| Section | Title | Page |
|---|---|---|
| | Preface | xiii |
| | Acknowledgments | xvii |
| 1 | The need for a proactive approach | 1 |
| 1.1 | Introduction | 1 |
| 1.2 | The reality of the modern enterprise | 3 |
| 1.3 | Evolution of organizational structures | 4 |
| 1.4 | Evolution of technical infrastructure | 5 |
| 1.5 | Limitations of policy-driven decision making | 7 |
| 1.6 | Education and awareness | 9 |
| 1.6.1 | Management awareness | 9 |
| 1.6.2 | The technology trap | 10 |
| 1.6.3 | Awareness of end users | 10 |
| 1.7 | Operational issues | 11 |
| 1.7.1 | Complexity | 11 |
| 1.7.2 | Scalability | 13 |
| 1.8 | New challenges | 14 |
| 1.8.1 | Trust | 14 |
| 1.8.2 | Privacy | 16 |
| 1.9 | Introducing The (not so) Secure Bank | 17 |
| 1.10 | Summary | 19 |
| | References | 20 |
| 2 | Management techniques | 23 |
| 2.1 | Knowledge and experience | 23 |
| 2.2 | Information relating to security incidents and vulnerabilities | 25 |
| 2.3 | Risk analysis and risk management | 27 |
| 2.4 | Strategy and planning | 30 |
| 2.5 | Policy and standards | 32 |
| 2.6 | Processes and procedures | 34 |
| 2.7 | Methodologies and frameworks | 36 |
| 2.8 | Awareness and training | 38 |
| 2.9 | Audits | 40 |
| 2.10 | Contracts | 41 |
| 2.11 | Outsourcing | 42 |
| 2.12 | Summary | 43 |
| | References | 44 |
| 3 | Technical tools | 47 |
| 3.1 | Overview | 47 |
| 3.2 | Classification of security tools | 48 |
| 3.3 | Host-oriented tools | 49 |
| 3.3.1 | Security layers | 49 |
| 3.3.2 | The native operating system security subsystem | 50 |
| 3.3.3 | Authentication and authorization | 51 |
| 3.3.4 | System integrity | 52 |
| 3.3.5 | System access control | 56 |
| 3.3.6 | System security monitoring | 58 |
| 3.3.7 | Data confidentiality and integrity | 60 |
| 3.4 | Network-oriented tools | 62 |
| 3.4.1 | Network authentication and authorization | 62 |
| 3.4.2 | Network integrity | 65 |
| 3.4.3 | Network access control | 68 |
| 3.4.4 | Network security monitoring | 71 |
| 3.4.5 | Data confidentiality and integrity | 72 |
| 3.5 | Supporting infrastructure | 74 |
| 3.5.1 | PKI | 74 |
| 3.5.2 | Smart cards and cryptographic modules | 76 |
| 3.5.3 | Authentication devices | 79 |
| 3.6 | Summary | 80 |
| | References | 81 |
| 4 | A proactive approach: Overview | 85 |
| 4.1 | Introduction | 85 |
| 4.2 | The consolidation period and strategic-planning cycles | 86 |
| 4.3 | Deciding on a personal strategy | 87 |
| 4.4 | The consolidation period | 89 |
| 4.4.1 | Planning | 89 |
| 4.4.2 | Establishing contact with stakeholders | 90 |
| 4.4.3 | Identifying major issues | 91 |
| 4.4.4 | Classifying issues | 92 |
| 4.4.5 | Implementing short-term solutions | 95 |
| 4.4.6 | Identifying quick wins | 98 |
| 4.4.7 | Implementing initial management-control mechanisms | 99 |
| 4.5 | The strategic-planning cycle | 100 |
| 4.5.1 | Overview | 100 |
| 4.5.2 | Definition of a strategy | 101 |
| 4.5.3 | Production of a strategic plan | 102 |
| 4.5.4 | Execution of the strategic plan | 102 |
| 4.5.5 | Monitoring for further improvement | 104 |
| 4.6 | The core deliverables | 105 |
| 4.7 | Summary | 106 |
| | References | 107 |
| 5 | The information-security strategy | 109 |
| 5.1 | The need for a strategy | 109 |
| 5.2 | Planning | 110 |
| 5.3 | Analysis of the current situation | 111 |
| 5.4 | Identification of business strategy requirements | 114 |
| 5.5 | Identification of legal and regulatory requirements | 117 |
| 5.6 | Identification of requirements due to external trends | 119 |
| 5.7 | Definition of the target situation | 122 |
| 5.8 | Definition and prioritization of strategic initiatives | 123 |
| 5.9 | Distribution of the draft strategy | 126 |
| 5.10 | Agreement and publication of final strategy | 127 |
| 5.11 | Summary | 128 |
| | References | 129 |
