Everything you need to know about information security programs and policies, in one book
In today’s dangerous world, failures in information security can be catastrophic. Organizations must protect themselves. Protection begins with comprehensive, realistic policies. This up-to-date guide will help you create, deploy, and manage them.
Complete and easy to understand, it explains key concepts and techniques through real-life examples. You’ll master modern information security regulations and frameworks, and learn specific best-practice policies for key industry sectors, including finance, healthcare, online commerce, and small business.
If you understand basic information security, you’re ready to succeed with this book. You’ll find projects, questions, exercises, examples, links to valuable easy-to-adapt information security policies... everything you need to implement a successful information security program.
Sari Stern Greene, CISSP, CRISC, CISM, NSA/IAM, is an information security practitioner, author, and entrepreneur. She is passionate about the importance of protecting information and critical infrastructure. Sari founded Sage Data Security in 2002 and has amassed thousands of hours in the field working with a spectrum of technical, operational, and management personnel, as well as boards of directors, regulators, and service providers. Her first text was Tools and Techniques for Securing Microsoft Networks, commissioned by Microsoft to train its partner channel, which was soon followed by the first edition of Security Policies and Procedures: Principles and Practices. She is actively involved in the security community, and speaks regularly at security conferences and workshops. She has been quoted in The New York Times and the Wall Street Journal, and on CNN and CNBC. Since 2010, Sari has served as the chair of the annual Cybercrime Symposium.
Learn how to
· Establish program objectives, elements, domains, and governance
· Understand policies, standards, procedures, guidelines, and plans—and the differences among them
· Write policies in “plain language,” with the right level of detail
· Apply the Confidentiality, Integrity & Availability (CIA) security model
· Use NIST resources and ISO/IEC 27000-series standards
· Align security with business strategy
· Define, inventory, and classify your information and systems
· Systematically identify, prioritize, and manage InfoSec risks
· Reduce “people-related” risks with role-based Security Education, Awareness, and Training (SETA)
· Implement effective physical, environmental, communications, and operational security
· Effectively manage access control
· Secure the entire system development lifecycle
· Respond to incidents and ensure continuity of operations
· Comply with laws and regulations, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules, and PCI DSS
Chapter 1: Understanding Policy 2
Looking at Policy Through the Ages....................................................................3
The Bible as Ancient Policy ........................................................................4
The United States Constitution as a Policy Revolution ..............................5
Policy Today ...............................................................................................5
Information Security Policy ..................................................................................7
Successful Policy Characteristics ...............................................................8
The Role of Government ...........................................................................13
Information Security Policy Lifecycle ................................................................16
Policy Development ..................................................................................17
Policy Publication .....................................................................................18
Policy Adoption .........................................................................................19
Policy Review ............................................................................................20
Test Your Skills ..................................................................................................22
Chapter 2: Policy Elements and Style 32
Policy Hierarchy .................................................................................................32
Standards..................................................................................................33
Baselines ...................................................................................................34
Guidelines .................................................................................................34
Procedures ................................................................................................35
Plans and Programs..................................................................................36
Policy Format .....................................................................................................36
Policy Audience ........................................................................................36
Policy Format Types .................................................................................37
Policy Components ...................................................................................38
Writing Style and Technique ..............................................................................48
Using Plain Language ...............................................................................48
The Plain Language Movement ................................................................49
Plain Language Techniques for Policy Writing .........................................50
Test Your Skills ..................................................................................................54
Chapter 3: Information Security Framework 64
CIA .....................................................................................................................65
What Is Confidentiality? ............................................................................66
What Is Integrity? ......................................................................................68
What Is Availability? ..................................................................................69
Who Is Responsible for CIA? ....................................................................72
Information Security Framework .......................................................................72
What Is NIST’s Function? .........................................................................72
What Does the ISO Do? ............................................................................74
Can the ISO Standards and NIST Publications Be Used to Build a Framework? ......75
Test Your Skills ..................................................................................................82
Chapter 4: Governance and Risk Management 92
Understanding Information Security Policies ....................................................93
What Is Meant by Strategic Alignment? ...................................................94
Regulatory Requirements .........................................................................94
User Versions of Information Security Policies .........................................94
Vendor Versions of Information Security Policies .....................................95
Client Synopsis of Information Security Policies ......................................95
Who Authorizes Information Security Policy? ...........................................96
Revising Information Security Policies: Change Drivers ...........................97
Evaluating Information Security Policies ..................................................97
Information Security Governance ....................................................................100
What Is a Distributed Governance Model? .............................................101
Regulatory Requirements .......................................................................104
