
Information_Security_Fundamentals


DOCUMENT INFORMATION

Basic information

Format
Number of pages 262
File size 5.81 MB

Contents

Information_Security_Fundamentals

Information Security FUNDAMENTALS

Copyright 2005 by CRC Press, LLC. All Rights Reserved.

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Asset Protection and Security Management Handbook
  POA Publishing, ISBN: 0-8493-1603-0
Building a Global Information Assurance Program
  Raymond J. Curts and Douglas E. Campbell, ISBN: 0-8493-1368-6
Building an Information Security Awareness Program
  Mark B. Desman, ISBN: 0-8493-0116-5
Critical Incident Management
  Alan B. Sterneckert, ISBN: 0-8493-0010-X
Cyber Crime Investigator's Field Guide
  Bruce Middleton, ISBN: 0-8493-1192-6
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
  Albert J. Marcella, Jr. and Robert S. Greenfield, ISBN: 0-8493-0955-7
The Ethical Hack: A Framework for Business Value Penetration Testing
  James S. Tiller, ISBN: 0-8493-1609-X
The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
  Susan Young and Dave Aitel, ISBN: 0-8493-0888-7
Information Security Architecture: An Integrated Approach to Security in the Organization
  Jan Killmeyer Tudor, ISBN: 0-8493-9988-2
Information Security Fundamentals
  Thomas R. Peltier, ISBN: 0-8493-1957-9
Information Security Management Handbook, 5th Edition
  Harold F. Tipton and Micki Krause, ISBN: 0-8493-1997-8
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
  Thomas R. Peltier, ISBN: 0-8493-1137-3
Information Security Risk Analysis
  Thomas R. Peltier, ISBN: 0-8493-0880-1
Information Technology Control and Audit
  Fredrick Gallegos, Daniel Manson, and Sandra Allen-Senft, ISBN: 0-8493-9994-7
Investigator's Guide to Steganography
  Gregory Kipper, ISBN: 0-8493-2433-5
Managing a Network Vulnerability Assessment
  Thomas Peltier, Justin Peltier, and John A. Blackley, ISBN: 0-8493-1270-1
Network Perimeter Security: Building Defense In-Depth
  Cliff Riggs, ISBN: 0-8493-1628-6
The Practical Guide to HIPAA Privacy and Security Compliance
  Kevin Beaver and Rebecca Herold, ISBN: 0-8493-1953-6
A Practical Guide to Security Engineering and Information Assurance
  Debra S. Herrmann, ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions
  Rebecca Herold, ISBN: 0-8493-1248-5
Public Key Infrastructure: Building Trusted Applications and Web Services
  John R. Vacca, ISBN: 0-8493-0822-4
Securing and Controlling Cisco Routers
  Peter T. Davis, ISBN: 0-8493-1290-6
Strategic Information Security
  John Wylder, ISBN: 0-8493-2041-0
Surviving Security: How to Integrate People, Process, and Technology, Second Edition
  Amanda Andress, ISBN: 0-8493-2042-9
A Technical Guide to IPSec Virtual Private Networks
  James S. Tiller, ISBN: 0-8493-0876-3
Using the Common Criteria for IT Security Evaluation
  Debra S. Herrmann, ISBN: 0-8493-1404-6

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: orders@crcpress.com

Information Security FUNDAMENTALS
Thomas R. Peltier
Justin Peltier
John Blackley

AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the CRC Press Web site at www.crcpress.com

© 2005 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-1957-9
Library of Congress Card Number 2004051024
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Library of Congress Cataloging-in-Publication Data
Peltier, Thomas R.
Information security fundamentals / Thomas R. Peltier, Justin Peltier, John Blackley.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1957-9 (alk. paper)
1. Computer security. 2. Data protection. I. Peltier, Justin. II. Blackley, John A. III. Title.
QA76.9.A25P427 2004
005.8—dc22 2004051024

Dedication

To our spouses, friends, children, and colleagues; without them we would be without direction, support, and joy.

Contents

Acknowledgments
Introduction

Chapter 1 Overview
  1.1 Elements of Information Protection
  1.2 More Than Just Computer Security
    1.2.1 Employee Mind-Set toward Controls
  1.3 Roles and Responsibilities
    1.3.1 Director, Design and Strategy
  1.4 Common Threats
  1.5 Policies and Procedures
  1.6 Risk Management
  1.7 Typical Information Protection Program
  1.8 Summary

Chapter 2 Threats to Information Security
  2.1 What Is Information Security?
  2.2 Common Threats
    2.2.1 Errors and Omissions
    2.2.2 Fraud and Theft
    2.2.3 Malicious Hackers
    2.2.4 Malicious Code
    2.2.5 Denial-of-Service Attacks
    2.2.6 Social Engineering
    2.2.7 Common Types of Social Engineering
  2.3 Summary

Chapter 3 The Structure of an Information Security Program
  3.1 Overview
    3.1.1 Enterprisewide Security Program
  3.2 Business Unit Responsibilities
    3.2.1 Creation and Implementation of Policies and Standards
    3.2.2 Compliance with Policies and Standards
  3.3 Information Security Awareness Program
    3.3.1 Frequency
    3.3.2 Media
  3.4 Information Security Program Infrastructure
    3.4.1 Information Security Steering Committee
    3.4.2 Assignment of Information Security Responsibilities
      3.4.2.1 Senior Management
      3.4.2.2 Information Security Management
      3.4.2.3 Business Unit Managers
      3.4.2.4 First Line Supervisors
      3.4.2.5 Employees
      3.4.2.6 Third Parties
  3.5 Summary

Chapter 4 Information Security Policies
  4.1 Policy Is the Cornerstone
  4.2 Why Implement an Information Security Policy
  4.3 Corporate Policies
  4.4 Organizationwide (Tier 1) Policies
    4.4.1 Employment
    4.4.2 Standards of Conduct
    4.4.3 Conflict of Interest
    4.4.4 Performance Management
    4.4.5 Employee Discipline
    4.4.6 Information Security
    4.4.7 Corporate Communications
    4.4.8 Workplace Security
    4.4.9 Business Continuity Plans (BCPs)
    4.4.10 Procurement and Contracts
    4.4.11 Records Management
    4.4.12 Asset Classification
  4.5 Organizationwide Policy Document
  4.6 Legal Requirements
    4.6.1 Duty of Loyalty
    4.6.2 Duty of Care
    4.6.3 Federal Sentencing Guidelines for Criminal Convictions
    4.6.4 The Economic Espionage Act of 1996
    4.6.5 The Foreign Corrupt Practices Act (FCPA)
    4.6.5 Sarbanes–Oxley (SOX) Act
    4.6.6 Health Insurance Portability and Accountability Act (HIPAA)
    4.6.7 Gramm–Leach–Bliley Act (GLBA)
  4.7 Business Requirements

Date posted: 24/02/2013, 23:48
