Securing Business Information provides an approach to security that is derived from numerous successful implementations. The Enterprise Security Plan (ESP) is a six-step process for tailoring enterprise security techniques to the needs of your business.
This book will guide you through these steps to secure your computing infrastructure within the constraints of normal business operations, resources, and today's technology:
Preparing Your Enterprise for Tighter Security
Preface.
1. Prepare the Enterprise for Security.
The Enterprise Security Charter.
Building the Security Organization.
Security Leadership.
Security Management.
Security Administration.
Resource Ownership.
Where Security Reports.
Building Security Job Descriptions.
Centralizing and Decentralizing Security Functions.
Marketing the Mission within the Enterprise.
Developing a Security Marketing Program.
Marketing Upward.
Marketing Outward.
Identifying Resources.
Existing Sources of Resource Identification.
Levels of Information Hierarchy.
Complexity of Classification Schemes.
External Requirements.
Selecting Appropriate Security Levels.
Grouping Resources into Security Domains.
ESP Domain Schemes.
Merging the Domain Schemes.
An Example of Need-based Divisions.
Documenting the Rules for Domain Designation.
Choosing a Policy Model.
Formal Security Policies.
Identity-based Policies.
Role-based Policies.
Researching Existing Policies.
Conducting a Policy Audit.
Finding Documented Policies.
Finding Undocumented Policies.
Creating the Functional Assessment of Security.
Reducing the Scope of the Projects.
Identifying Security Requirements.
Selecting the Sources of Information.
Collecting Information.
Developing Requirements.
Categories of Requirements.
Determining Business Requirements.
Determining Data Management Requirements.
Determining Application Requirements.
Determining Infrastructure Requirements.
Trust Modeling.
Point 1: Establishing Trust Concepts.
Point 2: Applying Trust Concepts.
Point 3: Achieving Trust-based Requirements.
Patterns for Adaptive Infrastructure.
Analyzing Gaps.
Assessing Risk.
Analyzing Costs and Benefits.
Assessing Culture.
Prioritizing Projects.
Determining the Security Strategy.
Shortening the List of Projects.
Selecting Projects.
Reordering Priorities by Duration.
Determining Required Resources.
Planning the Projects.
Sourcing the Projects.
Selecting the Security Products.
Marketing the Projects.
Product Packaging.
Upward Marketing.
Outward Marketing.
What Is Next?
Modifying the Baseline Steps.
Pass 1.
Pass 2.
Pass 3.
Pass 4.
Integrating ESP into the Ongoing Security Program.
Analyzing Technology Maturation.
Projecting Demand Curves.
Assessing Adoption Probability.
Enforcement Security Technologies.
Identification.
Authentication.
Authorization.
Access Control.
Support Security Technologies.
Auditing.
Administration.
Technology Integration.
Meet Y Company.
Step 1. Prepare the Enterprise for Security.
Step 2. Organize Security by Resources and Domains.
Step 3. Complete the Baseline Security Analysis.
Step 4. Complete Requirements.
Step 5. Identify Gaps and Prioritize Needs.
Meet Z Company: A Federated Model.
Step 1. Prepare the Enterprise for Security.
Step 2. Organize Security by Resources and Domains.
Step 3. Complete the Baseline Security Analysis.
Step 4. Complete Requirements.
Step 5. Identifying Gaps and Prioritizing Needs.
Y Company.
Marketing Program.
General Policy Revision and Domain Perimeter Repair.
Security Technology Improvements and Administration Policy Changes.
Considerations.
Z Company.
Establishing Minimum Security Criteria.
Policy Structure Creation.
Backbone Access Control.
Single-Point Administration through Role-based Authorization.
Why Single-Point Administration Is Needed.
Role-based Authorization.
The Security Fabric: Integrating the Tiers.
SSO Terminology.
Identification.
Strong Authentication and Authorization Management.
Product Architectures.
Script-based SSO Tools.
Broker-based SSO Tools.
How to Succeed at SSO.
Installability and Scalability.
SSO Planning Projects.
Evaluation Criteria for SSO Products.
Checklist of questions to ask in evaluating SSO products.
Request for Proposal.
Implementation of Secure Single Sign-On and Single-Point Administration.
I. Overview.
II. Environment.
Configuration.
