
Security Assessment

  • ISBN13: 9781932266962
  • ISBN10: 1932266968
  • Format: Paperback
  • Copyright: 1/29/2004
  • Publisher: Elsevier Science

Summary

The National Security Agency's INFOSEC Assessment Methodology (IAM) provides guidelines for analyzing how information is handled within an organization, looking at the systems that store, transfer, and process that information. It also analyzes the impact to the organization if the integrity, confidentiality, or availability of that information is lost. This book shows how to conduct a complete security assessment based on the NSA's guidelines, and focuses on providing a detailed organizational information technology security assessment using case studies. The methodology used for the assessment is the NSA's INFOSEC Assessment Methodology (IAM). Examples deal with issues related to military organizations, medical organizations, and critical infrastructure (power generation, etc.). The book is intended to provide an educational and entertaining analysis of an organization, showing the steps of the assessment and the challenges faced during it. It also provides examples, sample templates, and sample deliverables that readers can take with them to be better prepared and to make the methodology easier to implement.

Everything You Need to Know to Conduct a Security Audit of Your Organization

Step-by-Step Instructions for Implementing the National Security Agency's Guidelines

Special Case Studies Provide Examples in Healthcare, Education, Infrastructure, and More

Table of Contents

Introduction xxv
Chapter 1 Laying the Foundation for Your Assessment 1(44)
Introduction 2(1)
Determining Contract Requirements 3(17)
What Does the Customer Expect? 4(16)
Customer Definition of an Assessment 11(5)
Sources for Assessment Work
Contract Composition
What Does the Work Call For?
What Are the Timelines? 16(2)
Understand the Pricing Options 18(2)
Understanding Scoping Pitfalls 20(7)
Common Areas of Concern 21(6)
Customer Concerns 21(1)
Customer Constraints 21(1)
"Scope Creep" and Timelines 22(1)
Uneducated Salespeople 23(1)
Bad Assumptions 24(1)
Poorly Written Contracts 25(2)
Staffing Your Project 27(3)
Job Requirements 27(3)
Networking and Operating Systems 27(1)
Hardware Knowledge 28(1)
Picking the Right People 28(2)
Adequately Understanding Customer Expectations 30(6)
The Power of Expectations 30(1)
What Does the Customer Expect for Delivery? 30(1)
Adjusting Customer Expectations 30(1)
Educating the Customer 31(1)
Helping the Customer Understand the Level of Effort 31(1)
Explaining Timeline Requirements 31(1)
Understand the Commitment 32(15)
Project Leadership 32(1)
Constant Communication with the Customer 32(1)
Constant Communication with Team Members 33(1)
Timeliness of the Effort 34(1)
Long Nights, Impossible Odds 35(1)
Initial Resistance Fades to Cooperation 35(1)
Case Study: Scoping Effort for the Organization for Optimal Power Supply 36(3)
Summary 39(1)
Best Practices Checklist 40(2)
Frequently Asked Questions 42(3)
Chapter 2 The Pre-Assessment Visit 45(36)
Introduction 46(1)
Preparing for the Pre-Assessment Visit 47(6)
Questions You Should Ask 48(4)
Determining the Network Environment of the Assessment Site 48(2)
Determining the Security Controls of the Assessment Site 50(1)
Understanding Industry Concerns for the Assessment Site 50(2)
Scheduling 52(1)
Understanding Special Considerations 53(28)
Managing Customer Expectations 53(7)
Defining the Differences Between Assessment and Audit 54(2)
Results, Solutions, and Reporting 56(1)
Interference on Ops 57(1)
Impact on Organization Security 58(2)
Defining Roles and Responsibilities 60(5)
Who Is the Decision Maker? 61(1)
Who Is the Main Customer POC? 61(1)
Who Is the Assessment Team Leader? 62(1)
Suggestions for the Assessment Team 63(1)
Possible Members of the Customer Team 63(2)
Planning for the Assessment Activities 65(6)
Developing Mission Identification 66(1)
Understanding Industry Differences 67(1)
Relating the Mission to Pre-Assessment Site Visit Products 68(1)
Defining Goals and Objectives 69(1)
Understanding the Effort: Setting the Scope 69(1)
Information Request 69(1)
Coordinate 70(1)