| 6 | Policy and standards | 131 |
| 6.1 | Some introductory remarks on documentation | 131 |
| 6.2 | Designing the documentation set | 132 |
| 6.3 | Policy | 135 |
| 6.3.1 | The purpose of policy statements | 135 |
| 6.3.2 | Identifying required policy statements | 136 |
| 6.3.3 | Design and implementation | 137 |
| 6.3.4 | The Secure Bank: Policy statements | 139 |
| 6.4 | Establishing a control framework | 140 |
| 6.5 | Standards | 143 |
| 6.5.1 | Types of standards | 143 |
| 6.5.2 | External standards | 144 |
| 6.5.3 | Internal standards | 147 |
| 6.5.4 | Agreement and distribution of standards | 148 |
| 6.6 | Guidelines and working papers | 150 |
| 6.7 | Summary | 150 |
| | References | 151 |
| 7 | Process design and implementation | 155 |
| 7.1 | Requirements for stable processes | 155 |
| 7.2 | Why processes fail to deliver | 156 |
| 7.2.1 | Productivity issues | 156 |
| 7.2.2 | Adaptability issues | 157 |
| 7.2.3 | Acceptance issues | 158 |
| 7.3 | Process improvement | 159 |
| 7.3.1 | Methods for process improvement | 159 |
| 7.3.2 | Improving productivity | 161 |
| 7.3.3 | Improving adaptability | 165 |
| 7.3.4 | Improving acceptance | 166 |
| 7.4 | The Secure Bank: Improving the authorization and access-control procedure | 168 |
| 7.4.1 | Planning | 168 |
| 7.4.2 | The current process | 168 |
| 7.4.3 | Identifying the target situation | 171 |
| 7.4.4 | Planning incremental improvements | 172 |
| 7.4.5 | Implementing improvements | 174 |
| 7.5 | Continuous improvement | 176 |
| 7.6 | Summary | 177 |
| | References | 178 |
| 8 | Building an IT security architecture | 181 |
| 8.1 | Evolution of enterprise IT infrastructure | 181 |
| 8.2 | Problems associated with system-focused approaches | 182 |
| 8.3 | A three-phased approach | 184 |
| 8.4 | The design phase | 185 |
| 8.4.1 | Planning | 185 |
| 8.4.2 | Agreeing on basic design principles | 186 |
| 8.4.3 | Modeling the IT infrastructure | 187 |
| 8.4.4 | Risk analysis | 192 |
| 8.4.5 | Identifying logical components | 194 |
| 8.4.6 | Obtaining signoff of the concept | 198 |
| 8.5 | The implementation phase | 198 |
| 8.5.1 | Planning considerations | 198 |
| 8.5.2 | Production of a phased implementation plan | 200 |
| 8.5.3 | Preparing proposals | 202 |
| 8.5.4 | Selection of commercial packages | 203 |
| 8.5.5 | Testing and integration | 205 |
| 8.5.6 | SLAs and support contracts | 206 |
| 8.5.7 | Technical training | 208 |
| 8.6 | Administration and maintenance phase | 208 |
| 8.6.1 | Routine administration and maintenance | 209 |
| 8.6.2 | Managing vulnerabilities | 209 |
| 8.6.3 | Managing incidents | 210 |
| 8.6.4 | Managing risk using risk indicators | 212 |
| 8.7 | Summary | 213 |
| | References | 213 |
| 9 | Creating a security-minded culture | 215 |
| 9.1 | Introduction | 215 |
| 9.2 | Techniques for introducing cultural change | 217 |
| 9.3 | Internal marketing and sales | 219 |
| 9.4 | Support and feedback | 221 |
| 9.5 | Security-awareness training | 222 |
| 9.5.1 | The security-awareness program | 222 |
| 9.5.2 | Planning considerations | 223 |
| 9.5.3 | Defining the objectives | 224 |
| 9.5.4 | Identifying the audience | 224 |
| 9.5.5 | Identifying the message | 227 |
| 9.5.6 | Developing the material | 228 |
| 9.5.7 | Defining tracking and follow-up procedures | 231 |
| 9.5.8 | Delivering the pilot phase | 231 |
| 9.6 | Security skills training | 232 |
| 9.6.1 | General remarks | 232 |
| 9.6.2 | The information-security team | 233 |
| 9.6.3 | Other staff | 236 |
| 9.7 | Involvement initiatives | 237 |
| 9.8 | Summary | 238 |
| | References | 239 |
| Appendix A | Fast risk analysis | 241 |
| A.1 | Introduction | 241 |
| A.2 | The method | 241 |
| A.3 | A worked example | 243 |
| A.4 | Comments | 243 |
| | About the author | 249 |
| | Index | 251 |