III. Vendor Instructions.
IV. Requirements.
V. Implementation.
VI. Contract Terms.
VII. Vendor Financial Proposal.
Securing Business Information addresses one of the most prominent challenges in e-Business: how to keep enterprise data secure in a distributed environment.
Starting in 1997, META Group developed information on security for distributed systems to serve a group of clients who were adapting to the new demands of on-line commerce. Working with these clients, META Group researchers found that security managers often have no distributed-systems experience, while those with distributed-systems experience have little or no security background. Both groups needed answers to the same questions: Where should we start? What process should we use to define appropriate security for our heterogeneous environment? In answer to these questions,
Securing Business Information provides the Enterprise Security Plan, a six-part process to help you implement the highest level of achievable security for your enterprise.
access control 139
administration 140
features 141
integration 140
lists (ACLs) 132
platform support 140
user-based 140
Ace/Server 122
ActiveX 136
administrative domain 38
adoption
probability of 116
analysis
cost/benefit vs. risk 86
gap 72
internal market 1
Strength, Weakness, Opportunities, and Threats (SWOT) 20
upward market 171
attack simulation 144
auditing 142
authentication 127
authorization
individual 133
role-based scheme 7
technology-domain 133
authorization servers 133
backbone access control 178
baseline
gaps between strategic requirements 82
modifying the steps 107
biometrics 124
face recognition 125
fingerprint recognition 125
hand-geometry recognition 125
signature recognition 125
voice recognition 126
bleeding-edge 116
boot control 141
briefing document 28
broker platform 205
business-to-business (B2B) 72, 134
business-to-consumer (B2C) 134
business-unit security officers 163
C/B 91
centralized authorization 69
certificate authority (CA) 130
certification 29
change 199
class
definitions of 34
classification scheme
complexity of 33
coached interview 62
collaborate patterns 79
Component Object Model (COM) 136
Computer Security Institute (CSI) 85
Control Objectives for Information and Technology (COBIT) 178
cost/benefit analysis 82
crossover point 127
cultural assessment 87
customers
vs. business partners 66
Data Center 155
Data Encryption Standard (DES) 141
data management 66
data-warehousing 67
Delphi method 84
digital signature 132
Distributed Computing Environment (DCE) 128
security 195
domain definitions
purpose of 35
domain schemes 35
early adopters 114
early majority enterprises 114
e-Business 71
Elliptic Curve Cryptography (ECC) 129
Encrypted File System (EFS) 142
encryption 68, 141
end-user device 205
enforcement technologies 120
branches of 119
Engineering Division 155
enterprise security charter 2, 22
Enterprise Security Plan (ESP) 1, 193
administering 6
domain schemes 36
implementing 110
integrating into the security program 111
enterprise security policy 160
establishing minimum security criteria 175
evaluation checklist 176
eCommerce
security planning 76
Facilitated Risk Assessment Process (FRAP) 85
failure, redundancy, and recovery 205
Formal Security Policies 52
Gantt chart 97
gap analysis 72
general public 114
Generalized System Security Application-Programming Interface (GSSAPI) 128, 194
geographic domain 36
granularity 34, 94
coarse 32
excessive 187
fine-resource 32
hard tokens 122
headquarters 155
heterogeneity 199, 201
heterogeneity factor (HF) 201
heuristic scanning 138
hinge point 115
identification 194
Identity-based Policies 52
Information Architecture Group (IAG) 102
intrusion detection 143
inventory system
implementation of 32
IP Network 157
job descriptions
samples of 11
Kerberos 69, 128, 140, 202
key management 69
large office 156
leading-edge technology 114
lifecycle-based domain 44
Lightweight Directory-Access Protocol (LDAP) 130
management white paper 105
market identification 16
market research
and analysis 17
marketing 2
analyzing outward markets 26
analyzing upward markets 23
applying 15
communication plan 104, 172
communications 20
creating messages for the outward audience 27
creating messages for the upward audience 24
crucial to ESP 15
developing outward communications 27
developing product packages for upward markets 23
different approaches to upward and outward audiences 18
