeguards Act, 411

full-scale testing (business continuity), 393

functional exercises (business continuity), 392

G

GE (General Electric) Candidate Data Protection Standards, 160

general availability (software), 305

Genesco v. Visa lawsuit, 504

Glass-Steagall Act, 409

GLBA (Gramm-Leach-Bliley), 13-14, 409

data breach notifications, 347-348

FFIEC IT InfoBase, 417

financial institutions definition, 410

Interagency Guidelines, 412

Board of Directors involvement, 413-415

identity theft, 424-427, 440-441

program effectiveness, monitoring, 421

reports, 422

risks, 415-418

service provider oversight, 420-421, 440

testing, 419-420

threat assessment, 415

training, 418-419

ISO 27002:2013 requirements, 416

logs, 243

Privacy Rule, 409

regulatory

agencies/rules, 411

examination, 423-424

oversight, 410

Safeguards Act, 411

Security Guidelines, 409

Global Payments, Inc. data breach, 491, 503

go live (software), 305

Google

2-step password verification process, 269

data centers website, 190

governance

business continuity, 381

defined, 100-101

distributed model, 101

Chief Information Security Officer, 101-102

Information Security Officer, 101

Information Security Steering Committee, 102-103

organizational roles/responsibilities, 103

“Governing for Enterprise Security: CMU/SEI-2005-TN-023 2005” website, 122

regulatory requirements, 104

sample policy, 522-523

authorization/oversight, 523

Chief Information Security Officer, 524

goals/objectives, 522

index, 522

Information Security Steering Committee, 524

lead author, 526

supporting resources/source material, 526

website, 123

Gramm-Leach-Bliley Act. See GLBA

graphic format, 222

group-based access, 450

guest networks, 272

guiding principles

defined, 5

information security policies, 96

Toyota, 6

H

hacktivism, 68, 91

handling standards, 136-138

policy statement, 139

sample matrix, 137

Hannaford Bros. Supermarkets data breach, 491

hard drives

data, deleting, 201

unscrubbed, 202

hardware assets, 140-141

hashing, 311

headings (policies), 42

healthcare. See HIPAA; HITECH Act

health clearinghouses/plans, 444

Health Information Technology for Economic and Clinical Health. See HITECH Act

Health Insurance Portability and Accountability Act of 1996. See HIPAA

Heartland Payment Systems data breach, 491

HHS HIPAA security series website, 518

hidden files, 200

hierarchical format, 221

hierarchy (policies), 33

baselines, 34

guidelines, 34

plans, 36

procedures, 35

standards, 33-34

high potential impact, 129

HIPAA (Health Insurance Portability and Accountability Act of 1996), 14, 444

administrative standards, 446

assigned security responsibility, 448

business associate contracts and other arrangements, 453

contingency plans, 451-452

evaluation, 452-453

information access management, 449-450

security awareness and training, 450-451

security incident procedures, 451

security management process, 447-448

summary, 454

workforce security, 448-449

breach notifications, 348-349, 468-469

business associates changes, 465

categories, 445

covered entities, 444

Department of Health and Human Services HIPAA security series website, 518

enforcement/compliance, 445

Affinity Health Plan photocopier breach, 467

proactive, 467

State Attorneys General authority, 466

violations, 466

websites, 480

implementation specifications, 446

log reviews, 243

objective, 444-445

organizational requirements, 461-463

physical standards, 455

device and media controls, 456-457

facility access control, 455

summary, 457

workstations, 456

policies and procedures standards, 463-464

resource websites, 479

security awareness and training requirement, 173

subcontractor liability, 465

technical standards, 458

access control, 458-459

audit controls, 459

integrity controls, 459

person or entity authentication, 460

summary, 461

transmission security, 460

website, 30, 122

history of policies, 3-5

HITECH (Health Information Technology for Economic and Clinical Health) Act, 14, 348

