Information Security

Protecting the Global Enterprise

Donald L. Pipkin

Publisher: Prentice Hall, 2000, 364 pages

ISBN: 0-13-017323-1

Keywords: Information Security

Last modified: July 29, 2021, 9:27 p.m.

Computer and network security: the technical, legal, and business issues.

In Information Security: Protecting the Global Enterprise, IT security expert Donald Pipkin addresses every aspect of information security: the business issues, the technical process issues, and the legal issues — including the personal liabilities of corporate officers in protecting information assets. Pipkin starts by reviewing the key business issues associated with protecting information assets, and determining the appropriate levels of protection and response to security incidents. Next, he walks through the technical processes required to build a consistent, reasonable information security system, with appropriate intrusion detection and reporting features.

Coverage includes:

  • Inspection: Risk analysis, resource inventory, threat assessment, business impact analysis, safeguards, and more
  • Protection: Information security design, vision, architecture, strategies, frameworks, and implementation
  • Detection: Types of intruders, methods and profiles of detection
  • Reaction: Incident response plans, documentation, determination, notification, assessment, repair, and recovery
  • Reflection: Post-incident procedures, timelines, technical and management responses, process improvements, and public relations.

Whether your role is technical or managerial, no matter what size your enterprise is, Information Security delivers the insight and guidance you need to protect your most vital asset: information.

    • Prologue: The Future of Business
      • The Business Environment is Changing
      • Business Relationships are Changing
      • Business Information is Changing
      • Information Technology is Changing
      • Information Security Must Change
    • Introduction: Information Security
      • Information is a Business Asset
      • Security is a Business Process
      • Information Security is a Business Requirement
      • Building an Information Security Plan
  • Phase I: Inspection
    • Defining Resources
    • Assessing Threats
    • Evaluating Potential Losses
    • Identifying Vulnerabilities
    • Assigning Safeguards
    • Evaluate Current Status
    1. Resource Inventory
      • Identifying Resources
      • Assigning Ownership
      • Determining Value
      • Security Classification
    2. Threat Assessment
      • Human Error
      • Natural Disasters
      • System Failures
      • Malicious Software
      • Collateral Damage
    3. Loss Analysis
      • Denial of Service
      • Theft of Resources
      • Deletion of Information
      • Theft of Information
      • Disclosure of Information
      • Corruption of Information
      • Theft of Software
      • Theft of Hardware
      • Disruption of Computer Controlled Systems
    4. Identifying Vulnerabilities
      • Location of Vulnerabilities
      • Known Vulnerabilities
      • Security Design Flaw
      • Innovative Misuses
      • Incorrect Implementation
      • Social Engineering
    5. Assigning Safeguards
      • Avoidance
      • Transference
      • Mitigation
      • Acceptance
    6. Evaluation of Current Status
      • Assessment
      • Testing
      • Business Impact Analysis
  • Phase II: Protection
    • Philosophies
    • Principles
    • Policies
    • Procedures
    • Practices
    1. Awareness
      • Appropriate Use
      • Awareness Programs
      • Design Choices
      • Implementation Options
      • Lack of Awareness
    2. Access
      • Global Access
      • Access Methods
      • Access Points as Security Checkpoints
      • Access Servers
      • Abuse of Access
    3. Identification
      • Enterprise Identification
      • Issuance of Identifiers
      • Scope of Use
      • Administration of Identifiers
      • Identity Errors
    4. Authentication
      • Factors of Authentication
      • Authentication Models
      • Authentication Options
      • Authentication Management
      • Subverting Authentication
    5. Authorization
      • What Authorization Provides
      • Granularity of Authorizations
      • Requirements
      • Design Choices
      • Abuse of Authorization
    6. Availability
      • Types of Outages
      • Protecting all Levels
      • Availability Models
      • Availability Classifications
      • Availability Outage
    7. Accuracy
      • Information Lifecycle
      • Information System Accuracy
      • Methods
      • Loss of Accuracy
    8. Confidentiality
      • Information in the Enterprise
      • Confidentiality Concerns
      • Methods of Ensuring Confidentiality
      • Sensitivity Classifications
      • Invasion of Privacy
    9. Accountability
      • Accountability Models
      • Accountability Principles
      • Accounting Events
      • Accountability System Failures
      • Accountability Failures
    10. Administration
      • Enterprise Information Security Administration
      • Administration Process
      • Areas of Administration
      • Administration Errors
  • Phase III: Detection
    • Intruder Types
    • Intrusion Methods
    • Detection Methods
    1. Intruder Types
      • Outside Intruders
      • Inside Intruders
      • Professional Intruders
    2. Intrusion Methods
      • Technical Intrusions
      • Physical Security
      • Social Engineering
    3. Intrusion Process
      • Reconnaissance
      • Gaining Access
      • Gaining Authorizations
      • Achieve Goals
    4. Intrusion Detection Methods
      • Profiles
      • Offline Methods
      • Online Methods
      • Human Methods
  • Phase IV: Reaction
    1. Response Plan
      • Response Procedures
      • Resources
      • Legal Review
    2. Incident Determination
      • Possible Indicators
      • Probable Indicators
      • Definite Indicators
      • Predefined Situations
    3. Incident Notification
      • Internal
      • Computer Security Incident Organizations
      • Affected Partners
      • Law Enforcement
      • News Media
    4. Incident Containment
      • Stopping the Spread
      • Regain Control
    5. Assessing the Damage
      • Determining the Scope of Damage
      • Determining the Length of the Incident
      • Determining the Cause
      • Determining the Responsible Party
    6. Incident Recovery
      • Setting Priorities
      • Repair the Vulnerability
      • Improve the Safeguard
      • Update Detection
      • Restoration of Data
      • Restoration of Services
      • Monitor for Additional Signs of Attack
      • Restoration of Confidence
    7. Automated Responses
      • Automated Defenses
      • Gathering Counterintelligence
      • Counterstrike
  • Phase V: Reflection
    • Postmortem Documentation
    • Process Management
    • External Follow-up
    1. Incident Documentation
      • Incident Source Information
      • Incident Timelines
      • Technical Summary
      • Executive Summary
    2. Incident Evaluation
      • Identify Processes for Improvement
      • Process Improvement
    3. Public Relations
      • The Right People
      • The Right Time
      • The Right Message
      • The Right Forum
      • The Right Attitude
    4. Legal Prosecution
      • Computer Crime Laws
      • Jurisdiction
      • Collection of Evidence
      • Successful Prosecution
    • Epilogue: The Future of Business
      • A World without Borders
      • Service-based Architecture
      • Basic Business Principles
      • Pervasive Security

    Reviews

    Information Security

    Reviewed by Roland Buresund

    Very Good ******** (8 out of 10)

    Last modified: Nov. 15, 2008, 2:26 a.m.

    This book is neither practical nor theoretical. It is geared towards management and tries to give an overview of what is needed to ensure information security. It does this by being extremely descriptive and utilising a one-step-at-a-time methodology, while in some cases brushing over some details and in others going off on a tangent by giving explanations of certain things that should be obvious to information security professionals. Regardless, I really liked the book!

    Recommended reading.
