Security Policies and Procedures : Principles and Practices

by
  • ISBN13:

    9780131866911

  • ISBN10:

    0131866915

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2005-07-18
  • Publisher: Prentice Hall
List Price: $145.60

Summary

Security Policies and Procedures: Principles and Practices was created to teach information security policies and procedures and to provide students with hands-on practice developing a security policy. This book provides an introduction to security policy, coverage of information security regulation and frameworks, and policies specific to industry sectors, including financial, healthcare and small business.

Table of Contents

Security Series Walk-Through xxiv
Preface xxvii
About the Author xxxi
Acknowledgments xxxii
Quality Assurance xxxiii
PART ONE Introduction to Policy 1(62)
Policy Defined 3(32)
Introduction 3(1)
Defining Policy 4(2)
Looking at Policy Through the Ages 6(3)
The Bible as Ancient Policy 7(2)
The U.S. Constitution as a Policy Revolution 9(1)
Defining the Role of Policy in Government 9(2)
Defining the Role of Policy in Corporate Culture 11(1)
Consistency in Services, Products, and Corporate Culture 11(1)
In Practice: Supporting Organizational Goals 12(2)
Complying with Government Policies 13(1)
Understanding the Psychology of Policy 14(2)
Involving Those Who Know What Is Possible 15(1)
In Practice: The Importance of Knowing What Is Possible 16(3)
Changes in the Environment 18(1)
Introducing a Policy 19(3)
Getting Approval 20(1)
Introducing Policies to the Organization 20(2)
Achieving Acceptance of the Policy 22(2)
Organizational Culture Comes from the Top 22(1)
Reinforcement Through Good Communication 23(1)
Responding to Environmental Changes 23(1)
Enforcing Information Security Policies 24(11)
Enforcing Behavioral Policies 24(1)
Enforcing Technological Policies 25(1)
Summary 25(1)
Test Your Skills 26(9)
The Elements of a Policy 35(28)
Introduction 35(1)
Defining Policy Companions: Standards, Guidelines and Procedures 36(2)
Standards 37(1)
Guidelines 37(1)
Procedures 38(1)
Developing a Policy Style and Format 38(2)
Plan Before You Write 38(2)
In Practice: Using Tables to Publish Policies 40(1)
Defining Policy Elements 41(1)
Statement of Authority 41(1)
In Practice: Example of a Statement of Authority 41(2)
Policy Headings 42(1)
In Practice: Example of a Policy Heading 43(1)
Policy Objectives 43(1)
In Practice: Example of a Policy Objective in Reference to Confidentiality Agreements 44(1)
Policy Statement of Purpose 44(1)
In Practice: Example of a Statement of Purpose 44(1)
Policy Audience 45(1)
In Practice: Example of a Policy Audience 45(1)
Policy Statement 46(1)
In Practice: Example of Policy Statements 46(2)
Policy Exceptions 46(2)
In Practice: Example of Exception to Policy 48(1)
Policy Enforcement Clause 48(1)
In Practice: Example of Policy Enforcement Clause 49(1)
Policy Definitions 49(1)
In Practice: Example of a Definition 50(13)
Summary 51(1)
Test Your Skills 52(11)
PART TWO Information Security Policy Domains 63(324)
Information Security Framework 65(26)
Introduction 65(1)
Planning the Goals of an Information Security Program 66(7)
"C" Is for Confidentiality 67(2)
"I" Is for Integrity 69(1)
"A" Is for Availability 70(2)
The "Five A's" of Information Security 72(1)
Classifying Data and Information 73(1)
In Practice: Classifying Your Telecommunications Information 74(1)
Identifying Information Ownership Roles 75(1)
The ISO 17799/BS 7799 Code of Practice for Information Security Management 76(2)