breach notifications, 348-349, 468-469

business associates, 465

enforcement

proactive, 467

State Attorneys General authority, 466

violations, 466

websites, 480

overview, 464

resource websites, 480

subcontractor liability, 465

hoaxes, 240

honoring the public trust, 7

host-based IDSs/IPSs, 275

hot sites, 386

Huffington Post Edward Snowden article website, 155

human resources, 77

background checks

bankruptcies, 163

consent, 162

credit history, 164

criminal, 163-164

educational, 163-164

employee right to privacy, 162

employment, 164

financial history, 163

licenses/certifications, 164

motor vehicle records, 163

social media, 162

workers’ compensation history, 163

employee

agreements, 170-171

lifecycle, 157-158, 185

ISO 27002:2013/NIST guidance, 157

onboarding, 165-166

orientations, 167-168

recruitment, 158

candidate data, 159-160

government clearances, 165

interviews, 160

job postings, 159

policy statement, 161

prospective employees, screening, 161-164, 186

sample policy, 530

electronic monitoring, 532

employee agreements, 533

employee termination, 532

goals/objectives, 530

index, 530

information security training, 533

lead author, 534

personnel screenings, 531

recruitment, 531

supporting resources/source material, 534

user provisioning, 532

security clearances, 185

security education, training, and awareness model, 174

HIPAA, 173

importance, 172

NIST SP 800-16 SETA model, 173

policy statement, 175

small businesses, 175

termination, 168-169

disgruntled ex-network administrator example, 169

policy statement, 169

websites, 186

user provisioning, 166-167

Hurricane Sandy websites, 407

hybrid malware, 231

hyperlinks, 239

I

I-9 form, 166

ICA (International CPTED Association), 191

identification

access controls, 265

incidents, 330-331

subjects. See authentication

identity-based access, 450

identity theft, 424-425

corporate account takeovers, 428, 440

GLBA Interagency Guidelines Supplement A requirements, 425-426

Identity Theft Data Clearinghouse, 426

Internet banking safeguards, 427

resource websites, 440-441

IDSs (intrusion detection systems), 274-275, 297

IMAP (Internet Message Access Protocol), 237

Immigration Reform and Control Act of 1986 (IRCA), 166

impact assessment (business continuity), 378

customer communication example, 379

defined, 378

high potential, 129

information security risk, 107

low potential, 129

metrics, 378

moderate potential, 129

policy statement, 380

process, 378

implementation, 20

changes, 227

HIPAA, 446

SDLC, 303

systems, 555

inappropriate usage incidents, 333

incidents

Acceptable Use Policy, 573

classification, 558

communicating, 339

data breach notifications, 345-346

chronology, 346

federal agencies, 349

federal law, 347

GLBA, 347-348

HIPAA/HITECH, 348-349

New Hampshire law, 352

policy statement, 352

public relations, 353

regulations, 345

resource websites, 368-369

small businesses, 353

state laws, 350-351

success, 351-352

Veterans Administration, 349-350

DDoS attacks, 331-332

definition, 557

HIPAA compliance, 451

identifying, 330-331

inappropriate usage, 333

intentional unauthorized access, 331

investigating

chain of custody, 343-344

documentation, 341

evidence storage/retention, 344

forensics, 342-343

law enforcement cooperation, 341-342

policy statement, 345

resource websites, 368-369

ISO 27002:2013, 329

malware, 332

management personnel, 337-340

NIST, 329

organizational responses, 329

reporting, 334

responses

authority, 559

coordinators (IRCs), 338

plans (IRPs), 559

programs, 335-336

teams (IRTs), 103, 338

training, 340

sample policy, 557

classification, 558

data breach/notifications, 560

definition, 557

evidence handling, 560

goals/objectives, 557

index, 557

IRP, 559

lead author, 561

response authority, 559

supporting resources/source material, 561

severity levels, 333-335

US-CERT (United States-Computer Emergency Readiness Team), 330

inclusive information security policies, 12

independent assessors, 97

independent audit reports, 246

indicators (incidents), 336

information, 8

assets. See asset management

Assurance Framework, 73

custodians, 72

owners, 72

information security, 76

Audit and Control Association (ISACA), 98, 519

authorization, 96, 100

championing, 19

change drivers, 97

characteristics, 8

adaptable, 11-12

attainable, 11

endorsed, 9

enforceable, 12

inclusive, 12

realistic, 10

relevant, 10

CIA (confidentiality, integrity, availability). See CIA

client synopsis, 95

defined, 7

digital non-public personally identifiable information, 15-16

duty of care, 97

evaluating, 97-100

audits, 98

capability maturity model, 98-99

independent assessors, 97

FDIC standards, 122

Five A’s, 71

governance

Chief Information Security Officer, 101-102

defined, 100-101

distributed model, 101

Gramm-Leach-Bliley (GLBA), 13-14

Health Insurance Portability and Accountability Act of 1996 (HIPAA), 14

Information Security Officer, 101

Information Security Steering Committee, 102-103

organizational roles/responsibilities, 103

regulatory requirements, 104

websites, 122-123

guiding principles, 96

integrated approaches, 94

ISO/IEC 27002:2013, 74-75

lifecycle

adoption, 19-20

defined, 16

development, 17-18

publication, 18-19

review, 20

NIST guidance, 93

objective, 8

parallel approaches, 94

regulatory requirements, 94

risk

acceptance, 109

appetite, 106

assessment methodologies, 108

controls, 107

cyber-insurance, 111

defined, 105

evaluating, 106-108

impact, 107

inherent, 106

likelihood of occurrence, 107

management, 109, 123

mitigation, 109-110

NIST assessment methodology, 108

residual risk, 107

response policy statement, 110

risk management oversight policy statement, 106

taking risks, 105

threats, 106-107

tolerance, 105-106

vulnerabilities, 107

Steering Committee, 102-103, 524

strategic alignment, 94

student records, 15

user versions, 94

vendor versions, 95

Information Security Officer (ISO), 101, 122

information systems

Acceptable Use Policy, 568

agreement, 568

applications, 571

authentication, 570

data protection, 569-570

distribution, 568

incident detection/reporting, 573

Internet, 572

messaging, 571

mobile devices, 572

password controls, 570

remote access, 573

access controls. See access controls

acquisition, development, and maintenance. See SDLC

commercial off-the-shelf software/open source software, 304-306

defined, 126

inventory, 139

asset descriptions, 140-142

choosing items to include, 139

controlling entities, 142

disposal/destruction of assets, 142

hardware assets, 140-141

logical addresses, 141

policy statement, 142

software assets, 140-142

unique identifiers, 140

ISADM, 300

secure code

broken authentication, 310

defined, 306

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

OWASP, 307-308

policy statement, 310

SAMM, 307

session management, 310

Security Association, Inc. (ISSA) website, 519

systems development lifecycle, 302

development/acquisition phase, 302

disposal phase, 303

implementation phase, 303, 555

initiation phase, 302

operations/maintenance phase, 303, 555

policy statement, 304

testing environments, 305-306

Information Technology Laboratory (ITL), 72-73

infrastructure access controls, 272

disaster recovery, 389

equipment, 140

layered border security, 273

border device administration/management, 275

content filtering, 275

firewalls, 273-274

IDSs/IPSs, 274-275

penetration testing, 276

policy statement, 276-277

network segmentation, 272-273

remote, 277

authentication, 278

authorization, 279

NIST, 278

policy statement, 279-280

remote access portals, 278

teleworking, 280-281, 298

VPNs, 278

ingress network traffic, 274

inherence authentication, 269

inherent risk, 106

initial responses (incidents), 336

initiation phase (SDLC), 302

injection, 308

input validation, 308

insecure code, 306

insider theft, 195

Institute of Internal Auditors website, 519

integrated approaches, 94

integrity, 68-69

data, 69

government data classification, 130

HIPAA technical compliance, 459

system, 69

threats, 69

intentional unauthorized access incidents, 331

Interagency Guidelines (financial institutions), 412

Board of Directors involvement, 413-415

identity theft, 424-425

Identity Theft Data Clearinghouse, 426

Internet banking safeguards, 427

resource websites, 440-441

Supplement A requirements, 425-426

program effectiveness, monitoring, 421

reports, 422

risks, 415-418

service provider oversight, 420-421, 440

testing, 419-420

threat assessment, 415

training, 418-419

internal auditors, 103

Internal Revenue Service Form W-4 Employee’s Withholding Allowance Certificate, 166

