Readings cases in information security law and ethics

Readings and Cases in Information Security: Law and Ethics
Michael E. Whitman and Herbert J. Mattord

This is an electronic version of the print textbook. Due to electronic rights restrictions, some third-party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For information on pricing, previous editions, changes to current editions, and alternate formats, visit www.cengage.com/highered to search by ISBN, author, title, or keyword for materials in your areas of interest.

Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third-party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

© 2011 Course Technology, Cengage Learning. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means (graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems), except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer Ann Baker
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Associate Marketing Manager: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Senior Content Project Manager: Andrea Majot
Art Director: Jack Pendleton

For product information and technology assistance, contact Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be e-mailed to permissionrequest@cengage.com.

Microsoft® is a registered trademark of the Microsoft Corporation.
Library of Congress Control Number: 2010927206
ISBN-13: 978-1-4354-4157-6
ISBN-10: 1-4354-4157-5

Course Technology, 20 Channel Center Street, Boston, MA 02210, USA. Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at international.cengage.com/region. Cengage Learning products are represented in Canada by Nelson Education, Ltd. For your lifelong learning solutions, visit course.cengage.com. Visit our corporate website at cengage.com.

Notice to the Reader
Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Course Technology and the Course Technology logo are registered trademarks used under license. The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America.

To Rhonda, Rachel, Alex and Meghan, thank you for your loving support. —MEW
To Carola, your example continues to inspire me. —HJM

Table of Contents

Preface & Acknowledgments

Running Case: Stratified Custom Manufacturing

Part 3: Personnel and Privacy
Reading 3A: Data Privacy: Is It Possible? — Dr. John H. Nugent, University of Dallas
Case 3B: Coordination between an Information Technology Department and a Human Resources Department: A Case Study and Analysis — Jeffrey M. Stanton, Syracuse University
Case 3C: IT Ethics and Security in an Information Security Certification Exam — Jeffrey P. Landry and J. Harold Pardue, University of South Alabama
Reading 3D: An Etymological View of Ethical Hacking — Michael E. Whitman, Kennesaw State University
Running Case 3E: Stratified Custom Manufacturing

Part 4: Risk Management
Reading 4A: Cyber Insurance and the Management of Information Security Risk — Tridib Bandyopadhyay, Kennesaw State University
Reading 4B: Rethinking Risk-based Information Security — Herbert J. Mattord, Kennesaw State University
Case 4C: Video Maze — Patricia Morrison, Cape Breton University
Running Case 4D: Stratified Custom Manufacturing

Part 5: Management of Security Technology
Reading 5A: Cryptography Algorithms Standards: Guidelines for Management — Wasim A. Al-Hamdani, Kentucky State University
Reading 5B: Cyber Terrorism: Impacts, Vulnerabilities, and U.S. Policy — Tridib Bandyopadhyay, Kennesaw State University
Case 5C: Advanced Topologies, Inc. — Michael E. Whitman and Herbert Mattord
Reading 5D: Web Applications: Vulnerabilities and Remediation — Shankar Babu Chebrolu and Vinay Bansal, Cisco Systems
Reading 5E: Managing Secure Database Systems — Li Yang, University of Tennessee at Chattanooga
Running Case 5F: Stratified Custom Manufacturing

Part 6: Information Security Program Management
Case 6A: Information Security Metrics: Legal and Ethical Issues — Jennifer L. Bayuk, Stevens Institute of Technology
Reading 6B: Impact of Incomplete or Missing Information in a Security Policy — Wasim A. Al-Hamdani and Wendy D. Dixie, Kentucky State University
Case 6C: A Review of Information Security Management Requirements as Reflected in U.S. Federal Law — Jeffrey P. Landry, University of South Alabama
Case 6D: The Law in Information Security Management — Katherine H. Winters, University of Tennessee at Chattanooga
Running Case 6E: Stratified Custom Manufacturing

Part 7: Information Security Governance and Regulatory Compliance
Reading 7A: Security Compliance Auditing: Review and Research Directions — Guillermo A. Francia, III and Jeffrey S. Zanzig, Jacksonville State University
Reading 7B: Global Information Security Regulations, Case Studies, and Cultural Issues — Guillermo A. Francia, III, Jacksonville State University; Andrew P. Ciganek, University of Wisconsin at Whitewater
Case 7C: Collaboration and Compliance in Health Care: A Threat Modeling Case Study — Divakaran Liginlal, Carnegie Mellon University at Qatar; Lara Z. Khansa, Virginia Polytechnic Institute and State University; Jeffrey P. Landry, University of South Alabama
Running Case 7D: Stratified Custom Manufacturing

Index

Preface

The need for information security education is self-evident. Education is one of the recognized needs to combat the threats facing information security. These readings provide students with a depth of content and analytical perspective not found in other textbooks. The fundamental tenet of Readings & Cases in Information Security is that information security in the modern organization is a problem for management and not a problem of technology—a problem that has important economic consequences and for which management will be held accountable. It is a further observation that the subject of information security is not presently widely included in the body of knowledge presented to most students enrolled in schools of business. This is true even within areas of concentration such as technology management and IT management.

This textbook is suitable for course offerings that complement programs adopting any one of the existing Course Technology textbooks. Readings and Cases in Information Security can be used alongside Principles of Information Security or Management of Information Security to provide further educational support for those texts.

Purpose and Intended Audience
This readings text provides instructors and lecturers with materials that give additional detail and depth on the management overview of information security, with emphasis on the legal and ethical issues surrounding these areas. These readings and cases can support a senior undergraduate or graduate information security class, or an information technology class that requires additional depth in the area of information security. The cases can be used to enable individual or team projects, or to support classroom discussion or writing assignments. This readings text can support course delivery both for information security–driven programs targeted at information technology students and for IT management and technology management curricula aimed at business or technical management students.

Scope
Note that the title denotes support for the management of an information security program or organization. Current information security literature acknowledges the dominant need to protect information, including the protection of the systems that transport, store, and process it, whether those systems are technology or human based. The scope of the Readings and Cases text covers fundamental areas of management of information security and the legal and ethical issues associated with these areas. The authors and many of the contributors are Certified Information Systems Security Professionals and/or Certified Information Security Managers.