identifying targets of upward marketing 22
identifying the targets of outward marketing 26
program 16
using market research 20
marketing campaign
first step 170
media
using in Outward Marketing communications 28
network access control 142
Object Linking and Embedding (OLE) 136
OLE custom control (OCX) 137
Open Group (formerly Open Software Foundation) 128
operating system dependence 205
organizational domain 37
Outward marketing 104, 170, 173
outward markets
developing product packages for 27
paradigms
centralized vs. distributed 8
password
mandated change 122
strong 122
pattern
adaptive infrastructure 79
identifying behavior 27
of operation 47
perimeter window 48
point products 101
policy
consistent 14
finding documented and undocumented 56
identity-oriented statement 53
reviewing 174
security 47
structure creation 176
policy audit 143
conducting a 56
preference list 200
priorities
reordering by duration 95
process
domain-definition 36
product packaging 20, 103, 171
production
scheduling 25
projects
marketing 103
planning 97
prioritizing 90
reducing the scope of 58
tactical vs. strategic 90
Public-Key Infrastructure (PKI) 128
publish patterns 79
Rank It 84
RBA 185
real cost of ownership (RCO) 203
relational database management system (RDBMS) 32
request for proposal (RFP) 99, 203
requirements
achieving trust-based 76
building a list of 64
categories of 64
collecting 62
determining business 65
determining infrastructure 70
tactical 68
tactical vs. strategic 115
resource owner 5
resource(s)
constraints 16
control of 189
determining required 96
hierarchy 32
identifying 31
list 34
mapping 38
organizing 39
organizing issues by application 41
organizing issues by security class 40
securing 8
security 7
security classification of 33
sources of information 33
type of 33
resource-based domain 39
defining the scheme 42
risk assessment 82, 83
rogue 136
applications 138
controlling 139
methods for controlling 138
role
administrative assistant (AA) 185
administrator 171
central administrator 189
Chief Executive Officer (CEO) 2, 178
Chief Information Officer (CIO) 8, 62, 151
Chief Security Officer (CSO) 162, 165, 178
Director of Security 4, 11
executive management 2
general manager 171
local administrator 189
lower management 2
middle management 2
programmer 6
resource owner 5, 6, 8, 33, 38, 171
security administrator 4, 6, 10, 13, 14, 190, 201, 203
security director 6
security manager 4, 6, 10, 12, 13, 17, 24, 28, 31, 36, 39, 44, 52
sponsor for the marketing program 17
systems administrator 172
systems analysts 17
technical manager 171
technicians 171
role definition 185
Role-Based Administration (RBA) 135, 184, 189, 200
alternative approaches to 187
cost of 191
establishing 185
issues in implementing 191
roles 188
assigning 14
creation of 189
RSA algorithm 129
script model 197
script variability 200
Secure Sockets Layer (SSL) 134
secured resource platform 205
SecurID 122
security
administration 182
audit 190
auditing 142
decisions regarding 28
developing a functional assessment of 57
evaluating the security program 29
identifying the requirements 61
management 8
mapping 39
program 2
selecting security products 101
security administrator
differences between security manager and 3
security staff
reporting to the CIO 9
selective application 187
Sesame 127, 195
signature scanning 138
Simple Network Management Protocol (SNMP) 144
Single Sign-On (SSO) 128, 140, 151, 161, 181, 194
developing an ESP project for 200
evaluating products 204
limiting factors 198
terminology 194
tools 146
Single-Point Administration (SPA) 134, 151, 161, 181, 183, 194
defining 192
Small Office 156
smart card 123, 195
SNA Network 157
soft tokens 123
solution
authorization 195
sourcing strategy 98
SSO 103
staff changes
assessing the impact of 65
stovepipe 9
surveys 17
System Administrator Tool for Analyzing Networks (SATAN) 145
technical white paper 105
technologies
matching vs. identification 127
technology-based domain 42
tools
@Risk 83
broker-based SSO 197
certificate-management 136
modeling 83
risk audit 83
Risk Watch 84
security 55
systems management 35
transact patterns 79
trust 72, 130
trust concepts
applying 74
establishing 72
trust modeling
vs. risk assessment 74
upward marketing 104, 109, 170, 172
developing communications 23
using media in 24
vendor viability 206
Virtual Private Network (VPN) 167
virus 135
methods for controlling 138
Web Single Sign On (Web SSO) 134