Internal Security Assessors (ISAs), 501

internal use data, 134

International CPTED Association (ICA), 191

International Information Systems Security Certification Consortium (ISC2) website, 519

International Organization for Standardization. See ISO

Internet

Acceptable Use Policy, 572

applications security risks, 308

broken authentication, 310

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

policy statement, 310

session management, 310

banking safeguards, 427

caches, 200

communications, 274

Message Access Protocol (IMAP), 237

server logs, 244

interviews (job), 160

introductions, 39-41

intrusion detection systems (IDSs), 274-275, 297

intrusion prevention systems (IPSs), 274-275, 297

inventories, 139

assets, 529

descriptions, 140-142

disposal/destruction, 142

hardware, 140-141

software, 140-142

choosing items to include, 139

controlling entities, 142

logical addresses, 141

policy statement, 142

unique identifiers, 140

investigating incidents, 336

chain of custody, 343-344

documentation, 341

evidence storage/retention, 344

forensics, 342-343

law enforcement cooperation, 341-342

policy statement, 345

resource websites, 368-369

IP (Internet Protocol)

addresses, 274

domain names, 141

IPsec, 278

IPv4 addresses, 141

IPv6 addresses, 141

IPSs (intrusion prevention systems), 274-275, 297

IRCA (Immigration Reform and Control Act of 1986) website, 186

IRCs (incident response coordinators), 338

IRPs (incident response plans), 559

IRTs (incident response teams), 338

ISACA (Information Systems Audit and Control Association), 98, 519

ISADM (information systems acquisition, development, and maintenance). See SDLC

ISAs (Internal Security Assessors), 501

ISC2 (International Information Systems Security Certification Consortium) website, 519

ISO (Information Security Officer), 101

ISO (International Organization for Standardization), 72-74

27002:2013, 74-75

access controls, 265

asset management, 125

business continuity management, 371

communications, 219

cryptography, 301

domains, 75-80

GLBA requirements, 416

healthcare regulation compliance, 443

human resources, 157

information security policies guidance, 93

ISADM, 300

operations, 219

origins, 74

physical/environmental security, 189

regulation compliance, 409

security incidents, 329

members, 74

responsibilities, 127

websites, 75, 90

ISSA (Information Systems Security Association, Inc.) website, 519

IT InfoBase, 417

ITL (Information Technology Laboratory) bulletins, 73

IT Security Standards comparison website, 91

J

Jackson, Tennessee F4 tornado, 373

job postings, 159

K

keyloggers, 231

keys, 312

asymmetric, 313, 327

best practices, 314-315

defined, 311

keyspace, 312

management, 556

NIST, 314

PKI (Public Key Infrastructure), 313, 327

symmetric, 313

knowledge-based authentication, 267

Krebs, Brian blog, 428

L

labeling

classifications, 136

policy statement, 139

language (regulations), 412

LANs (local area networks), 273

layered border security, 273

border device administration/management, 275

content filtering, 275

firewalls, 273-274

IDSs/IPSs, 274-275

penetration testing, 276

policy statement, 276-277

layered defense model, 190

access controls, 192

documents, 194-195

entry authorization, 192

insider theft, 195

secure areas, 194

workspaces, 193

locations, 190

perimeters, 191

least privilege access controls, 266

license background checks, 164

lifecycles

classification, 128

employees, 157-158, 185

onboarding, 165-166

orientations, 167-168

recruitment. See recruitment

termination, 168-169

user provisioning, 166-167

policies

adoption, 19-20

defined, 16

development, 17-18

publication, 18-19

review, 20

systems development. See SDLC

likelihood of occurrence, 107

Linux root, 232

local area networks (LANs), 273

location threats, 376

lockscreen ransomware, 232

logs

analyzing, 243

authentication server, 244

data inclusion selections, 242

data prioritization, 242

defined, 242

firewall, 243

management, 242

policy statement, 244

review regulations, 243

sample policy, 543

syslogs, 242

user access, monitoring, 284-285

web server, 244

low potential impact, 129

M

MAC (Media Access Control) addresses, 141

MACs (mandatory access controls), 270

mainframe recovery, 389

maintenance

business continuity, 393-394, 567

payment card industry

information security policies, 495-496

vulnerability management programs, 490-491

SDLC, 303

systems, 555

malware, 230, 332

antivirus software, 234

APTs (advanced persistent threats), 230

categories, 231-232

bots, 232

hybrid, 231

ransomware, 232, 262

rootkits, 232

spyware, 232, 262

Trojans, 231

viruses, 231

worms, 231

controlling, 233

data card breaches, 491

email, 238

policy statement, 235

resource websites, 261-262

sample policy, 542

managing

border devices, 275

business continuity, 564-565

cryptography keys, 314-315

keys, 556

logs, 242

risks

acceptance, 109

cyber-insurance, 111

defined, 109

financial institutions, 416-418

mitigation, 109-110

websites, 123, 155

mandatory access controls (MACs), 270

Manning, Private Bradley, 67

Massachusetts

Security Breach Notification Law, 350

Standards for the Protection of Personal Information of Residents of the Commonwealth, 15, 30