Features
● Designed for use with other information security textbook offerings, this text adds current research, informed opinion, and fictional scenarios to your classroom.
● Prepare students for situations in the information security industry with articles, best practices, and cases relating to today's security issues.
● Create an interactive classroom by using the readings as discussion starters and using the scripted questions provided in several of the cases.
● Some readings and cases have teaching guides to facilitate in-class discussion and learning from the material.

Overview of the Text
In addition to being an introduction to the text, we expect this section will also serve as a guidepost, directing teachers and students to relevant chapters and cases.

Case 7C: Collaboration and Compliance in Health Care: A Threat Modeling Case Study (excerpt; the text resumes mid-section)

… of the notable vendor solutions for secure collaboration are Akonix, Barracuda, Facetime, and Symantec. Akonix is a market leader in IM security management appliances, while Barracuda's IM Firewall provides a secure channel and blocks public IM. It can also store up to … years of logs. The data loss prevention tool from Vericept Corporation monitors IM traffic and alerts the security team about any serious breaches. All these appliances have network inventory tools that can detect IM traffic and notify the organization of unauthorized IM traffic, including VoIP and P2P; a centralized server to log conversations; an enterprise integration feature to manage user accounts; file transfer blocking; virus protection; and built-in restrictions on incoming URLs.

Studying UWM's deployment of their IM infrastructure provides glimpses of important best practices for enterprises. It is important to ensure that IM products are kept up to date with the latest patches and security updates. A few other best practices may be identified: (i) enabling the latest antivirus software on all IM management servers; (ii) blocking public instant messaging programs; (iii) avoiding the use of third-party IM hosts; (iv) blocking file sharing with external agencies; (v) designing an acceptable use policy that dictates what information can be shared in IM communications; and (vi) installing screen-locking software to prevent unauthorized user access to the IM system.

UWM had a tough time making a compelling case for decision makers to consider adopting these technologies. Upon examining UWM's successful IM deployment, we identified the following drivers, which serve as justification for the adoption of these technologies: (i) online visibility of customer service representatives to third parties; (ii) ability to share and collaborate in real time without the inherent delay of emails or pagers; (iii) facilitating interactive and instantaneous conversation; (iv) setting the expectation of an immediate response; and (v) providing the ingredients of a face-to-face interaction. Another important lesson learned concerns the adoption of enterprise-grade features that provide the level of security and compliance readiness the organization needs; this helped UWM minimize exposure of patient data to the various security threats identified earlier.

Discussion Questions
1. Discuss ways UWM can prevent inappropriate use of IM. What technical safeguards should be in place on user workstations within UWM to prevent such inappropriate use of their system?
2. Do you think it is wise for the health care industry to implement IM across its systems?
3. Assume you are the CIO of UWM. You are asked to justify the deployment of enterprise IM. Argue why the benefits outweigh the associated costs and risks.

Conclusion
We examined the threats associated with collaborative technologies in a regulatory context through a case study of the UWM Health System. We identified several important contributions: (i) a one-dimensional scorecard composed of a set of objectives, measures, and attainable targets that lays out the business value of collaborating and information sharing in health care; (ii) a framework for analyzing the threats to information sharing in the context of HIPAA compliance; and (iii) two interesting use cases that clearly detail threats to HIPAA compliance.

From a pedagogical perspective, this study provides several useful teaching aids. First, the outline of the case study itself has been tested by the authors for several years in the classroom as a template for student projects, which consisted of a case presentation and a case write-up. A second notable feature is the presentation of three key concepts; this method of presenting a case study is derived from a well-known pedagogical technique called the concept tutor. Third, the use cases serve both as practical exercises for students to gain better insight into the problem and as exemplars for similar threat modeling exercises. The value of this case study extends beyond a pedagogical role to the business world, by teaching the reader how to embed strategic concepts (business drivers, scorecard) with real-world technology (threat modeling). The use cases presented can be easily modeled with the Microsoft Threat Modeling (MTM) tool. Each use case has been developed by first presenting the most important related concept, followed by a use scenario and the corresponding STRIDE and DREAD models, and finally by suggested enterprise best practices and lessons learned.

Endnotes
1. Swidersky, F., and Snyder, W. (2004). Threat Modeling (1st ed.). Redmond: Microsoft Press.
2. Baggs, J. G., Schmitt, M. H., Mushlin, A. I., Mitchell, P. H., Eldredge, D. H., Oakes, D., and Hutson, A. D. (1999). "Association between Nurse-Physician Collaboration and Patient Outcomes in Three Intensive Care Units." Critical Care Medicine, 27(9), 1991–1998.
3. Urwiler, R., and Frolick, M. (2008). "The IT Value Hierarchy: Using Maslow's Hierarchy of Needs as a Metaphor for Gauging the Maturity Level of Information Technology Use within Competitive Organizations." Information Systems Management, 25(1), 83–88.
4. Maslow, A. (1943). "A Theory of Human Motivation." Psychological Review, 50, 370–396.
5. Cohn, K. H., and Allyn, T. R. (2005). "Making Hospital-Physician Collaboration Work." Healthcare Financial Management, 59(10), 102–108.
6. Nembhard, I. M., Tucker, A. L., Bohmer, R. M. J., Horbar, J. D., and Carpenter, J. H. (2007). "Improving Infant Mortality Rates: The Impact of Front-Line Staff Collaboration on Neonatal Care." Harvard Business School Working Paper, No. 08-002.
7. Cohn, K. H., Wise, A. S., and Bellhouse, D. E. (2005). "What Physicians and Hospital Leaders Can Teach Each Other about Marketing," in Cohn, K. H., Better Communication for Better Care: Mastering Physician-Administrator Collaboration. Chicago: Health Administration Press.
8. Kohn, L. T., Corrigan, J. M., and Donaldson, M. S. (Eds.) (2000). To Err Is Human: Building a Safer Health System. Washington, DC: National Academy Press.
9. "Cisco Drives Innovation in Healthcare With Enhanced Mobility Solutions, Industry Collaboration; Cisc." (2008). Internet Wire, Feb. 25 issue.
10. Kaplan, R. S., and Norton, D. P. (1996). Balanced Scorecard: Translating Strategy into Action. Harvard Business School Press.
11. Lee, H. L., and Whang, W. (2000). "Information Sharing in a Supply Chain." International Journal of Technology Management, 20(3/4), 373–387.
12. Swidersky, F., and Snyder, W. (2004). Threat Modeling (1st ed.). Washington: Microsoft Press.
13. Gans, D., Kralewski, J., Hammons, T., and Dowd, B. (2005). "Medical Groups' Adoption of Electronic Health Records and Information Systems." Health Affairs, 24(5), 1323–1333.
14. Torr, P. (2005). "Demystifying the Threat Modeling Process." IEEE Security & Privacy Magazine, 3(5), 66–70.
15. http://en.wikipedia.org/wiki/Use_case
16. Swidersky, F., and Snyder, W. (2004). Threat Modeling (1st ed.). Washington: Microsoft Press.
17. Beard, K. W., and Wolf, E. M. (2001). "Modification in the Proposed Diagnostic Criteria for Internet Addiction." Cyberpsychology and Behavior, 4, 377–383.
18. Kandell, J. J. (1998). "Internet Addiction on Campus: The Vulnerability of College Students." Cyberpsychology and Behavior, 1, 11–17.
19. Davis, R. A. (2001). "A Cognitive-Behavioral Model of Pathological Internet Use." Computers in Human Behavior, 17, 187–195.