Establish Team Needs for Remaining Assessment 70(1)
Industry and Technical Considerations 70(1)
Case Study: The Bureau of Overt Redundancy 71(4)
The Organization 71(4)
Summary 75(1)
Best Practices Checklist 76(1)
Frequently Asked Questions 77(4)
Chapter 3 Determining the Organization's Information Criticality 81(38)
Introduction 82(4)
Identifying Critical Information Topics 86(7)
Associating Information Types with the Mission 90(3)
Common Issues in Defining Types 91(1)
Common Mistakes in Defining Types 92(1)
Identifying Impact Attributes 93(6)
Common Impact Attributes 95(2)
Confidentiality 96(1)
Integrity 96(1)
Availability 96(1)
Additional Impact Attributes 97(2)
Based on Regulatory or Legal Requirements 97(1)
Personal Preference 98(1)
Recommendation of a Colleague 99(1)
Creating Impact Attribute Definitions 99(9)
Understanding the Impact to the Organization 99(1)
Can We Live Without This Information? 100(1)
Example Impact Definitions 100(4)
High, Medium, and Low 100(3)
Numbered Scales 103(1)
Creating the Organizational Information Criticality Matrix 104(4)
Prioritizing Impact Based on Your Definitions 105(2)
The Customer Perception of the Matrix 107(1)
Case Study: Organizational Criticality at TOOT 108(5)
TOOT Information Criticality Topics 109(1)
Identifying Impact Attributes 110(1)
Creating Impact Definitions 110(1)
Creating the Matrix 111(2)
Summary 113(2)
Best Practices Checklist 115(1)
Frequently Asked Questions 116(3)
Chapter 4 System Information Criticality 119(32)
Introduction 120(1)
Stepping into System Criticality 121(2)
Defining High-Level Security Goals 123(7)
Locating Additional Sources of Requirements 126(2)
Determining System Boundaries 128(1)
Physical Boundaries 128(1)
Logical Boundaries 128(2)
Defining the Systems 130(4)
What Makes a System Critical? 132(1)
Breaking the Network into Systems 133(1)
What Makes Sense? 134(1)
Creating the System Criticality Matrix 134(6)
The Relationship Between OICM and SCM 135(5)
Refining Impact Definitions 136(1)
A Matrix for Each System 137(1)
Unexpected Changes 138(2)
Case Study: Creating the SCM for TOOT 140(5)
Locating System Boundaries 140(1)
Completing the System Criticality Matrix 141(4)
Summary 145(2)
Best Practices Checklist 147(2)
Frequently Asked Questions 149(2)
Chapter 5 The System Security Environment 151(32)
Introduction 152(2)
Understanding the Cultural and Security Environment 154(5)
The Importance of Organizational Culture 154(2)
Adequately Identifying the Security Environment 156(3)
Defining the Boundaries 159(3)
Physical Boundaries 160(1)
Logical Boundaries 161(1)
Never the Twain Shall Meet-Or Should They? 162(1)
Identifying the Customer Constraints and Concerns 162(5)
Defining Customer Constraints 163(3)
Types of Operational Constraints 163(1)
Types of Resource Constraints 164(1)
Environmental Constraints 164(1)
Architectural Constraints 165(1)
Determining Customer Concerns 166(1)
Why Are You There in the First Place? 166(1)
Specific Criteria to Assess 166(1)
Handling the Documentation Identification and Collection 167(7)
What Documentation Is Necessary? 169(2)
Policy 169(1)
Guidelines/Requirements 169(1)
Plans 170(1)
Standard Operating Procedures 170(1)
User Documentation 170(1)
Obtaining the Documentation 171(1)
Use the Customer Team Member 171(1)
Tracking the Documents 171(1)
Determining Documentation Location 172(1)
What If No Documentation Exists? 172(12)
Ad Hoc Security 173(1)
Case Study: Higher Education 174(5)
Summary 179(1)
Best Practices Checklist 179(2)
Frequently Asked Questions 181(2)
Chapter 6 Understanding the Technical Assessment Plan 183(36)
Introduction 184(1)
Understanding the Purpose of the Technical Assessment Plan 184(6)
The TAP: A Plan of Action 187(1)
The TAP: A Controlled and Living Document 187(1)
Linking the Plan to Contract Controls 188(2)
Understanding the Format of the TAP 190(10)
Point of Contact 191(1)
Mission 192(1)
Organizational Information Criticality 193(1)
System Information Criticality 194(1)
Customer Concerns and Constraints 195(1)
System Configuration 196(1)
Interviews 197(1)
Documents 198(2)
Timeline of Events 200(1)
Customizing and Modifying the TAP to Suit the Job at Hand 200(2)