maximum tolerable downtime (MTD), 378

MBCP (Master Business Continuity Professional), 384

mean time to repair (MTTR), 247

Media Access Control (MAC) addresses, 141

medical records, protecting, 14

member information system, 413

memory cards, 268

merchants. See PCI DSS

Merriam-Webster Online cyber definition website, 30

message integrity, 311

messaging. See email

metadata, 200, 238

Microsoft patches, 229

Miller, Andrew James, 342

mitigating risk, 109-110

mobile devices/media, 205

Acceptable Use Policy, 572

sample policy, 539

websites, 386

moderate potential impact, 129

monitoring

changes, 227

financial institutions security programs, 421

payment card industry networks, 494-495

service providers, 247

systems, 552

user access, 284-285

motor vehicle records, 163

MTD (maximum tolerable downtime), 378

MTTR (mean time to repair), 247

multifactor authentication, 266

multilayer authentication, 266

N

NACD (National Association of Corporate Directors), 96

NACHA Corporate Account Takeover Resource Center website, 428

NAC (network access control) systems, 279

National Institute of Standards and Technology. See NIST

national security information classifications

derivative classification, 133

Executive Order 13536, 131

listing of classifications, 132-133

original classification, 133

NCAS (National Cyber Awareness System), 330

NCCIC (National Cybersecurity and Communications Integration Center), 330

need-to-know access controls, 266

negative corporate cultures, 6

networks

access control (NAC) systems, 279

border devices, 548-549

disaster recovery, 389

equipment, 140

IDSs/IPSs, 274-275

infrastructure, 272

layered border security, 273

border device administration/management, 275

content filtering, 275

firewalls, 273-274

IDSs/IPSs, 274-275

penetration testing, 276

policy statement, 276-277

monitoring, 552

payment card industry, 494-495

remote access controls, 277

authentication, 278

authorization, 279

NIST, 278

policy statement, 279-280

remote access portals, 278

sample policy, 549-550

teleworking, 280-281, 298, 550

VPNs, 278

segmentation, 272-273

policy statement, 273

sample policy, 548

neutral corporate cultures, 6

New Hampshire data breach notification website, 352

New York cybersecurity websites, 63

NIST (National Institute of Standards and Technology), 72

access controls, 265

asset management, 125

business continuity management, 371

communications guidance, 219

Computer Security Division mission, 72

cryptography, 301, 314

data at rest/in motion, 459-460

digital forensics, 342

firewalls, 274

human resources guidance, 157

Information Assurance Framework, 73

information security

guidance, 93

publications, 73

intrusion detection and prevention systems, 275

malware protection, 230

operations guidance, 219

physical/environmental security, 189

regulation compliance, 409, 443

remote access controls, 278

resource websites, 91

Risk Management Framework (RMF), 108

security incidents, 329

SP 800-16 SETA model, 173

special publications website, 516

teleworking, 280

non-disclosure agreements, 170

non-discretionary access controls, 271

non-public personally identifiable information. See NPPI

notifications

data breach, 345-346

chronology, 346

federal agencies, 349

federal law, 347

GLBA, 347-348

HIPAA/HITECH, 348-349

New Hampshire law, 352

policy statement, 352

public relations, 353

regulations, 345

resource websites, 368-369

sample policy, 560

small businesses, 353

state laws, 350-351

success, 351-352

Veterans Administration, 349-350

HIPAA breach, 468-469

breach definition, 468

requirements, 469

Safe Harbor Provisions, 468

websites, 481

identity theft requirements, 426

incidents, 336

NPPI (non-public personally identifiable information), 15-16, 134

defined, 134

elements, 134

GLBA protection, 409

job candidates, 159-160

O

objectives (policies), 42

objects

access controls, 265

capability authorization model, 270

OCR (Office of Civil Rights), 445

OCSP (Online Certificate Status Protocol), 315

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), 108

OEPs (occupant emergency plans), 385

offensive controls, 109

Old Testament of the Bible, 4-5

Omnibus Rule, 464-465, 480

onboarding employees, 165-166

one-time passcodes (OTPs), 268

Online Certificate Status Protocol (OCSP), 315

open mail relay, 240

open security posture, 266

open source software

policy statement, 306

releases, 304

SDLC, 304

updates, 305-306

Open Web Application Security Project. See OWASP

operating system software, 140

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 108

OPERATION PAYBACK DDoS attack, 332

operations, 78

business functions, 386

change control, 225, 262

change management processes, 225

communicating changes, 227

documentation, 227

emergency situations, 227

implementing changes, 227

importance, 225

monitoring, 227

patches, 228-229

plans, 226

policy statement, 228

RFCs, 226

contingency plans, 387

examples, 387

operating procedures, 388

policy statement, 388

sample policy, 565

data backups/replication

policy statement, 236

recommendations, 235

testing, 236

delivery functions, 385

disasters, 371

email

access, controlling, 239

ARPANET, 237

encryption, 238

hoaxes, 240

IMAP, 237

malware, 238

metadata, 238

policy statement, 241

POP3, 237

servers, 240-241

SMTP, 237

user error, 240

ISO 27002:2013 series guidance, 219

logs

analyzing, 243

authentication server, 244

data inclusion selections, 242

data prioritization, 242

defined, 242

firewall, 243

management, 242

policy statement, 244

review regulations, 243

syslogs, 242

web server, 244

malware, 230

antivirus software, 234

APTs (advanced persistent threats), 230

categories, 231-232

controlling, 233

email, 238

policy statement, 235

resource websites, 261-262

risks, 108, 415

sample policy, 540

change control, 541

data replication, 543

email, 543

goals/objectives, 540

index, 540

lead author, 545

logs, 543

malware, 542

patch management, 542

service providers, 544

SOP, 541

supporting resources/source material, 545

SDLC, 303

service provider oversight, 245

contracts, 247

due diligence, 245-246

independent audit reports, 246

monitoring, 247

policy statement, 248

SOPs, 219

developing, 220

documenting, 220

formats, 220-223

policy statement, 225

writing resource, 224

oral law, 3

organizations

business associate contracts and other arrangements HIPAA compliance, 453

data breach notifications public relations, 353

disaster response structure, 384

HIPAA compliance standards, 461-463

incident responses, 329

resilience, 372

orientations (employee), 167-168

original classification, 133

OTPs (one-time passcodes), 268

out-of-band authentication, 268

out-of-wallet questions, 267

output validation, 309

OWASP (Open Web Application Security Project), 307

defined, 307

security risks, 308

broken authentication, 310

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

policy statement, 310

session management, 310

websites, 307, 327

ownership (assets), 126

data owners, 126

Information Security Officer role, 127

management, 527

policy statement, 127

P

PANs (primary account numbers), 484

parallel approaches, 94

passive voice, 51-52

passwords

Acceptable Use Policy, 570

cognitive, 267

equipment, 286

Google 2-step verification process, 269

Yahoo! compromise, 267, 297

patches, 228, 305

managing, 229

Microsoft, 229

sample policy, 542

Patch Tuesday, 229

Payment Card Industry Data Security Standard. See PCI DSS

payroll data protection, 166

PCI DSS (Payment Card Industry Data Security Standard), 104, 483

account data, 484

business as usual, 487

cardholder data environment, 484

compliance, 499

assessment, 500-501

fines/penalties, 503-504

merchants required, 499

SAQ, 502

validation levels, 499-500

websites, 514

credit card elements, 484

framework, 486

Global Payments data breach, 503

log reviews, 243

malware breaches, 491

payment security standards council documents library website, 518

primary account numbers, 484

requirements, 487-488

resource websites, 515

six core principles, 486

build and maintain secure network/systems, 488-489

implement strong access control measures, 492-493

maintain information security policy, 495-496

maintain vulnerability management program, 490-491

protect cardholder data, 489-490

regularly monitor and test networks, 494-495

skimming, 493-494, 514

system components, 484

version 3.0 updates, 487

PCI Security Standards Council website, 501

PDD-63 (Presidential Decision Directive 63) Critical Infrastructure Protection, 372