Running Case 7D: Stratified Custom Manufacturing

The operations group was a well-knit bunch of guys even though they were scattered all over the world. Periodically they would get together, either face-to-face in meetings or via a conference call process. As with many groups that came from diverse backgrounds with common work objectives, they shared work-related information as well as personal data, both verbally and via emails. Some of the personal data was outside the company's guidelines for email usage and could be considered inappropriate and adult-oriented under U.S. guidelines. But, within the context of the virtual locker room they shared every day, none of them felt it was out of the ordinary for the countries where SCM had operations. The managers of some of the operations group members allowed this to continue and even added to the dialogs, conversations, and viewings of some interesting materials. The materials and emails were confined to the operations network and were not widely distributed except to the intended recipients.

Shortly after the revision of standards and policies that was implemented in 2009 by corporate, some of these materials seeped into several of the administrative systems and were viewed by people outside the operations group. A group of vendors that had access to the administrative systems network inadvertently gained access to the materials. One CEO, Shelia Strong of Make Right Products LLC, felt greatly offended and discussed possible legal action with her legal team. They filed a civil suit and began their discovery phase.

Ellen Winter was the Administrative Security manager and got involved immediately by requiring all data from the systems to be held pending the outcome of the suit. Takio Sumi met with his four senior managers to discuss their roles in the suit and how to properly prepare data for the lawyers. He specifically had Robert Germain, his senior manager of Information Security, meet with his three managers, which included Ellen Winter, to make sure that SCM had complied with federal rules as well as corporate policy.

During their investigation, Curtis Northman and Ellen found that their standing policies and practices regarding retention of both emails and voice mails had been deleting files that were now needed for the lawsuit by the prosecutors. The technicians in charge of maintaining the databases had been overwriting disks to save money and disk space. Now it was determined that data needed to comply with the court's discovery directive had been destroyed or had its embedded native file viewers removed, so the data could not be decrypted. Their actions were part of a set of policies that had not been enforced since the early 2009 reorganization, but instead seemed to have come online as soon as rumors of the lawsuit began to circulate. They followed guidelines that they knew were no longer valid corporate policy, and their managers did not realize it until the legal action called upon them to restore emails and saved voice mails.