Using the Ten Security Domains of the ISO 17799:2000 78(13)
Security Policy 78(1)
Organizational Security 79(1)
Asset Classification and Control 79(1)
Personnel Security 79(1)
Physical and Environmental Security 79(1)
Communications and Operations Management 80(1)
Access Control 80(1)
System Development and Maintenance 80(1)
Business Continuity Management 81(1)
Compliance 81(1)
Is It Possible to Have Too Many Policies? 81(1)
Summary 82(1)
Test Your Skills 82(9)
Security Policy Documents and Organizational Security Policies 91(26)
Introduction 91(1)
Composing a Statement of Authority 92(2)
Who Should Sign the Statement of Authority? 92(1)
What Message Should the Statement of Authority Convey? 93(1)
The Role of Security Champion 93(1)
In Practice: Sample Statement of Authority 94(1)
Security Policy Document Policy--A Policy About a Policy 95(3)
Is There a Relationship Between the Organization's Security Policy Document and Federal Law? 95(2)
The Need for an Employee Version of Security Policies 97(1)
Policies Are Dynamic 97(1)
In Practice: Information Security Policy Document Objective and Ownership Policy 98(2)
Managing Organizational Security 100(1)
Creating an Organizational Structure that Supports the Goals of Information Security 100(1)
In Practice: Information Security Infrastructure Policy 101(3)
Who Else Has Access? 103(1)
In Practice: Identification of Risks from Third Parties Policy 104(2)
Outsourcing Is a Growing Trend 105(1)
In Practice: Security Requirements in Outsourcing Contracts Policy 106(11)
Summary 108(1)
Test Your Skills 108(9)
Asset Classification 117(32)
Introduction 117(1)
What Are We Trying to Protect? 118(2)
Information Systems 119(1)
Who Is Responsible for Information Assets? 119(1)
In Practice: Information Ownership Policy 120(2)
Information Classification 122(3)
Government and Military Classification Systems 122(2)
Commercial Classification Systems 124(1)
In Practice: Footprinting and the Four-Step Hacking Process 125(2)
In Practice: Information Classification Policy 127(2)
Information Classification Labeling and Handling 129(1)
Information Labeling 129(1)
Familiar Labels 129(1)
Information Handling 129(1)
Information Classification Program Lifecycle 130(2)
Information Classification Procedures 130(1)
Reclassification/Declassification 130(2)
In Practice: Information Classification Handling and Labeling Policy 132(1)
Value and Criticality of Information Systems 133(4)
How Do We Know What We Have? 134(1)
Asset Inventory Methodology 134(1)
Asset Inventory Characteristics and Attributes 135(1)
System Characterization 136(1)
In Practice: Inventory of Information System Assets Policy 137(12)
Summary 140(1)
Test Your Skills 141(8)
Personnel Security 149(36)
Introduction 149(1)
First Contact 150(2)
Job Descriptions 151(1)
The Interview 151(1)
In Practice: Job Recruitment and Descriptions Policy 152(2)
Who Is This Person? 154(4)
Types of Background Checks 156(2)
In Practice: Personnel Screening Policy 158(2)
The Importance of Employee Agreements 160(2)
Confidentiality Agreements 160(1)
Information Security Affirmation Agreements 160(2)
In Practice: Personnel Agreements Policy 162(2)
Why Is Security Education and Training Important? 164(3)
SETA for All 165(1)
Influencing Behavior with Security Awareness 166(1)
Teaching a Skill with Security Training 166(1)
Security Education Is Knowledge Driven 167(1)
Investing In Training 167(1)
In Practice: Information Security Education, Training, and Awareness Policy 167(2)
Security Incident Reporting Is Everyone's Responsibility 169(2)