penetration testing (border devices), 276

perimeter networks, 272

perimeter security, 191, 536

personal health records, 348

personal identity theft, 424-425

GLBA Interagency Guidelines Supplement A requirements, 425-426

Identity Theft Data Clearinghouse, 426

Internet banking safeguards, 427

resource websites, 440-441

personal records reported compromised example, 203

personnel. See employees

person or entity authentication standard (HIPAA compliance), 460

physical security, 78, 189

access controls, 192

documents, 194-195

entry authorization, 192

insider theft, 195

secure areas, 194

workspaces, 193

CPTED, 191

equipment, 196

chain of custody, 202

disposal, 200-203

fire prevention controls, 198-199

power, 196-199, 215

resources, 216

theft, 203-205

facilities, 190

locations, 190

perimeters, 191

resources, 216

HIPAA compliance

device and media controls, 456-457

facility access control, 455

summary, 457

workstation security, 456

workstation use, 456

ISO 27002:2013 series guidelines, 189

safeguards, 413

sample policy, 535

clear desk/clear screen, 537

data centers/communications facilities, 538

entry controls, 536

equipment disposal, 539

goals/objectives, 535

index, 535

lead author, 539

mobile devices/media, 539

physical perimeter, 536

power consumption, 537

secure areas, 537

supporting resources/source material, 539

workspace classification, 536

threats, 375

PKI (Public Key Infrastructure), 313, 327

plain language

active/passive voice, 51-52

Clarity Index, 52

defined, 48

fisheries example, 49

guidelines, 50-51

PLAIN, 50-51, 63

“A Plain English Handbook: How to create clear SEC disclosure documents,” 48

Plain Language Movement, 49

Plain Writing Act, 49, 62

reference websites, 63

SOP development, 220

PLAIN (Plain Language Action and Information Network), 50-51, 63

plans, 36

business continuity, 380

audits, 393-394

certifications, 384

disaster recovery, 388-391, 407

disaster response, 384-385

education/training, 384

maintenance, 393-394

policy statement, 381, 386-387

relocation strategies, 385-386

resource websites, 406

responsibilities, 381-383

resumption phase, 391

sample policy, 564

small businesses, 394

testing, 392-394

disaster recovery, 566

operational contingency, 387

examples, 387

operating procedures, 388

policy statement, 388

sample policy, 565

policies

championing, 19

components, 38

enforcement clauses, 45

exceptions, 44

exemptions, 44

goals/objectives, 42

headings, 42

introductions, 39-41

Policy Definition section, 47

statements, 43

version control, 38-39

definition sections, 53

disseminating, 19

enforcement clauses, 53

formats, 36

audience, 36

types, 37-38

good characteristics, 8

adaptable, 11-12

attainable, 11

endorsed, 9

enforceable, 12

inclusive, 12

realistic, 10

relevant, 10

hierarchy, 33

baselines, 34

guidelines, 34

plans, 36

procedures, 35

standards, 33-34

history, 3-5

lifecycle

adoption, 19-20

defined, 16

development, 17-18

publication, 18-19

review, 20

plain language, 48

active/passive voice, 51-52

Clarity Index, 52

defined, 48

fisheries example, 49

guidelines, 50-51

PLAIN, 50-51, 63

“A Plain English Handbook: How to create clear SEC disclosure documents,” 48

Plain Language Movement, 49

Plain Writing Act, 49, 62

reference websites, 63

SOP development, 220

styles, 48

POP3 (Post Office Protocol), 237

ports, 274

positive corporate cultures, 7

possession authentication, 268

post-incident activity, 336

power, 196

blackouts, 198

brownouts, 198

consumption, 196-198, 537

fluctuations, 197-198

policy statement, 199

resources, 215

spikes, 198

surges, 198

precursors (incidents), 336

presidential policies/directives

critical infrastructure sectors, 3, 30

Executive Order 13563-Improving Regulation and Regulatory Review, 62

Executive Order-Improving Government Regulations, 62

HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection, 373

Memorandum on Plain Language in Government Writing, 62

PDD 63 Critical Infrastructure Protection, 372

prevention control (malware), 233

primary account numbers (PANs), 484

principle of least privilege website, 297

printers, 140

prioritizing log data, 242

privacy

employee rights, 162, 167-168

honoring the public trust, 7

officers, 103

user account monitoring, 285

Privacy Rule (GLBA), 409

private sector data classifications, 134

privileged accounts, 283, 551

procedures, 35

productivity software, 140

programs. See plans

prospective employee screening, 161-162

bankruptcies, 163

consent, 162

credit history, 164

criminal history, 163-164

education, 163-164

employment, 164

financial history, 163

licenses/certifications, 164

motor vehicle records, 163

policy statement, 164

right to privacy, 162

Sarbanes-Oxley Act, 162-164

social media, 162

websites, 186

workers’ compensation history, 163

protected data, 134

protocols, 274

IMAP, 237

IP

addresses, 274

domain names, 141

IPsec, 278

IPv4 addresses, 141

IPv6 addresses, 141

OCSP, 315

POP3, 237

SMTP, 237

public data, 134

Public Doublespeak Committee, 49

public key cryptography, 313, 327

Public Key Infrastructure (PKI), 313, 327

publishing policies, 18-19

Q – R

QSAs (Qualified Security Assessors), 501

ransomware, 232, 262

RA (Registration Authority), 313

ratings (regulatory examinations), 423-424

RBACs (role-based access controls), 271, 450

RCs (release candidates), 305

realistic information security policies, 10

recovery

business continuity, 380

disasters, 388

Active Directory domain controller example, 389

communications, 389

facilities, 389

infrastructure, 389

mainframe, 389

network, 389

policy statement, 391

procedures, 389

resource websites, 407

resumption phase, 391

sample policy, 566

service provider dependencies, 390

emergencies, 372

incidents, 336

payment card data breaches, 503

point objective (RPO), 378

time objective (RTO), 378

recruitment, 158

candidate data, 159-160

government clearances, 165

interviews, 160

job postings, 159

policy statement, 161

prospective employees, screening, 161-162

bankruptcies, 163

consent, 162

credit history, 164

criminal history, 163-164

education, 163-164

employment, 164

financial history, 163

licenses/certifications, 164

motor vehicle records, 163

policy statement, 164

right to privacy, 162