Discussion Questions
1. What U.S. federal laws apply to this situation?
2. Pick a U.S. state or another national government as a point of reference to research, and determine which laws apply to this situation.
3. What is one of the primary problems found during the implementation planning for the e-discovery project?
4. How does a corporation handle situations like the above, where policy nonenforcement or selective enforcement becomes a larger problem?
5. The information systems involved were administrative and operational and had little to no sensitive information on them. How does one go about protecting data at a level commensurate with its sensitivity, value, and criticality when those parameters can change due to circumstances such as a lawsuit?
Copyright 2010 Cengage Learning All Rights Reserved May not be copied, scanned, or duplicated, in whole or in part Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s) Editorial review has deemed that any suppressed content does not materially affect the overall learning experience Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it Index A access policies case study, 345 database systems, 207–208 annualized loss expectancy (ALE), 87, 91 data security, 237–238 applications, web iSec Cert exam case study, 36–40 defense strategies, 196–199 legislation about, 280, 281 overview, 192–193 physical security, 235–236 security principles, 194–195 security matrix, 286 vulnerabilities, 195–196 Accountability Principle, 11 architecture, network, 238–240 accounting controls, 288–291 architecture, web applications, 193–194, 196–199 active attacks, 123 activity metrics, 219 addressing, network security, 238–240 case study, 185–186 American National Standards Institute (ANSI), 117, 118–119, 136, 138, 140–141 ARSO (African Organization for Standardization), 118 policies for, 237–238 security matrix, 286 web applications, 194 authorization, security matrix, 286 authorization, web applications, 194 awareness and training, security, 234–235 B Baldrige National Quality Program, 119 Bandyopadhyay, Tridib, 75, 157 Basel Capital Accord (Basel II), 309 Bayuk, Jennifer L., 217 administration, security matrix, 286 asymmetric algorithms (public key), 128–131, 137–140 Advanced Encryption Standard (AES), 119, 125–126 asymmetric keys, 123 benchmarks, compliance, 297–299 best practices, 87–89 Advanced Topologies, Inc case study attack surface, 195 auditing Biba Model, 291 Bell-LaPadula Model, 291 block algorithms, 124–128 benchmarks and performance dashboards, 297–299 block ciphers, 123, 125–128 database systems, 209–210 Botmaster, 19 expert systems, 292–296 formal models, 
291–292 British Standards Institute (BSI), 117, 118, 119 internal accounting controls, 290–291 browser sessions, impersonation threats, 41 overview, 175–177 measurement approaches, 296–297 BSI (British Standards Institute), 117, 118, 119 packet filtering, 181 policies for, 236 proxy servers, 182–183 regulatory compliance, overview, 280–281 business continuity management, 241–243 authenticating users, 185–186 contingency planning, 187–188 digital forensics, 189–190 firewalls, 179–185 intrusion detection and prevention, 188–189 network vulnerabilities, 179 security policies, standards and planning, 177–178 virtual private networks, 186–187 AES (Advanced Encryption Standard), 119, 125–126 AES Key Wrap (AESKW), 128 African Organization for Standardization (ARSO), 118 algorithms See cryptography algorithms Al-Hamdani, Wasim A., 115, 231 Amdocs, 15 American Institute of Certified Public Accountants (AICPA), 284 research directions, 299–300 business enablement, 90, 93 separation issues, accounting and technology, 288–291 C Standard No 5, PCAOB, 284–285 California Security Breach Information Act, 281, 282 Audit Reform and Corporate Disclosure Act, 312 California Senate Bill 1836, 280, 281 audit tables, 44–45 Canada, publicly traded entities, 312 Australia, publicly traded entities, 312 Canada, regulation of government agencies, 311 authenticated encryption mode, 127–128 authentication See also cryptography algorithms block cipher mode, 127–128 Canadian Securities Administrators, 312 Carnegie Mellon CERT, 16–19 case studies 355 Copyright 2010 Cengage Learning All Rights Reserved May not be copied, scanned, or duplicated, in whole or in part Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s) Editorial review has deemed that any suppressed content does not materially affect the overall learning experience Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it 
www.ebook3000.com 356 Index contingency planning, 187–188 risk assessment, 47–52 copyright laws, 268–269 security threats, 40–47 cultural issues, 316–319 Chebrolu, Shankar Babu, 191 digital forensics, 189–190 firewalls, 179–185 Children’s Online Privacy Protection Act (COPPA), 311 global regulatory issues, 313–316 China, 15 health care, threat modeling Ciganek, Andrew P., 305 business case, 330–335 ciphers See cryptography algorithms for collaborative technologies, 338–343 classified data, 124 annualized loss expectancy (ALE), 87, 91 cyber insurance, 76–79, 82 security breaches, 18–19 Council of Europe, Directive 95/46/EC, 11–13 Council of Europe Cyber Crime Convention, 12 credentials, layered security, 42 CRHFs (collision resistant hash functions), 131–135 overview, 328–330 CMAC (cipher-based message authentication code), 127–128 security and privacy threats, 335–338 CMVP (Cryptographic Module Validation Program), 124 use cases, 343–350 collaborative technology See health care case study Cryptographic Algorithm Validation Program (CAVP), 124 Collection Limitation Principle, 10 Cryptographic Module Validation Program (CMVP), 124 HIPAA, 265–267 instant messaging, 348–350 intrusion detection, 188–189 K-LiWin Consulting, 264–271 personnel, 23–28 privacy, 269–271 question-and-answer approach, metrics, 222–224 collision resistant hash functions (CRHFs), 131–135 crime, computer attacks, 17–19 cross-site scripting (XSS), 195–196 cryptography algorithms Commission on Critical Infrastructure Protection (PCCIP), 166–168 asymmetric algorithms (public key), 128–131 Committee of Sponsoring Organizations, 284–285 case study, 184–185 Common Policy Root CA, 138 block cipher mode, 123, 125–128 digital signatures, 123, 132, 135–136 reclassification, government archives, 250–251 communication security policies, 238–240 risk management program, 224–226 compliance See regulations and compliance key management framework, 140–143 Sarbanes-Oxley, 267–268 computational models, auditing, 
