Index
Title Page
Copyright
Information Security Handbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
Information and Data Security Fundamentals
Information security challenges
Evolution of cybercrime
The modern role of information security
IT security engineering
Information assurance
The CIA triad
Organizational information security assessment
Risk management
Information security standards
Policies
Training
Key components of an effective training and awareness program
Summary
Defining the Threat Landscape
What is important to your organization and who wants it?
Compliance
Hackers and hacking
Black hat hacker
White hat or ethical hacker
Blue hat hacker
Grey hat hacker
Penetration testing
Hacktivist
Script kiddie
Nation state
Cybercrime
Methods used by the attacker
Exploits
Hacker techniques
Methods of conducting training and awareness
Closing information system vulnerabilities
Vulnerability management
The case for vulnerability management
Summary
Preparing for Information and Data Security
Establishing an information security program
Don't start from scratch, use a framework
Security program success factors
Executive or board support
Supporting the organization's mission
Rightsizing information security for the organization
Security awareness and training program
Information security built into SDLC
Information security program maturity
Information security policies
Information security program policy
Operational policy
System-specific policy
Standards
Procedures
Guidelines
Recommended operational policies
Planning policy
Access control policy
Awareness and training policy
Auditing and accountability policy
Configuration management policy
Contingency planning policy
Identification and authentication policy
Incident response policy
Maintenance policy
Media protection policy
Personnel security policy
Physical and environmental protection policy
Risk assessment policy
Security assessment policy
System and communications protection policy
System and information integrity policy
Systems and services acquisitions policy
Summary
Information Security Risk Management
What is risk?
Who owns organizational risk?
Risk ownership
What is risk management?
Where is your valuable data?
What does my organization have that is worth protecting?
Intellectual property trade secrets
Personally Identifiable Information – PII
Personal Health Information – PHI
General questions
Performing a quick risk assessment
Risk management is an organization-wide activity
Business operations
IT operations
Personnel
External organization
Risk management life cycle
Information categorization
Data classification looks to understand
Data classification steps
Determining information assets
Finding information in the environment
Disaster recovery considerations
Backup storage considerations
Types of storage options
Questions you should ask your business users regarding their information's location
Questions you should ask your IT organization regarding the information's location
Organizing information into categories
Examples of information type categories
Publicly available information
Credit card information
Trade secrets
Valuing the information and establishing impact
Valuing information
Establishing impact
Security control selection
Information security frameworks
Security control implementation
Assessing implemented security controls
Authorizing information systems to operate
Monitoring information system security controls
Calculating risk
Qualitative risk analysis
Identifying your organization's threats
Identifying your organization's vulnerabilities
Pairing threats with vulnerabilities
Estimating likelihood
Estimating impact
Conducting the risk assessment
Management choices when it comes to risk
Quantitative analysis
Qualitative risk assessment example
Summary
Developing Your Information and Data Security Plan
Determine your information security program objectives
Example information security program activities
Elements for a successful information security program
Analysis to rightsizing your information security program
Compliance requirements
Is your organization centralized or decentralized?
Centralized
Decentralized
What is your organization's business risk appetite?
How mature is your organization?
Helping to guarantee success
Business alignment
Information security is a business project, not an IT project
Organizational change management
Key information security program plan elements
Develop your information security program strategy
Establish key initiatives
Define roles and responsibilities
Defining enforcement authority
Pulling it all together
Summary
Continuous Testing and Monitoring
Types of technical testing
SDLC considerations for testing
Project initiation
Requirements analysis
System design
System implementation
System testing
Operations and maintenance
Disposition
SDLC summary
Continuous monitoring
Information security assessment automation
Effective reporting of information security status
Alerting of information security weakness
Vulnerability assessment
Business relationship with vulnerability assessment
Vulnerability scanning
Vulnerability scanning process
Vulnerability resolution
Penetration testing
Phases of a penetration test
Difference between vulnerability assessment and penetration testing
Examples of successful attacks in the news
Point of sale system attacks
Cloud-based misconfigurations
Summary
Business Continuity/Disaster Recovery Planning
Scope of BCDR plan
Business continuity planning
Disaster recovery planning
Focus areas for BCDR planning
Management
Operational
Technical
Designing the BCDR plan
Requirements and context gathering – business impact assessment
Inputs to the BIA
Outputs from the BIA
Sample BIA form
Define technical disaster recovery mechanisms
Identify and document required resources
Conduct a gap analysis
Develop disaster recovery mechanisms
Develop your plan
Develop recovery teams
Establish relocation plans
Develop detailed recovery procedures
Test the BCDR plan
Summary
Incident Response Planning
Do I need an incident response plan?
Components of an incident response plan
Preparing the incident response plan
Understanding what is important
Prioritizing the incident response plan
Determining what normal looks like
Observe, orient, decide, and act – OODA
Incident response procedure development
Identification – detection and analysis
Identification – incident response tools
Observational (OODA) technical tools
Orientation (OODA) tools
Decision (OODA) tools
Remediation – containment/recovery/mitigation
Remediation – incident response tools
Act (Response) (OODA) tools
Post incident activity
Lessons-learned sessions
Incident response plan testing
Summary
Developing a Security Operations Center
Responsibilities of the SOC
Management of security operations center tools
Security operation center toolset design
Using already implemented toolsets
Security operations center roles
Log or information aggregation
Log or information analysis
Processes and procedures
Identification – detection and analysis
Events versus alerts versus incidents
False positive versus false negative/true positive versus true negative
Remediation – containment/eradication/recovery
Security operations center tools
Security operations center advantages
MSSP advantages
Summary
Developing an Information Security Architecture Program
Information security architecture and SDLC/SELC
Conducting an initial information security analysis
Purpose and description of the information system
Determining compliance requirements
Compliance standards
Documenting key information system and project roles
Project roles
Information system roles
Defining the expected user types
Documenting interface requirements
Documenting external information systems access
Conducting a business impact assessment
Inputs to the BIA
Conducting an information categorization
Developing a security architecture advisement program
Partnering with your business stakeholders
Information security architecture process
Example information security architecture process
Summary
Cloud Security Consideration
Cloud computing characteristics
Cloud computing service models
Infrastructure as a Service – IaaS
Platform as a Service – PaaS
Software as a Service – SaaS
Cloud computing deployment models
Public cloud
Private cloud
Community cloud
Hybrid cloud
Cloud computing management models
Managed service provider
Cloud service provider
Cloud computing special consideration
Cloud computing data security
Data location
Data access
Storage considerations
Storage types
Storage threats
Storage threat mitigations
Managing identification, authentication, and authorization in the cloud computing environment
Identification considerations
Authentication considerations
Authorization considerations
Integrating cloud services with the security operations center
Cloud access security brokers
Special business considerations
Summary
Information and Data Security Best Practices
Information security best practices
User accounts
Limit administrator accounts
Using a normal user account where possible
Least privilege/role separation
Password security
Least functionality
Updates and patches
Secure configurations
Step 1: Developing a policy that enforces secure configuration baselines
Step 2: Developing secure configuration baselines
Step 3: Integrating secure configuration baselines into the SDLC
Step 4: Enforcing secure configuration baselines through automated testing and remediation
Application security
Conducting a web application inventory
Least privileges
Cookie security
Web application firewalls
Implementing a secure coding awareness program
Network security
Remote access
Wireless
Mobile devices
Summary