Sarbanes-Oxley Act, 162-164

social media, 162

websites, 186

workers’ compensation history, 163

sample policy, 531

Red Teaming, 276

reducing

power consumption, 197-198

risk, 109

Registration Authority (RA), 313

regulations

agencies, 411

compliance

ISO/IEC 27002:2013, 409, 443

NIST, 409, 443

data breach notifications, 345

federal agencies, 349

GLBA, 347-348

HIPAA/HITECH, 348-349

state laws, 350-351

success, 351-352

Veterans Administration, 349-350

defined, 13

digital non-public personally identifiable information, protecting, 15-16

emergency preparedness requirements, 372-373

encryption, 312

examination, 423-424

FERPA (Family Educational Rights and Privacy Act of 1974), 15

GLBA. See GLBA

Health Insurance Portability and Accountability Act of 1996. See HIPAA

HITECH Act. See HITECH Act

language, 412

log reviews, 243

Omnibus Rule, 464-465, 480

PCI DSS. See PCI DSS

requirements

governance, 104

information security, 94

risk, 108

release candidates (RCs), 305

relocation strategies (disaster response), 385-386

remote access controls, 277

Acceptable Use Policy, 573

authentication, 278

authorization, 279

NIST, 278

policy statement, 279-280

portals, 278

remote access portals, 278

sample policy, 549-550

teleworking, 280

NIST, 280

policy statement, 281

sample policy, 550

websites, 298

Yahoo! telecommuting ban, 281

VPNs, 278

reporting

audits, 98

compliance, 500-501

data breaches, 560

financial institutions regulation compliance, 422

incidents, 334

independent audits, 246

PCI DSS compliance, 501

reputational risks, 107, 415

Requests for Change (RFCs), 226

residual risks, 107

responses

business continuity, 380

disasters, 384

command and control centers, 385

communication, 385

operational contingency plans, 387-388

organizational structure, 384

policy statement, 386-387

relocation strategies, 385-386

resource websites, 406

small businesses, 394

emergencies, 565

incidents, 335-336

closure/post-incident activity, 336

communication, 339

containment, 336

detection/investigation, 336

documentation, 336

eradication/recovery, 336

indicators, 336

initial responses, 336

management personnel, 337-340

notifications, 336

policy statement, 337

precursors, 336

preparations, 336

sample policy, 559

training, 340

risks, 525

responsibilities

asset ownership, 126-127

assigned security, 448

business continuity, 381

Business Continuity Teams (BCTs), 381

governance, 381

policy statement, 383

tactical, 382

data owners, 126

incident management personnel, 338

Information Security Officer, 127

information security roles, 103

resumption plans

business continuity, 380

disaster recovery, 391

reviewing policies, 20

RFCs (Requests for Change), 226

Risk Management Framework (RMF), 108

risks

assessment, 447

avoidance, 110

continuity planning, 374

impact assessment, 378-380

risk assessments, 376-377

threat assessments, 375

cyber-insurance, 111

email

access, 239

encryption, 238

hoaxes, 240

IMAP, 237

malware, 238

metadata, 238

POP3, 237

servers, 240-241

SMTP, 237

user errors, 240

evaluating, 106-107

business risk categories, 107

controls, 107

impact, 107

inherent risk, 106

likelihood of occurrence, 107

methodologies, 108

NIST methodology, 108

policy statement, 108

residual risk, 107

threats, 106-107

vulnerabilities, 107

financial institutions

assessment, 415-416

management, 416-418

information security

acceptance, 109

appetite, 106

assessment methodologies, 108

controls, 107

cyber-insurance, 111

defined, 105

evaluating, 106-108

impact, 107

inherent, 106

likelihood of occurrence, 107

management, 109, 123

mitigation, 109-110

NIST assessment methodology, 108

residual risk, 107

response policy statement, 110

risk management oversight policy statement, 106

taking risks, 105

threats, 106-107

tolerance, 105-106

vulnerabilities, 107

management

acceptance, 109

defined, 109

mitigation, 109-110

websites, 123, 155

reducing, 109

response policy statement, 110

sample policy, 522-523

assessment, 525

authorization/oversight, 523

goals/objectives, 522

index, 522

lead author, 526

management oversight, 525

response, 525

supporting resources/source material, 526

sharing, 110

transfers, 110

“Risk, Threat, and Vulnerability 101” website, 122

RMF (Risk Management Framework), 108

ROC (Report on Compliance), 500-501

role-based access controls (RBACs), 271, 450

roles

incident management personnel, 338

information security responsibilities, 103

rollback strategies (software), 305

rootkits, 232

root (Unix/Linux), 232

RPO (recovery point objective), 378

RTO (recovery time objective), 378

rule-based access controls, 271

S

S. 418: Do-Not-Track Online Act of 2013, 232

Safeguards Act, 411

Safe Harbor Provision (HIPAA), 468

SAMM (Software Assurance Maturity Model), 307, 327

SANS Institute website, 519

SAQ (self-assessment questionnaire), 502

Sarbanes-Oxley Act of 2002 (SoX), 162-164, 186

SB 1386: California Security Breach Information Act, 15

SBA disaster response resources, 395

screen scrapers, 231

SDLC (systems development lifecycle), 302

commercial off-the-shelf software/open source software, 304

policy statement, 306

releases, 304

testing environments, 305-306

updates, 305

development/acquisition phase, 302

disposal phase, 303

implementation phase, 303, 555

initiation phase, 302

operations/maintenance phase, 303, 555

policy statement, 304

sample policy, 554

testing environments, 305-306

secret data classification, 132

sector-based regulations

data breach notifications

GLBA, 347-348

HIPAA/HITECH, 348-349

emergency preparedness, 373

secure areas

controls, 194

sample policy, 537

secure code

broken authentication, 310

defined, 306

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

OWASP, 307-308

policy statement, 310

SAMM, 307

session management, 310

security

awareness, 174, 450-451

clearances, 165, 185

domains, 65

education/training, 172-174

frameworks. See frameworks

incidents. See incidents

posture, 266

Security Information and Event Management (SIEM), 242

segmenting networks, 548

segregation of duties, 283

self-assessment questionnaire (SAQ), 502

semi-trusted networks, 272

sensitive but unclassified data classification, 133

sensitive customer information. See NPPI

sequencing logs, 243

servers

email, 240-241