292 overview, 122–124 sphere of control, metrics, 226–227 computer attacks, incidence of, 17 Project Elvis, 14–15 Computer Crime Act (Thailand), 316 public key infrastructure (PKI), 128–131, 137–140 state laws, 264–271 Stratified Custom Manufacturing, running case, 1–6, 69–71, 111–112, 213–214, 275–276, 353–354 virtual private networks, 26–28, 186–187 Computer Fraud and Abuse Act, 250, 253–255, 271, 281, 282 concurrent log-ins, 41 standards, introduction to, 116–118 confidentiality, 127–128 See also cryptography algorithms; privacy standards organizations, list of, 118–122 connection pool leaks, 40–41 stream cipher, 123, 126–127 CAVP (Cryptographic Algorithm Validation Program), 124 contingency planning, case study, 187–188 CEN, 118 Control Objectives for Information and Related Technology (COBIT), 285–286, 297–299 Cenartech case, 23–30 CENELEC, 118 CERT, Carnegie Mellon, 16–19 cookies, 194 certificate authority, 135–140 COPANT (Pan American Standards Commission), 118 certification exam copyright laws, 268–269, 311 case overview, 32–36 hash functions, 123, 131–135 ethical and legal issues, 52–55 Corporate Law Economic Reform Program (CLERP), 312 exam development, 36–40 costs symmetric algorithms, 124–128 C2 security, 205 cultural differences case studies, 313–319 cyber crime, 313 electronic commerce, 309–311 financial and banking services, 309 government agencies, 311 overview, 306–307 privacy protections, 307–309 publicly traded entities, 312 research directions, 319–321 Data Protection Act, UK (1998), 11–13 
cyber crime, 313, 315–316 Data Quality Principle, 10 cyber insurance daylight savings time, 55 economics of, 76–79 needs assessment, 79–81 providers and products, 81–84 cyber terrorism national policy and, 166–168 overview, 159–166 reality check, 168–170 USA Patriot Act, 255–258 DCL (Data Control Language), 209–210 DDL (Data Definition Language), 209–210 de facto standards, 116 See also standards, cryptography denial of service threats, 40–41 DES (Data Encryption Standard), 124–126 3DES (Triple-DES), 125 D DAC (discretionary access control), 206–208 data access control policies, 237–238 database systems digital certificates, 135–136 access control, 207–208 digital forensics, case study, 189–190 auditing, 209–210 Digital Millennium Copyright Act, 268–269 hardening, best practices, 204–205 overview, 203–204 regulations and compliance, 205–206 digital rights, 311 Data Control Language (DCL), 209–210 disasters, policies for, 235–236, 241–243 Data Definition Language (DDL), 209–210 discretionary access control (DAC), 206–208 Data Encryption Standard (DES), 124–126 Dixie, Wendy D., 231 DML (Data Manipulation Language), 208, 210 Document Object Model, cross-site scripting, 195–196 due diligence, 89, 93 Organization for Economic Cooperation and Development (OECD), 10–11 overview, 9–10 sovereign states activities and issues, 13–19 U.S approach, 13 email security, 137–140, 238–240 encryption See also cryptography algorithms case study, 184–185 hash functions, 131–135 Project Elvis, 14–15 Enterprise Resource Planning (ERP) system, 292 environmental security controls, 235–236 equipment, policies about, 235–236 ethics case overview, 32–36 ethical and legal issues, 52–55 exam development, 36–40 risk assessment, 47–52 security threats, 40–47 ETSI (European Telecommunications Standard Institute), 117, 118, 122 European Committee for Electrotechnical Standardization, 118 European Committee for Standardization, 118 European regulations, 11–13 data mapping, 206 Data Protection Act, 
UK (1998), 11–13 elliptic curve algorithms, 128 information security certification exam disabled user access, 54–55 Council of Europe Directive 95/46/EC, 11–13 Electronic Transactions Act (Singapore), 310 Directive 2004/109/EC, 312 Directive 93/6/EEC, 309 data privacy electronic signatures, 123, 132, 135–136 hacking, 58–65 securing communications, 208 Data Manipulation Language (DML), 208, 210 Electronic Records Management and Federal Records Act, 247, 248 digital signatures, 123, 132, 135–136 replication, securing, 208–209 data integrity See also cryptography algorithms Electronic Communications Privacy Act, 271 Deutsches Institut für Bautechnik (DIBt), 118 development versions, applications, 43–44 E Economic Espionage Act, 271 E-Government Act of 2002, 249, 252 Eighth Data Protection Principle, 11–12 electronic commerce, global regulations, 309–311, 314 European Telecommunications Standard Institute (ETSI), 117, 118, 122 European Union, financial and banking regulations, 309 European Union, publicly traded entities, 312 expert systems, auditing, 292–296 Electronic Commerce Act of Malta, 309–310 F Electronic Commerce Act of the Philippines, 310 Federal Information Security Management Act, 282, 311 Federal Managers and Financial Integrity Act, 249, 252 Federal PKI, 137 Federal Property and Administration Service Act, 249, 252 financial and banking services regulations, 309, 314 sovereign states activities and issues, 13–19 GMS mobile telephone communications, 127 HIPAA, 265–267, 280, 
281, 283, 308, 337–338 Goal/Question/Metric (GQM), 296–297 HMAC, 134 governing policies Financial Executives International (FEI), 284 business continuity management, 241–243 financial impact data access control, 237–238 annualized loss expectancy (ALE), 87, 91 cyber insurance, 76–79, 82 security breaches, 18–19 Financial Instruments and Exchange Law, 312 IANA (Internet Assigned Numbers Authority), 121 network and communication security, 238–240 Iceland, privacy protection, 307 physical security, 235–236 risk management, 240 security policies, 238–240 government-owned communications, 14 web applications, 198–199 Government Paperwork Elimination Act, 249, 252 Francia, Guillermo A., III, 279, 305 Freedom of Information Act and Electronic Freedom of Information Act, 247, 248 G human resources departments, 23–30 management responsibility, 233–235 government agencies, regulation of, 311, 314–315 FPKI architecture, 137–138 Homeland Security Act, 313 I case study, 179–185 forensics, case study, 189–190 Hollings Manufacturing Extension Partnership, 119 incident management, 240–241 overview, 231–233 Financial Services Modernization Act, 280, 281, 282, 309 firewalls high-throughput authenticated encryption mode, 128 3GPP (Third Generation Partnership Project), 117, 122 Gramm-Leach Bliley Act, 280, 281, 282, 309 IEC (International Electrotechnical Commission), 117, 121 IEEE (Institute of Electrical and Electronics Engineers), 117, 121–122, 129–130 IETF (Internet Engineering Task Force), 117, 121, 141–142 IMPACT (International Multilateral Partnership Against Cyber Terrorism), 165 impersonation threats, 41 incident response, 44–45, 240–241 individualism-collectivism, 318 Individual Participation Principle, 11 H information coordination, 23–26, 335–338 hacking Information Flow Model, 291 Galois/Counter Mode (GCM), 128 allure of, 60–61 Generally Accepted Information Security Practices (GAISP), 87, 89 ethical hacker, defined, 61–64 overview, 217–221 German Bundesnachrichtendienst 