Incident Reporting Training 169(1)
Security Reporting Mechanisms 170(1)
Testing the Procedures 170(1)
In Practice: Security Incident Awareness and Reporting Policy 171(14)
Summary 172(1)
Test Your Skills 173(12)
Physical and Environmental Security Policies and Procedures 185(28)
Introduction 185(1)
Designing Secure Areas 186(2)
Securing the Perimeter 187(1)
In Practice: Physical Security Perimeter Policy 188(1)
Implementing Physical Entry Controls 189(1)
In Practice: Physical Entry Controls Policy 189(2)
Securing Offices, Rooms, and Facilities 190(1)
In Practice: Securing Offices, Rooms, and Facilities Policy 191(2)
Working In Secure Areas 192(1)
In Practice: Working In Secure Areas Policy 193(1)
Securing Equipment 194(1)
Equipment Siting and Protection 195(1)
In Practice: Equipment Siting and Protection Policy 195(2)
No Power, No Processing 196(1)
In Practice: Power Supply Policy 197(2)
Secure Disposal and Reuse of Equipment 198(1)
In Practice: Secure Disposal and Reuse of Equipment Policy 199(2)
General Controls 201(1)
Clear Desk and Clear Screen 201(1)
In Practice: Clear Desk and Clear Screen Policy 202(1)
Removing Company Policy 203(1)
In Practice: Removal of Property Policy 203(10)
Summary 204(1)
Test Your Skills 205(8)
Communications and Operations Management 213(58)
Introduction 213(1)
Standard Operating Procedure 214(6)
Why Document Operating Procedures? 214(1)
Developing Standard Operating Procedure Documentation 214(5)
Authorizing SOP Documentation 219(1)
Protecting SOP Documentation 219(1)
SOP Change Management 220(1)
In Practice: Standard Operating Procedures Documentation Policy 220(1)
Operational Change Control 221(2)
Step 1: Assessment 222(1)
Step 2: Logging Changes 222(1)
Step 3: Communication 222(1)
In Practice: Operational Change Control Policy 223(1)
Incident Response Program 224(6)
Incidents and Severity Levels 225(1)
What Is a Designated Incident Handler? 225(3)
Incident Reporting, Response, and Handling Procedures 228(1)
Analyzing Incidents and Malfunctions 229(1)
Reporting Suspected or Observed Security Weaknesses 229(1)
Testing Suspected or Observed Security Weaknesses 230(1)
In Practice: Incident Response Program Policy 230(2)
Malicious Software 232(3)
What Is Malware? 232(1)
Malware Controls 233(2)
In Practice: Malicious Software Policy 235(1)
Information System Backup 236(3)
Defining a Backup Strategy 237(1)
The Importance of Test Restores 237(2)
In Practice: Information System Backup Policy 239(1)
Managing Portable Storage 240(4)
Controlling Non-Company-Owned Removable Media 242(1)
Controlling Company-Owned Removable Media that Leaves Company Premises 243(1)
Storing Removable Media 243(1)
In Practice: Management of Portable Storage Devices and Removable Media Policy 244(3)
Secure Reuse and Disposal of Media 246(1)
Outsourcing Media Removal 247(1)
When In Doubt, Check the Log 247(1)
In Practice: Secure Reuse and Disposal of Media Policy 247(4)
Security of Media While In Transit 248(1)
Only Authorized Couriers Need Apply 249(1)
Physically Protecting the Media During Transport 250(1)
Security Controls Related to Transporting Media 250(1)
In Practice: Security of Media in Transit Policy 251(3)
Securing Data on Publicly Available Systems 252(1)
Publishing Data and Respecting the Law 253(1)
The Need for Penetration Testing 253(1)
In Practice: Publicly Available Systems Policy 254(1)
Securing E-Mail 255(3)
Is E-Mail Different than Other Forms of Communication? 255(2)
We Can Be Our Own Worst Enemy 257(1)