farms, 190

service level agreements (SLAs), 70, 390

service providers, 245, 413

contracts, 247

dependencies

disaster recovery, 390

threats, 375-376

due diligence, 245-246

financial institutions oversight, 420-421, 440

independent audit reports, 246

monitoring, 247

policy statement, 248

sample policy, 544

session management, 310

SETA (security education, training, and awareness), 174

HIPAA, 173

importance, 172

NIST SP 800-16 SETA model, 173

policy statement, 175

severity levels (incidents), 333-335

sharing risk, 110

shelter-in-place plans, 385

shoulder surfing, 194

SIEM (Security Information and Event Management), 242

signatures (logs), 243

Simple Mail Transfer Protocol (SMTP), 237

simple step format, 221

simulations (business continuity testing), 392

single-factor authentication, 266

singular policies, 37

six PCI DSS core principles, 486

build and maintain secure network/systems, 488-489

implementing strong access control measures, 492-493

maintain information security policy, 495-496

protect cardholder data, 489-490

regularly monitor and test networks, 494-495

requirements, 487-488

vulnerability management program maintenance, 490-491

skimming, 493-494, 514

slammer worm website, 261

SLAs (service level agreements), 70, 390

sloppy code, 306

Small Business Administration disaster response resources, 395

small businesses

access control, 286

corporate account takeover website, 428

data breach notifications, 353

data classification/handling example, 142-143

disaster response plans, 394

encryption, 316

IT security staff, 249

SMTP (Simple Mail Transfer Protocol), 237

Snowden, Edward, 133, 155

SOC1 reports, 246

SOC2 reports, 246

SOC3 reports, 246

software

Acceptable Use Policy, 571

antivirus, 234

assets, 140-142

commercial off-the-shelf. See COTS

development, 302

commercial off-the-shelf software/open source software, 304

development/acquisition phase, 302

disposal, 303

implementation phase, 303, 555

initiation phase, 302

operations/maintenance phase, 303, 555

policy statement, 304

sample policy, 555

malware, 230, 332

antivirus, 234

APTs (advanced persistent threats), 230

categories, 231-232

controlling, 233

data card breaches, 491

email, 238

resource websites, 261-262

sample policy, 542

patches, 228-229

policy statement, 306

releases, 304

secure code

broken authentication, 310

defined, 306

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

OWASP, 307-308

policy statement, 310

SAMM, 307

session management, 310

testing environments, 305-306

updates, 305

Software Assurance Maturity Model (SAMM), 307

SOPs (standard operating procedures), 219

developing, 220

formats, 220-223

policy statement, 225

writing resource, 224

documenting, 220

sample policy, 541

SoX (Sarbanes-Oxley Act), 162-164, 186

Special Publication 800 series, 73

spyware, 232, 262

SSAE16 (Standards for Attestation Engagements 16) audit reports, 246

standard operating procedures. See SOPs

State Attorneys General HIPAA enforcement, 466

state data breach notification laws, 350-351

statements (policies), 43

storage

cloud, 236

evidence, 344

media, 140

strategic alignment, 94

strategic risks, 107, 415

structured reviews (business continuity), 392

student records, protecting, 15

Stuxnet, 234

subcontractor liability (HIPAA), 465

subjects (access controls), 265

authorization, 270-271

identification, 266

inherence authentication, 269

knowledge-based authentication, 267

possession authentication, 268

Supplement to the Authentication in an Internet Banking Environment Guidance, 427

Supplier Relationship domain, 79

symmetric key cryptography, 313

syslogs, 242

systems

availability, 69-70

commercial off-the-shelf software/open source software, 304

policy statement, 306

releases, 304

SDLC, 304

testing environments, 305-306

updates, 305

development lifecycle, 302

development/acquisition phase, 302

disposal phase, 303

implementation phase, 303, 555

initiation phase, 302

operations/maintenance phase, 303, 555

policy statement, 304

sample policy, 554

testing environments, 305-306

information

defined, 126

inventory, 139-142

integrity, 69

monitoring, 552

payment card industry, 484

secure code

broken authentication, 310

defined, 306

dynamic data verification, 309

injection, 308

input validation, 308

output validation, 309

OWASP, 307-308

policy statement, 310

SAMM, 307

session management, 310

testing environments, 305-306

T

tabletop exercises (business continuity), 392

tactical business continuity responsibilities, 382

Target data breach, 491

technical safeguards, 413

technology service providers (TSPs), 420

Telework Enhancement Act of 2010, 280

teleworking access controls, 280

NIST, 280

policy statement, 281

sample policy, 550

websites, 298

Yahoo! telecommuting ban, 281

temporary files, 200

Tennessee F4 tornado, 373

termination (employees), 168-169, 186

testing

business continuity plans

audits, 393-394

importance, 392

methodologies, 392-393

policy statement, 394

sample policy, 567

financial institutions regulation compliance, 419-420

information systems, 305-306

payment card industry networks, 494-495

Texas Breach Notification Law, 350

theft (equipment), 203-205

third parties. See vendors

threats

availability, 70

business continuity, 375

confidentiality, 68

financial institutions, 415

information security risk, 106

integrity, 69

sources, 107

Title 11 of the U.S. Bankruptcy Code, 163

tolerance (risk), 105-106

Tomlinson, Ray, 237

top secret data classification, 132

Torah, 4-5

Toyota guiding principles, 6, 29

training, 174

business continuity management, 384

employees, 533

financial institutions regulation compliance, 418-419

HIPAA compliance, 450-451

incident response, 340

transactional risks, 415

transfers (risk), 110

transmission security standard (HIPAA compliance), 460

trend analysis (logs), 243

Trojans, 231

trusted networks, 272

TSPs (technology service providers), 420

Tufts University Information Technology Resource Security Policy website, 62

U

unclassified data classification, 132

unique identifiers (assets), 140

United States

Army Clarity Index, 52

Computer Emergency Readiness Team (US-CERT), 330

Constitution, 5

Government Printing Office Public Law 107-347, E-Government Act of 2002 website, 90