Modifying the Nine NSA-Defined Areas 201(1)
Level of Detail 201(1)
Format 202(1)
Case Study: The Bureau of Overt Redundancy 202(13)
The BOR TAP 202(18)
Contact Information 203(1)
Mission 204(2)
Organization Information Criticality 206(2)
System Information Criticality 208(1)
Concerns and Constraints 209(1)
System Configuration 209(1)
The Interview List 210(1)
Documentation 211(2)
Events Timeline 213(2)
Summary 215(1)
Best Practices Checklist 216(1)
Frequently Asked Questions 217(2)
Chapter 7 Customer Activities 219(50)
Introduction 220(1)
Preparing for the Onsite Phase 220(6)
Assessment Team Preparation 221(3)
Administrative Planning 222(1)
Technical Planning 223(1)
Customer Preparation 224(2)
Scheduling 225(1)
Communication 225(1)
Setting the Onsite Tone 226(6)
Understanding the Opening Meeting (The Inbriefing) 227(1)
Conducting the Opening Meeting 228(1)
Meeting Format 228(1)
Information to Take Away 228(1)
Establishing and Maintaining the Onsite Expectations 229(1)
Understanding the Process 229(1)
Understanding the Results 230(1)
Keeping the Customer Involved 230(2)
Continued Customer Education 230(1)
Information Exchange 231(1)
NSA IAM Baseline INFOSEC Classes and Categories 232(14)
Management Aspects 233(3)
INFOSEC Documentation 234(1)
INFOSEC Roles and Responsibilities 234(1)
Contingency Planning 235(1)
Configuration Management 236(1)
Technical Aspects 236(7)
Identification and Authentication 237(1)
Account Management 238(1)
Session Controls 239(1)
Auditing 240(1)
Malicious Code Protection 240(1)
Maintenance 241(1)
System Assurance 241(1)
Networking/Connectivity 242(1)
Communications Security 243(1)
Operational Aspects 243(3)
Media Controls 243(1)
Labeling 244(1)
Physical Environment 244(1)
Personnel Security 245(1)
Education, Training, and Awareness 245(1)
The Fine Art of the Interview 246(8)
Interview Characteristics 246(3)
Whom Do I Interview? 247(1)
Interview Scheduling 248(1)
Interview Environment 248(1)
Attributes of a Successful Interviewer 249(5)
Breaking the Barriers 249(3)
Gaining Needed Information 252(2)
Case Study: Interviews With University Staff 254(10)
The Management Interview 258(2)
The Technical Interview 260(11)
Group Interview with Computer Science Systems Administrators 260(2)
Individual Interview with Marcia 262(2)
Summary 264(1)
Best Practices Checklist 265(1)
Frequently Asked Questions 266(3)
Chapter 8 Managing the Findings 269(40)
Introduction 270(1)
Demonstration Versus Evaluation 271(5)
What Are System Demonstrations? 271(2)
The Good and the Bad 272(1)
What Are System Evaluations? 273(3)
Manual Checks 274(1)
Tailored Scripts 274(1)
Tools 274(2)
Findings and Dependencies 276(2)
When Is a Finding Considered Dependent? 277(1)
Is It Good or Bad? Does It Matter? 278(1)
Mapping Findings to Requirements and Constraints 278(3)
Justification 279(2)
Mapping Requirements 280(1)
Creating Recommendation Road Maps 281(3)
Cost Effectiveness 281(1)
Applicability 281(1)
Importance 282(1)
Users 282(1)
Options for Increasing the Security Posture 282(2)
The Yugo Implementation 283(1)
The Ford Solution 284(1)
The Cadillac Solution 284(1)
Case Study: Medical Management 284(21)
System Description 286(1)
Information Criticality 286(1)
Summary of Findings 287(23)
Excerpt of Findings 288(10)
Recommendation Road Map 298(7)
Summary 305(1)
Best Practices Checklist 305(2)
Frequently Asked Questions 307(2)
Chapter 9 Leaving No Surprises 309(24)
Introduction 310(1)
Determining the Audience for the Closeout Meeting 310(2)
Who Is Your Audience? 311(1)
Who Should Attend? 311(1)
Organizing the Closeout Meeting 312(2)
Determining Time and Location 312(1)
Time of Meeting 313(1)
Day of Week 313(1)
Meeting Room 313(1)
Determining Supply List for the Closeout Meeting 313(1)
Other Concerns about the Meeting 314(1)
Understanding the Meeting Agenda 314(8)
Review of the Assessment Plan 315(4)
Review of Organization Information Criticality 315(1)
Systems Information Criticality 316(2)
Customer Concerns and Constraints 318(1)
Reviewing Goals, Purpose, and Scope 319(1)
Reviewing the Critical Vulnerabilities 319(2)
Findings 320(1)
Discussion 320(1)
Recommendation(s) 321(1)