Compromising the E-Mail Server 257(1)
In Practice: E-Mail and E-Mail Systems Policy 258(13)
Summary 259(1)
Test Your Skills 260(11)
Access Control 271(40)
Introduction 271(1)
What Is a Security Posture? 272(3)
To Deny All or Not to Deny All... That Is the Question 272(1)
Least Privilege to Perform Business Activities 272(1)
Do You Need to Know, Or Just Want to Know? 273(1)
How Do We Know Who Needs What? 273(1)
Who Decides Who Needs What? 274(1)
In Practice: Access Control Policy 275(1)
Managing User Access 276(3)
One to Authorize, Another to Implement, and Another to Keep Watch 276(1)
User Access Management 276(2)
Promotions, Terminations, and Other Changes 278(1)
With Privilege Comes Responsibility 278(1)
In Practice: User Access Management Policy 279(2)
Keeping Passwords Secure 281(2)
Don't Ask, Don't Tell 281(2)
In Practice: Password Use Policy 283(2)
User Authentication for Remote Connections 285(4)
IPSec and the Virtual Private Network 285(1)
RADIUS and TACACS+ 286(1)
Hardware Tokens 287(1)
Challenge/Response Protocol 287(1)
Private Lines 288(1)
Address Checking and Dial-Back Controls 288(1)
Testing, 1, 2, 3 288(1)
In Practice: User Authentication for Remote Connections Policy 289(1)
Mobile Computing 290(3)
Yet Another Risk Assessment! 290(1)
Approved or Prohibited? 290(3)
In Practice: Mobile Computing Policy 293(1)
Telecommuting 294(2)
The Telecommuting Environment 295(1)
In Practice: Telecommuting Policy 296(2)
Monitoring System Access and Use 298(3)
What Will We Need to Monitor? 299(1)
Review and Retention 300(1)
Is Monitoring Legal? 301(1)
In Practice: Monitoring System Access and Use Policy 301(10)
Summary 303(1)
Test Your Skills 303(8)
Systems Development and Maintenance 311(40)
Introduction 311(1)
What Are the Risks to the Organization? 312(1)
Systems Development 312(1)
Systems Maintenance 312(1)
Security Requirements of Systems 313(2)
Risk Assessments 313(1)
Independent Third-Party Consultants: A Requirement? 313(1)
Adding Control After Implementation 314(1)
In Practice: Security Requirements of Systems Policy 315(2)
The Things that Should Never Happen to Sensitive Data! 317(1)
Data Loss 317(1)
Data Modification 317(1)
Data Misuse 318(1)
Sloppy Code vs. Secure Code 318(4)
System Owners 318(1)
Input Validation: An Introduction 319(1)
Advanced Input Validation 320(1)
Testing the Plausibility of Data Inputs 320(1)
Output Validation 321(1)
In Practice: Security in Application Systems Policy 322(1)
Risk Assessments and Cryptography 323(1)
In Practice: Breaking the Caesar Cipher 323(6)
Risk Assessment 325(1)
Confidentiality, Integrity, Authentication, Nonrepudiation 325(2)
Keepers of the Keys 327(1)
Key Management 327(1)
Encryption and Business Partners 328(1)
In Practice: Cryptographic Controls Policy 329(1)
Operating System and Application Software Stability 330(5)
Only Stable Versions Should Be Deployed on Production Servers 331(1)
Updates: Required, Dangerous, or Both? 331(2)
Updates: When Should They Be Applied? 333(1)
Updates: Who Should Apply Them? 333(1)
Testing Environment Concerns 334(1)
In Practice: Security of System Files, Development, and Support Processes Policy 335(16)
Summary 337(1)
Test Your Skills 337(14)
Business Continuity Management 351(36)
Introduction 351(1)
What Is a Disaster? 352(2)
Risk Assessment and Business Impact Analysis (BIA) 353(1)
In Practice: Business Continuity Assessment Policy 354(2)
Disaster Strikes Without Warning 356(3)
A Plan of Action 357(1)
Business Continuity Plan (BCP) Components 357(2)
In Practice: Business Continuity Plan Policy 359(1)