(BND), 14 overview, 58–59 penetration testing, 64–65 question-and-answer approach, 222–224 information metrics Germany, 15 hardening, database systems, 204–205 global regulations hash functions, 123, 131–135 risk management program, case, 224–226 health care case study sphere of control, case, 226–227 case studies, 313–316 information security certification exam cultural issues, 316–319 business case, 330–335 cyber crime, 313 overview, 328–330 case overview, 32–36 electronic commerce, 309–311 security and privacy threats, 335–338 ethical and legal issues, 52–55 government agencies, 311 threat modeling, collaborative technology, 338–343 risk assessment, 47–52 overview, 306–307 use cases, 343–350 financial and banking services, 309 privacy protections, 307–309 publicly traded entities, 312 Health Insurance Portability and Accountability Act See HIPAA research directions, 319–321 hierarchical federal PKI, 138 exam development, 36–40 security threats, 40–47 information security metrics, 289–290 Information Security Professional (InfoSecProf), role of, 263–264 Information Systems Audit and Control Association (ISACA), 297 Information Systems Security Association (ISSA), 87, 89 input validation, 197 instant messaging, case study, 348–350 ITU (International Telecommunication Union), 117, 120–121 cyber crime, 313 J financial and banking services, 309 Japan, publicly traded entities, 312 government agencies, 311 K Institute of Internal Auditors (IIA), 284 key hash functions, 131–135 Institute of Management Accountants 
(IMA), 284 key management framework, 140–143 intellectual property issues, 53–54 K-LiWin Consulting, case study, 264–271 internal control metrics, 289 International Electrotechnical Commission (IEC), 117, 121 international issues See global regulations International Measurement Evaluation Programme (IRMM), 118 International Multilateral Partnership Against Cyber Terrorism (IMPACT), 165 electronic commerce, 309–311 overview, 306–307 Institute of Electrical and Electronics Engineers (IEEE), 117, 121–122, 129–130 internal accounting controls, 290–291 359 privacy protections, 307–309 publicly traded entities, 312 keyed algorithms, defined, 123 Government Paperwork Elimination Act, 252 Gramm-Leach-Bliley Act, 282 Khansa, Lara Z., 327 HIPAA, 266–267, 283 implications for managers, 258–259 L measurement approaches, 296–297 Landry, Jeffrey P., 31, 245, 327–328 National Archives and Records Act, 247, 248 language, Natural Language Processing (NLP) tools, 15 overview, 280–281 layered security, 42 privacy, case study, 269–271 legal issues and compliance Privacy Act, 251 benchmarks and performance dashboards, 297–299 research directions, 299–300, 319–321 California Security Breach Information Act, 282 risk assessment model, 89–90, 92–93 digital signatures, 136 certificate exam case, 52–55 hash standards, 133 characteristics of, 283–288 Sarbanes-Oxley, case study, 267–268 key management framework, 141–142 Computer Fraud and Abuse Act, 253–255, 282 overview, 117, 118, 119–120 cyber terrorism vulnerability, 163–164 International Organization for Standardization (ISO) PKI, 130, 138–139 International Telecommunication Union (ITU), 117, 120–121 Internet Assigned Numbers Authority (IANA), 121 Internet Engineering Task Force (IETF), 117, 121, 141–142 Electronic Records Management and Federal Records Act, 247, 248 expert systems, 292–296 federal law, overview, 245–250 Federal Managers Financial Integrity Act, 252 Internet security policy, 238–240 Federal Property and Administration 
Service Act, 252 IRMM (International Measurement Evaluation Programme), 118 ISO See International Organization for Standardization (ISO) separation issues, accounting and technology, 288–291 state laws, 264–271 E-Government Act, 252 Internet Research Task Force (IRTF), 121 intrusion detection and prevention, case study, 188–189 Sarbanes-Oxley Act, 283 formal models, 291–292 Freedom of Information Act and Electronic Freedom of Information Act, 247, 248 global regulations Israel, 15 case studies, 313–316 IT Governance Institute, 285–286 cultural issues, 316–319 Title III, Federal Information Security Management Act, 253 USA Patriot Act, 255–258 Liginlal, Divakaran, 327 line of business platform metric, 225–226 log-on/off, 209–210 loss expectancy, annualized, 87, 91 loss of service, 235–236, 241–243 Lourdes, Cuba, 15 M MAC (mandatory access control), 206–208 MAC (message authentication code), 127–128, 131–135 Malcolm Baldrige National Quality Award, 119 Malta, electronic commerce regulations, 309–310 Malta, privacy protection, 307–308 malware e-mail security, 239–240 increase in, 17 web applications defense strategies, 196–199 N National Archives and Records Act, 247, 248 National Archives and Records Act, 247, 248 overview, 246 National Center for Standards and Certification Information (NCSCI), 116 Title III, Federal Information Security Management Act, 253 National Information Assurance Training Standard, 246 National Information Infrastructure Protection Act, 271 security principles, 
