Kairab | A Practical Guide to Security Assessments | E-Book | sack.de
E-Book

E-Book, Englisch, 520 Seiten

Kairab A Practical Guide to Security Assessments


1. Auflage 2004
ISBN: 978-0-203-50723-0
Verlag: Taylor & Francis
Format: PDF
 Kopierschutz: Adobe DRM (»Systemvoraussetzungen)

E-Book, Englisch, 520 Seiten

ISBN: 978-0-203-50723-0
Verlag: Taylor & Francis
Format: PDF
 Kopierschutz: Adobe DRM (»Systemvoraussetzungen)

The modern dependence upon information technology and the corresponding information security regulations and requirements force companies to evaluate the security of their core business processes, mission critical data, and supporting IT environment. Combine this with a slowdown in IT spending resulting in justifications of every purchase, and security professionals are forced to scramble to find comprehensive and effective ways to assess their environment in order to discover and prioritize vulnerabilities, and to develop cost-effective solutions that show benefit to the business.

A Practical Guide to Security Assessments is a process-focused approach that presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and how security measures are aligned with business risks. The guide also emphasizes that resulting security recommendations should be cost-effective and commensurate with the security risk. The methodology described serves as a foundation for building and maintaining an information security program.

In addition to the methodology, the book includes an Appendix that contains questionnaires that can be modified and used to conduct security assessments.

This guide is for security professionals who can immediately apply the methodology on the job, and also benefits management who can use the methodology to better understand information security and identify areas for improvement.

Kairab A Practical Guide to Security Assessments jetzt bestellen!

Zielgruppe

internal information security professionals; security consultants, IT auditors, infosec management, IT management with security responsibility

Autoren/Hrsg.

Kairab, Sudhanshu

Fachgebiete

Weitere Infos & Material

INTRODUCTION

EVOLUTION OF INFORMATION SECURITY
Distributed Systems
Business-to-Business (B2B) Relationships
Remote Access
Enterprise Resource Planning (ERP)
Information Security Today
Why Protect Information Assets
Growing Role of Internal Audit
Security Standards
Organizational Impacts
Security Certifications
Trends in Information Security

INFORMATION SECURITY PROGRAM AND HOW SECURITY ASSESSMENTS FIT IN
What is an Information Security Program
How Does a Security Assessment Fit In
Why Conduct a Security Assessment
Security Assessment Process
Executive Summary

PLANNING
Define Scope
Staffing
Kickoff Meeting
Develop Project Plan
Set Client Expectations
Executive Summary

INITIAL INFORMATION GATHERING
Gather Publicly Available Information
Gather Information from the Client
Analyze Gathered Information
Prepare Initial Question Sets
Develop and Document Template for Final Report
Executive Summary

BUSINESS PROCESS EVALUATION
General Review of Company and Key Business Processes
Finalize Question Sets for Process Reviews
Meet with Business Process Owners
Analyze Information Collected and Document Findings
Status Meeting with Client
Potential Concerns During This Phase
Executive Summary
TECHNOLOGY EVALUATION
General Review of Technology and Related Documentation
Develop Question Sets for Technology Reviews
Meet with Technology Owners and Conduct Detail Testing
Analyze Information Collected and Document Findings
Status Meeting with Client
Potential Concerns During this Phase
Executive Summary

RISK ANALYSIS AND FINAL PRESENTATION
Risk Analysis
Risk Score Calculation
Document Risks and Develop Recommendations for Draft Report
Discuss Draft Report with Client
Present Final Report to Management
Potential Concerns During this Phase
Executive Summary

INFORMATION SECURITY STANDARDS
International Standards Organization 17799 (ISO 17799)
Common Criteria (CC)
COBIT (Control Objectives for Information (Related) Technology)
ITIL (IT Infrastructure Library) Security Management
SAS (Statement on Auditing Standards) 70
AICPA SysTrust
AICPA WebTrust
RFC 2196 - Site Security Handbook
SANS (SysAdmin, Audit, Network, Security) / FBI Top 20 List
Vendor Best Practices

INFORMATION SECURITY LEGISLATION
Relevance to Security Assessments
HIPAA (Health Insurance Portability and Accountability Act)
GLB Act (Gramm-Leach-Bliley Act)
Sarbanes - Oxley Act
21 CFR Part 11
Safe Harbor
Federal Information Security Management Act
Other Legislative Action

APPENDIX - SECURITY QUESTIONNAIRES/ CHECKLISTS
Questionnaire Structure
Preliminary Checklist to Gather Information
Generic Questionnaire for Business Process Owners
Data Classification
Data Retention
Backup and Recovery
Externally Hosted Services
Physical Security
Employee Termination
Incident Handling
Business to Business (B2B)
Business to Consumer (B2C)
Change Management
User ID Administration
Managed Security
Media Handling
HIPAA Security

Ihre Fragen, Wünsche oder Anmerkungen
Vorname*
Nachname*
Ihre E-Mail-Adresse*
Kundennr.
Ihre Nachricht*
Lediglich mit * gekennzeichnete Felder sind Pflichtfelder.
Wenn Sie die im Kontaktformular eingegebenen Daten durch Klick auf den nachfolgenden Button übersenden, erklären Sie sich damit einverstanden, dass wir Ihr Angaben für die Beantwortung Ihrer Anfrage verwenden. Selbstverständlich werden Ihre Daten vertraulich behandelt und nicht an Dritte weitergegeben. Sie können der Verwendung Ihrer Daten jederzeit widersprechen. Das Datenhandling bei Sack Fachmedien erklären wir Ihnen in unserer Datenschutzerklärung.