Understanding Roles and Responsibilities 360(2)
Defining Expectations 360(1)
Who's In Charge? 361(1)
In Practice: Business Continuity Team Policy 362(1)
Preparing for Disaster 363(3)
Organizational Structure 364(1)
Command Center Location 364(1)
Notification of Personnel 364(1)
Relocation of Operations 364(1)
Alternate Data Center Sites 365(1)
Responding to a Disaster 366(2)
Detection 366(1)
Notification 366(1)
Declaration 366(1)
Activation 367(1)
Planning for Contingencies 368(1)
Business Contingency Procedures 368(1)
Business Contingency Documentation 369(1)
Recovering from Disaster 369(1)
Recovery Strategies 369(1)
Procedures 369(1)
In Practice: E-mail System Recovery 370(2)
Recovery Manual 371(1)
Testing and Maintaining the Plan 372(3)
Testing Methods 372(1)
Maintaining the Plan 373(1)
Agreements with Vendors 373(1)
Auditing the Plan 374(1)
In Practice: Business Continuity Plan Testing and Maintenance Policy 375(12)
Summary 376(1)
Test Your Skills 377(10)
PART THREE Regulatory Compliance 387(140)
Regulatory Compliance for Financial Institutions 389(36)
Introduction 389(1)
What Is the Gramm-Leach-Bliley Act? 390(6)
To Whom Does the GLBA Pertain? 391(1)
Who Enforces GLBA? 392(1)
FFIEC to the Rescue 393(1)
Understanding the GLBA Security Regulations 394(1)
What Are Interagency Guidelines? 394(1)
Development and Implementation of an Information Security Program 395(1)
Involving the Board 396(1)
Delegating Information Security Tasks 396(1)
Assessing Risk 397(3)
Information and Information Systems Inventory 398(1)
Identifying and Assessing Threats 398(2)
Mitigating Controls 400(1)
Managing Risk 400(11)
Using the ISO Framework for Achieving Risk Management Objectives 402(1)
Logical and Administrative Access Controls 402(4)
Physical Security 406(1)
Data Security 406(1)
Malicious Code 407(1)
Systems Development, Acquisition, and Maintenance 407(1)
Personnel Security 408(1)
Electronic and Paper-Based Media Handling 408(1)
Logging and Data Collection 409(1)
Service Provider Oversight 409(1)
Intrusion-Detection and Response 409(1)
Business Continuity Considerations 410(1)
Training, Training, and More Training! 410(1)
Testing the Controls 411(1)
Adjusting the Program, Reporting to the Board, and Implementing the Standards 411(1)
Adjusting the Program 412(1)
Reporting to the Board 412(1)
Effective Date of Compliance 412(1)
What's Different About the FTC Safeguards Act? 412(3)
Objectives 413(1)
Elements 413(2)
Identity Theft and Regulatory Compliance 415(10)
Responding to Identity Theft 415(2)
The FTC and Identity Theft 417(1)
Summary 417(1)
Test Your Skills 418(7)
Regulatory Compliance for the Healthcare Sector 425(38)
Introduction 425(1)
Understanding the Security Rule 426(4)
HIPAA Goals and Objectives 427(1)
HIPAA Key Principles 427(1)
Penalties for Noncompliance 428(1)
Security Rule Organization 428(1)
Implementation Specifications 429(1)
Administrative Safeguards 430(12)
The Security Management Process §164.308(a)(1)(i) 430(3)
Assigned Security Responsibility §164.308(a)(2) 433(1)
Workforce Security §164.308(a)(3) 434(1)
Information Access Management §164.308(a)(4) 435(1)
Security Awareness and Training §164.308(a)(5) 436(2)
Security Incident Procedures §164.308(a)(6) 438(1)
Contingency Plans §164.308(a)(7) 439(2)
Evaluation §164.308(a)(8) 441(1)
Business Associate Contracts and Other Arrangements §164.308(b)(1) 441(1)
Physical Safeguards 442(5)
Facility Access Controls §164.310(a)(1) 442(2)
Workstation Use §164.310(b) 444(1)
Workstation Security §164.310(b) 445(1)