194–195 National Institute of Standards and Technology (NIST), 117, 119, 246 See also NIST 4012 standard vulnerabilities, 195–196 National Instruments (NI), 312 overview, 192–193 management responsibilities, policies, 233–235, 246 mandatory access control (MAC), 206–208 manipulation detection codes (MDCs), 131–135 mapping, databases, 206 Mattord, Herbert J., 85, 175 merge replication, 208–209 message authentication code (MAC), 127–128, 131–135 national security letters, 256–258 national standardization organizations, 118 Microsoft Baseline Security Analyzer (MBSA), 205 MICs (message integrity codes), 131–135 NCSCI See National Center for Standards and Certification Information (NCSCI) network security policies, 238–240 NIST 4012 standard Computer Fraud and Abuse Act, 253–255 E-Government Act, 252 Electronic Records Management and Federal Records Act, 247, 248 federal laws, chart of, 248–250 modification detection codes (MDCs), 131–135 Federal Property and Administration Service Act, 252 monitoring metrics, 220–221 Freedom of Information Act and Electronic Freedom of Information Act, 247, 248 Multilateral Instruments (MI), 312 multiple browser sessions, 41 MySQL, 205 online surveys, 222–224 Organization for Economic Cooperation and Development (OECD), 10–11 Federal Managers Financial Integrity Act, 252 Morrison, Patricia, 97 one-way hash functions (OWHFs), 131–135 Natural Language Processing (NLP) tools, 15 Millennium Year Issue (Y2K), 16 Montevideo Convention (1933), 13–14 OECD (Organization for Economic Cooperation and Development), 10–11 operating system security metric, 225, 226–227 NIST (National Institute of Standards and Technology), 117, 119, 246 sphere of control, case, 226–227 O National Strategy to Secure Cyberspace, 166–168 metrics, information risk management program, case, 224–226 Nugent, John H., Openness Principle, 11 network addressing, 238–240 question-and-answer approach, 222–224 USA Patriot Act, 255–258 Norway, cyber crime regulations, 313 
National Standards Body, UK, 118, 119 message integrity codes (MICs), 131–135 overview, 217–221 Privacy Act, 251 Government Paperwork Elimination Act, 252 implications for managers, 258–259 ownership, information, 234 P Pacific Area Standards Congress (PASC), 118 Pakistan, cyber crime regulations, 313 Pan American Standards Commission (COPANT), 118 Pardue, J Harold, 31 passive attacks, 123 password protections, 237–238 case study, 23–28 layered security, 42 patches, 198, 205 PCCIP (Commission on Critical Infrastructure Protection), 166–168 penetration testing, 64–65 performance dashboards, 297–299 personnel, 7–8, 23–28 Philippines, electronic commerce regulations, 310 phishing, 43–44 physical security policies, 235–236 piracy, 234, 268–269, 311 PKCS (Public-Key Cryptography Standards), 117, 122 PKI (Public Key Infrastructure), 117, 122, 123, 128–131, 137–140 policies access and use, 36–40 case study, 177–178 exam proctors, 37–40 information security metrics, 289–290 security Prosecutorial Remedies and Tools Against the Exploitation of Children Today Act (PROTECT), 313 Federal Property and Administration Service Act, 252 pseudorandom generator, 123 Freedom of Information Act and Electronic Freedom of Information Act, 247, 248 Public Company Accounting Oversight Board (PCAOB), 267–268 Public-Key Cryptography Standards (PKCSs), 117, 122 cultural issues, 316–319 Purpose Specification Principle, 11 data access control, 237–238 incident management, 240–241 question-and-answer approach, case, 222–224 physical security, 
235–236 risk management, 240 Post Telephone and Telegraph (PTT), 14 R data privacy, overview, 9–10 global protections, 307–309, 313–314 overview, 7–8 Privacy Act, 248, 251 process controls, designing, 37 proctor policies, 37–40 production versions, applications, 43–44 Project Echelon, 15 Project Elvis, 14–15 Project Rahab, 14 privacy protections, 307–309 publicly traded entities, 312 Government Paperwork Elimination Act, 252 RBAC (role-based access control), 206–208 Gramm-Leach-Bliley Act, 282 RC4, 127 reflected cross-site scripting, 195–196 regional standards boards, 118 regulations and compliance certificate exam case, 52–53 overview, 306–307 radio communication standards, 120 principle of least privilege, 195 Children’s Online Privacy Protection Act, 311 financial and banking services, 309 research directions, 319–321 registration authority, 137 case study, 269–271, 335–338 electronic commerce, 309–311 government agencies, 311 power distance, 318–319 privacy See also cryptography algorithms case studies, 313–316 cyber crime, 313 Quality Function Deployment, 297 overview, 231–233 global publicly traded entities, regulation of, 312 Q network and communication security, 238–240 formal models, 291–292 public keys, 123, 128–131, 137–140 business continuity management, 241–243 management responsibility, 233–235 benchmarks and performance dashboards, 297–299 HIPAA, 266–267, 283 implications for managers, 258–259 measurement approaches, 296–297 National Archives and Records Act, 247, 248 California Security Breach Information Act, 282 Organization for Economic Cooperation and Development (OECD), 10–11 characteristics of, 283–288 Privacy Act, 251 compliance, overview, 280–281 research directions, 299–300 Computer Fraud and Abuse Act, 253–255, 282 risk assessment model, 89–90, 92–93 Council of Europe’s Directive 95/46/EC, 11–13 Sarbanes-Oxley Act, 267–268, 283 database systems, 205–206 separation issues, accounting and technology, 288–291 E-Government Act, 252 
Electronic Records Management and Federal Records Act, 247, 248 expert systems, 292–296 federal law, overview, 245–250 Federal Managers Financial Integrity Act, 252 Title III, Federal Information Security Management Act, 253 UK Data Protection Act (1998), 11–13 USA Patriot Act, 255–258 remediation metrics, 219–220 remote access, 26–28, 237–238 replication, database systems, 208–209 security threats, 40–47 reverse mapping, 206 industry survey, 90–94 risk assessment and management logs, case study, 22–30 case study, security metrics, 224–226 matrix, 286–287 metrics certificate exams case, 47–52 internal controls, 289–290 cyber insurance overview, 217–221 economics of, 76–79 needs assessment, 79–81, 81–82 providers and products, 81–84 industry survey, 90–94 legislation about, 280, 281 new approaches, 86–90 overview, 73–74, 76 policies for, 240 security metrics, overview, 217–221 question-and-answer approach, 222–224 risk management program, case, 224–226 sphere of control, case, 226–227 national policy, 166–168 new approaches, 89–90 policies business continuity management, 241–243 standards, introduction to, 116–118 standards organizations, list of, 118–122 stream cipher, 126–127 symmetric algorithms, 124–126 Security and Freedom through Encryption Act, 271 Security Safeguards Principle, 11 Shaver, Russell, signatures, digital, 123 Singapore, electronic commerce regulations, 310 Singapore, privacy protection, 308 Six Sigma, 297 snapshot replication, 208–209 software piracy, 234 role-based 