Reviewing the Process and Looking Forward 321(1)
Who Was Involved? 321(1)
What Has Been Done? 321(1)
How Much Time Did It Take? 322(1)
What Happens Next? 322(1)
Who Should Be Involved? 322(1)
What Can the Customer Expect in the Final Report? 322(1)
We Came, We Saw, Now What? 322(2)
What Happens Next? 323(1)
Who Needs to Be Involved? 323(1)
How Things Progress from Here 323(1)
When Can the Client Expect a Finished Product? 323(1)
Case Study: Software Creation and Solutions Inc. (SCS) 324(5)
Summary 329(1)
Best Practices Checklist 329(2)
Frequently Asked Questions 331(2)
Chapter 10 Final Reporting 333(34)
Introduction 334(1)
Preparing for Analysis 334(2)
Consolidating and Correlating Assessment Information 334(2)
Assessment Team Meetings 335(1)
Assessment Team Writing Assignments 335(1)
Review of Assessment Information 336(1)
Understanding Findings (Doing the Analysis) 336(9)
What Is Risk? 336(2)
Analysis Objectives 338(2)
Verify Perceived Vulnerabilities 338(1)
Identify Additional Vulnerabilities 339(1)
New Critical Findings 339(1)
Previously Identified Critical Findings 340(1)
Communicating with the Customer 340(1)
Determine the Customer's Security Posture 340(5)
Environmental Threats 341(1)
Human Threats 341(1)
Vulnerability Classification 342(1)
Positive Findings 342(1)
Negative Findings 342(2)
Multiple Recommendations for Each Finding 344(1)
Creating and Formatting the Final Report 345(10)
Executive Summary 346(1)
Executive Summary Content 346(1)
Introduction 347(2)
Customer and Assessment Company Information 348(1)
Assessment Process Description 348(1)
Purpose of the Assessment 349(1)
System Description 349(2)
The Customer's Mission Is Important 349(1)
Information Criticality 349(1)
System Criticality 350(1)
Actual System Description 350(1)
A Picture Is Worth a Thousand Words 350(1)
INFOSEC Analysis 351(2)
Topic Areas 351(1)
Identifying the Findings 352(1)
Discussion of the Findings 352(1)
Recommendations for Improving Security Posture 352(1)
Conclusion 353(1)
Delivering the Final Report 354(1)
Cover Letter 354(1)
Attach the Assessment Plan 354(1)
Customer Acknowledgment 355(1)
Case Study: Analyzing Findings for Important Internet Services Provided, Inc. 355(8)
Executive Summary 356(1)
Organizational Assessment Findings Summary 356(1)
INFOSEC Analysis 357(4)
Organizational Assessment Findings 357(1)
High-Severity Findings 358(2)
Medium-Severity Findings 360(1)
Conclusion 361(1)
Results 362(1)
Summary 363(1)
Best Practices Checklist 364(1)
Frequently Asked Questions 365(2)
Chapter 11 Tying Up Loose Ends 367(34)
Introduction 368(1)
Examining Document Retention 368(18)
Public Domain Documentation 369(1)
Customer Documentation 370(1)
Documentation Generated by the Assessment Team 370(2)
Controlling What Is Retained 372(5)
Contract Concerns 373(2)
Liability Concerns 375(1)
Other Retention Concerns 376(1)
Performing Customer Followup 377(7)
Understanding the Followup Process 380(1)
Showing Adequate Concern 380(1)
Utilizing Multiple Means for Followup 383(1)
Asking the Right Questions 383(1)
Designating Responsibility for Following Up 384(1)
Tracking the Followup Process 385(1)
Evaluating Lessons Learned 386(16)
Understanding the Value of Lessons Learned 387(1)
Why Are Lessons Learned So Important? 387(1)
Identifying Lessons Learned 388(2)
What Have We Learned Here? 388(2)
Utilizing Lessons Learned 390(3)
Integrating Lessons Learned into the Business Process 390(2)
Making It Repeatable 392(1)
Case Study: The University of Science 393(3)
Understanding the Requirements 393(1)
What Should We Keep? 393(1)
What Should We Destroy? 394(1)
Designating a Followup POC 394(1)
What Have We Learned? 395(1)
Summary 396(1)
Best Practices Checklist 397(1)
Frequently Asked Questions 398(3)
Appendix A Forms, Worksheets, and Templates 401(16)
IAM Pre-Assessment Site Visit Checklist 402(2)
IAM Planning Survey 404(4)
Types of Documents That Require Tracking 408(3)
Policy Documents 408(1)
Guideline/Requirements Documents 409(1)
System Security Plan Documents 409(1)
User Documents 410(1)
Document-Tracking Templates 411(1)
Elements of the Technical Assessment Plan 412(5)
The Interview List 413(1)
The Assessment Timeline 414(3)
Index 417