Unix root, 232

unscrubbed hard drives, 202

The Untouchables, 68

untrusted networks, 272

updates (software), 305

URSIT (Uniform Rating System for Information Technology), 423-424

users

access controls, 282

administrative accounts, 283

importance, 282

monitoring, 284-285

policy statement, 282

sample policy, 551

authentication, 547

authorization, 548

data users, 104

information security policies versions, 94

provisioning, 166-167, 532

V

validation

disaster recovery resumption phase, 391

levels (PCI compliance), 499-500

vendors

disaster recovery dependencies, 390

financial institutions oversight, 420-421, 440

information security policies versions, 95

risks, 111

sample policy, 544

service provider oversight, 420-421, 440

version control (information security policies), 38-39, 94-95, 521

Veterans Administration data breach notifications, 349-350

Veterans Affairs Information Security Act, 349

viruses, 231

visitor management systems, 192

voice (active/passive), 51-52

VPNs (virtual private networks), 278

vulnerabilities. See risks

W

W-4 form, 166

W32.Stuxnet, 234

waiver process, 44

warm sites, 386

war rooms (disaster response plans), 385

web. See Internet

websites

2013 data breach investigations, 514

access control resources, 297

Americans with Disabilities Act, 186

asymmetric key cryptography, 327

background checks, 186

Bangladesh building collapse, 29

Boston Marathon Bombings, 407

business continuity resources, 406

California Security Breach Information Act, 30

CCFP, 343

certificates, 327

change control resources, 262

change drivers, 123

CMM, 122-123

corporate account takeovers, 440

CPTED, 191

credit card growth, 514

cyber attack liability, 123

cyber-insurance, 123

data breach notifications resources, 368-369

DDoS attacks, 91

Department of Health and Human Services HIPAA security series, 518

Department of Homeland Security, “What Is Critical Infrastructure?,” 29

disasters

recovery, 407

response, 406

Do-Not-Track Online Act of 2013, 232

DPPA, 186

DRI, 384, 519

duty of care, 122

email encryption, 327

employee

lifecycle, 185

terminations, 186

encryption, 327

Energy Star, 215

environmental security protection resources, 216

equipment passwords, 286

Executive Order 13256, 155

Fair and Accurate Credit Transactions Act of 2003, 186

FCRA, 186

FDIC information security standards, 122

Federal Register, 412

FERPA, 30, 122

FFIEC, 245, 394

FFIEC IT Handbook, 262, 417, 518

FISMA (Federal Information Security Management Act), 90

Five Principles of Organizational Resilience, 406

Freedom of Information Act, 129

FTC identity theft, 440

GE Candidate Data Protection Standards, 160

Google data centers, 190

governance, 123

“Governing for Enterprise Security: CMU/SEI-2005-TN-023, 2005,” 122

Gramm-Leach-Bliley Act, 30

hacktivism, 91

hashing, 327

HIPAA, 30, 122

breach notifications, 481

resources, 479

HITECH Act, 480

Huffington Post Edward Snowden article, 155

Hurricane Sandy, 407

I-9 form, 166

identity theft, 440-441

IDSs/IPSs, 297

incident evidence handling, 368-369

Information Security Officer role, 122

Institute of Internal Auditors, 519

IRCA, 186

ISACA, 98, 519

ISC2, 519

ISO, 75, 90

ISSA, 519

IT Security Standards comparison website, 91

Krebs, Brian blog, 428

malware resources, 261-262

Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 30

Merriam-Webster Online cyber definition, 30

NACHA Corporate Account Takeover Resource Center, 428

New Hampshire data breach notifications, 352

New York cybersecurity, 63

NIST

resources, 91

special publications, 516

Omnibus Rule, 480

OWASP, 307, 327

PCI DSS resources, 515

PCI Security Standards Council, 501, 518

PKI, 313, 327

plain language

Action and Information Network, 50-51

fisheries example, 50

PLAIN, 63

Plain Writing Act of 2010, 62

resources, 63

power resources, 215

presidential critical infrastructure security policies, 30

Executive Order 13563-Improving Regulation and Regulatory Review, 62

Executive Order-Improving Government Regulations, 62

HSPD-7, 373

Memorandum on Plain Language in Government Writing, 62

principle of least privilege, 48, 297

ransomware, 262

risk management, 123, 155

“Risk, Threat, and Vulnerability 101,” 122

SAMM, 307, 327

SANS Institute, 519

Sarbanes-Oxley Act of 2002, 162, 186

security clearances, 185

service provider oversight, 440

skimming, 494, 514

slammer worm, 261

Small Business Administration disaster response resources, 395

spyware, 262

state security breach notification laws, 351

teleworking, 298

Toyota guiding principles, 6, 29

Tufts University Information Technology Resource Security Policy, 62

U.S. Government Printing Office Public Law 107-347, E-Government Act of 2002, 90

WikiLeaks, 91

Yahoo! password compromise, 267, 297

white-box assurance tests, 419

whitelists, 275

WikiLeaks, 67, 91

willful damage disasters, 371

wireless IDSs/IPSs, 275

WLANs (wireless local area networks), 273

workers’ compensation history protection, 163

workforce

defined, 448

security standard (HIPAA), 448-449

workspaces, 193

classification, 536

standards (HIPAA compliance), 456

worms, 231

writing SOPs resource, 224

writing style. See plain language

Y – Z

Yahoo!

password compromise, 267, 297

telecommuting ban, 281

zero-day exploit, 238