access control (RBAC), 206–208 data access control, 237–238 sovereign states activities, 13–19 role-based security, 45–47 incident management, 240–241 sphere of control case, 226–227 Romania, privacy protection, 308 management responsibility, 233–235 SQL injection, 195–196 network and communication security, 238–240 SQL Server, replication architecture, 208–209 overview, 231–233 SQL slammer worm, 208 physical security, 235–236 SSL (Secure Sockets Layer) protocol, 127 RSA algorithms, 128 RSA Laboratories Public-Key Cryptography Standards, 122, 129 running case, Stratified Custom Manufacturing, 1–6, 69–71, 111–112, 213–214, 275–276, 353–354 risk management, 240 SQL Server, hardening, 204–205 standards, compliance with, 92–93 See also NIST 4012 standard S rethinking risk-based security, 86–89 risk assessment, 80–81 standards, cryptography Safe Harbor, 12 role-based, 45–47 Sarbanes-Oxley Act, 267–268, 280, 281, 283, 286–287, 290–291, 312, 315 technology SECG (Standards for Efficient Cryptography Group), 117, 122, 129 secret key, 123 Secure Hash Standard, 132 Secure Sockets Layer (SSL), 127 security awareness and training, 234–235 certification exams, case study asymmetric algorithms (public key), 128–131 block cipher mode, 123, 125–128 asymmetric algorithms (public key), 128–131 case study, 184–185 block cipher mode, 127–128 cryptography, overview of, 122–124 cryptographic hash functions, 131–135 cryptography, overview, 122–124 cyber terrorism vulnerability, 163 digital signature, 135–136 digital signatures, 123, 132, 135–136 hash functions, 123, 131–135 introduction to, 116–118 key management framework, 140–143 Project Elvis, 14–15 ethical and legal issues, 52–55 key management framework, 140–143 exam development, 36–40 overview, 113–114 public key infrastructure, 128–131, 137–140 overview, 32–36 public key infrastructure (PKI), 137–140 standards organizations, list of, 118–122 risk assessment, 47–52 stream cipher, 123, 126–127 symmetric algorithms, 124–128 Standards for Efficient Cryptography Group (SECG), 117, 122, 129 technical standards See standards, cryptography technology, security Time Metrics, 297 Title III, Federal Information Security Management Act, 250, 253 asymmetric algorithms (public key), 128–131 traffic analysis, 123 Stanton, Jeffrey M., 23 state laws block cipher mode, 127–128 Triple Data Encryption Algorithm (TDEA), 125 transactional replication, 208–209 California Senate Bill 1836, 280, 281 cryptographic hash functions, 131–135 case study, HIPAA, 264–271 cryptography, overview, 122–124 Trojan Horse, 207 case study, privacy, 269–271 cyber terrorism vulnerability, 163 overview, 264 digital signature, 135–136 Trusted Computer System Evaluation Criteria (TCSEC), 207, 291 privacy, 308 key management framework, 140–143 U overview, 113–114 U.S. federal law storage, email, 239–240 stored cross-site scripting, 195–196 Stratified Custom Manufacturing, running case, 1–6, 69–71, 111–112, 213–214, 275–276, 353–354 stream ciphers, 123, 126–127 Sun Microsystems, Project Elvis, 14–15 surveys public key infrastructure (PKI), 137–140 standards, introduction to, 116–118 standards organizations, list of, 118–122 copyright laws, 268–269, 311 stream cipher, 126–127 symmetric algorithms, 124–126 Technology Innovation Program, 119 risk-based security methods, 90–94 telecommunication standards, 120–121, 127 symmetric keys, 123 T terrorism cyber terrorism, overview, 159–166 defined, 158–159 target metrics, 219 national policy and, 166–168 TCSEC (Trusted Computer System 
Evaluation Criteria), 207, 291 reality check, 168–170 TDEA (Triple Data Encryption Algorithm), 125 technical policies business continuity management, 241–243 data access control, 237–238 incident management, 240–241 management responsibility, 233–235 network and communication security, 238–240 overview, 231–233 chart of federal laws, 248–250 Computer Fraud and Abuse Act, 250, 253–255, 271, 281, 282 question-and-answer metrics, 222–224 symmetric algorithms, 124–128 Triple-DES (3DES), 125 USA Patriot Act, 255–258 cyber crime, 313, 315–316 E-Government Act, 249, 252 electronic commerce, 311 Electronic Records Management and Federal Records Act, 247, 248 Federal Managers Financial Integrity Act, 249, 252 Federal Property and Administration Service Act, 249, 252 Freedom of Information Act and Electronic Freedom of Information Act, 247, 248 Thailand, Computer Crime Act (CCA), 316 Government Paperwork Elimination Act, 249, 252 Third Generation Partnership Project (3GPP), 117, 122 Gramm-Leach-Bliley Act, 280, 281, 282, 309 threat modeling case study business case, 330–335 HIPAA, 266–267, 280, 281, 283, 308, 337–338 for collaborative technology, 338–343 implications for managers, 258–259 overview, 328–330 National Archives and Records Act, 247, 248 security and privacy threats, 335–338 use cases, 343–350 physical security, 235–236 Threat-Vulnerability-Asset (TVA) paradigm, 87–89 risk management, 240 time, 55 overview, 245–247, 280, 281 Privacy Act, 248, 251, 309 publicly traded entities, 312 regulating government agencies, 311
Sarbanes-Oxley, 267–268, 280, 281, 283, 286–287, 290–291, 312, 315 V W Title III, Federal Information Security Management Act, 250, 253 validation, web applications, 194–195, 197 Web Application Firewalls (WAF), 198–199 Vansal, Vinay, 191 web applications verification policies, 38–40 defense strategies, 196–199 USA Patriot Act, 250, 255–258, 271, 313 Video Maze case overview, 192–193 uncertainty avoidance, 316–318 unclassified data, 124 United Nations, International Telecommunication Union (ITU), 120–121 United Nations Commission on International Trade Law (UNCITRAL), 310–311 United States regulations, 11–13 network diagram 2, 104 overview, 98–103 Web site policies, 239–240 planning guidelines, 108–109 Whitman, Michael E., 57, 175 printer specifications, 108 Winters, Katherine H., 263 server specifications, 105–106 Wired Equivalent Privacy (WEP), 127 software specifications, 107–108 store layout, 105 unkeyed algorithms, 123 unkeyed hash functions, 131–135 virtual private networks (VPNs), 26–28 Use Limitation Principle, 11 case study, 186–187 viruses, 17, 192–193, 239–240 user access See access policies VPD (virtual private database), 207–208 user access, disabilities, 54–55 vulnerabilities, case study, 179 user impersonation, 41 vulnerabilities, web applications, 192–193, 198 usernames, 237–238 vulnerabilities, 195–196 PC specifications, 106–107 virtual private database (VPD), 207–208 USA Patriot Act, 250, 255–258, 271, 313 security principles, 194–195 X XSS (cross-site scripting), 195–196 Y Yang, Li, 203 Y2K, 16 Z Zanzig, Jeffrey S., 279

Posted: 04/03/2019, 13:59