Device and Media Controls §164.310(d)(1) 445(2)
Technical Safeguards 447(4)
Access Control §164.312(a)(1) 448(1)
Audit Controls §164.312(b) 449(1)
Integrity Controls §164.312(c)(1) 449(1)
Person or Entity Authentication §164.312(d) 450(1)
Transmission Security §164.312(e)(1) 451(1)
Organization Requirements 451(3)
Business Associates Contracts §164.314(a)(1) 451(2)
Standard Requirements for Group Health Plans §164.314(b)(1) 453(1)
Policies and Procedures 454(9)
Policies and Procedures §164.316(a) 454(1)
Documentation §164.316(b)(1) 454(1)
Summary 455(1)
Test Your Skills 456(7)
Information Security Regulatory Compliance for Critical Infrastructure 463(20)
Introduction 463(1)
E-Government Is Becoming a Reality 464(3)
Security at a National Level 464(1)
Elements Required for Compliance 465(1)
NIST to the Rescue 466(1)
NIST Publications to Address FISMA 466(1)
The FISMA Implementation Project 467(1)
The Future of FISMA 467(1)
Protecting the Privacy of Student Records 467(3)
What Is the Objective of FERPA? 468(1)
What Is an Educational Record? 468(1)
Types of Educational Records 469(1)
What Does FERPA Have to Do with Information Security? 469(1)
It All Started with a Corporate Scandal 470(2)
What Does SOX Have to Do with Information Security? 471(1)
Adopting a Control Framework 471(1)
Relevancy of ISO 17799:2000 472(11)
ISO 17799 Security Domain Recap 473(1)
Summary 474(1)
Test Your Skills 475(8)
Security Policies and Practices for Small Businesses 483(44)
Introduction 483(1)
What Is a Small Business? 484(2)
What Should a Small Business Do? 485(1)
Additional Considerations 485(1)
What Policies Should a Small Business Have? 486(1)
How Should the Policies Be Presented? 486(1)
Why Have a Confidentiality Policy? 486(3)
Make It Legal 487(1)
Not One, not Two, but Five 488(1)
Structure of the Agreement 488(1)
Protect the Agreement 488(1)
What Is Acceptable Behavior? 489(3)
Ownership 489(1)
In Practice: Business-Centric Use of Bandwidth? 490(1)
Hardware and Software 491(1)
Misuse of Resources 491(1)
Internet Use--Where to Draw the Line? 492(2)
Monitoring, Logging, and Blocking Internet Traffic 492(1)
Transmitting Data 493(1)
Keeping Corporate E-Mail Secure 494(4)
In Practice: The Power of a Single E-Mail Over a Company's Future 495(1)
Business Use Only 496(1)
Clear Text Communications 496(1)
Misuse of Resources 497(1)
Reporting and Responding to Incidents 498(2)
Incident Reporting 498(1)
Incident Response 499(1)
Incident Response Plan 500(1)
Managing Passwords 500(2)
Password Characteristics 500(1)
In Practice: Creating Memorable Complex Passwords 501(1)
Password Review 502(1)
Protecting Information 502(4)
Is Classification Really Necessary? 502(1)
Information Labeling 503(1)
Information Protection 504(1)
In Practice: Dumpster Diving 505(1)
Protecting from Malware 506(4)
Viruses, Worms, Trojans, and Spyware, Oh My! 506(1)
Protection Requirements 507(1)
Don't Forget About the Users 508(1)
Patch Management 508(2)
Securing Remote Access 510(1)
Extending the Internal Network 510(1)
Controlling Change 511(2)
Why Does a Small Business Need a Change Control Policy? 512(1)
Data Backup and Recovery 513(14)
Business Depends upon the Ability to Access Data 513(1)
Types of Backups 514(1)
Storage of Backup Media 514(1)
Testing Restoration 515(1)
Summary 515(1)
Test Your Skills 516(11)
Appendix A: Resources for Information Security Professionals 527(2)
Appendix B: Employee Information Security Policy Affirmation Agreement 529(10)
Glossary 539(6)
References 545(16)
Index 561