Information Security Risk ................................................................................105
Is Risk Bad? ............................................................................................105
Risk Appetite and Tolerance ...................................................................106
What Is a Risk Assessment? ...................................................................106
Risk Assessment Methodologies ............................................................108
What Is Risk Management? ....................................................................109
Test Your Skills ................................................................................................113
Chapter 5: Asset Management 124
Information Assets and Systems .....................................................................125
Who Is Responsible for Information Assets? ..........................................126
Information Classification ................................................................................128
How Does the Federal Government Classify Data? ...............................129
Why Is National Security Information Classified Differently? ..................131
Who Decides How National Security Data Is Classified? .......................133
How Does the Private Sector Classify Data?..........................................134
Can Information Be Reclassified or Even Declassified? .........................135
Labeling and Handling Standards ...................................................................136
Why Label? .............................................................................................136
Why Handling Standards? ......................................................................136
Information Systems Inventory ........................................................................139
What Should Be Inventoried? .................................................................139
Test Your Skills ................................................................................................145
Chapter 6: Human Resources Security 156
The Employee Lifecycle ...................................................................................157
What Does Recruitment Have to Do with Security? ...............................158
What Happens in the Onboarding Phase? .............................................165
What Is User Provisioning? .....................................................................166
What Should an Employee Learn During Orientation? ...........................167
Why Is Termination Considered the Most Dangerous Phase? ...............168
The Importance of Employee Agreements ......................................................170
What Are Confidentiality or Non-disclosure Agreements? .....................170
What Is an Acceptable Use Agreement? ................................................170
The Importance of Security Education and Training .......................................172
What Is the SETA Model? .......................................................................173
Test Your Skills ................................................................................................177
Chapter 7: Physical and Environmental Security 188
Understanding the Secure Facility Layered Defense Model .....................190
How Do We Secure the Site? .................................................................190
How Is Physical Access Controlled? ......................................................192
Protecting Equipment ......................................................................................196
No Power, No Processing? .....................................................................196
How Dangerous Is Fire? .........................................................................198
What About Disposal? ............................................................................200
Stop, Thief! ..............................................................................................203
Test Your Skills ................................................................................................207
Chapter 8: Communications and Operations Security 218
Standard Operating Procedures (SOPs) .........................................................219
Why Document SOPs? ...........................................................................220
Developing SOPs ....................................................................................220
Operational Change Control ............................................................................225
Why Manage Change? ...........................................................................225
Why Is Patching Handled Differently? ....................................................228
Malware Protection..........................................................................................230
Are There Different Types of Malware? ..................................................231
How Is Malware Controlled? ...................................................................233
What Is Antivirus Software? ....................................................................234
Data Replication ..............................................................................................235
Is There a Recommended Backup or Replication Strategy? ..................235
Secure Messaging ...........................................................................................237
What Makes Email a Security Risk? .......................................................237
Are Email Servers at Risk? ......................................................................240
Activity Monitoring and Log Analysis ..............................................................242
What Is Log Management? .....................................................................242
Service Provider Oversight ..............................................................................245
What Is Due Diligence? ...........................................................................245
What Should Be Included in Service Provider Contracts? .....................247
Test Your Skills ................................................................................................252
Chapter 9: Access Control Management 264
Access Control Fundamentals ........................................................................265
What Is a Security Posture? ...................................................................266
How Is Identity Verified? .........................................................................266
What Is Authorization? ............................................................................270
Infrastructure Access Controls ........................................................................272
Why Segment a Network? ......................................................................272
What Is Layered Border Security? ..........................................................273
Remote Access Security .........................................................................277
User Access Controls ......................................................................................282
Why Manage User Access? ....................................................................282
What Types of Access Should Be Monitored? .......................................284
Test Your Skills ................................................................................................289
Chapter 10: Information Systems Acquisition, Development, and Maintenance 300
System Security Requirements .......................................................................301
Secure Code ....................................................................................................306
Cryptography ...................................................................................................310
Test Your Skills ................................................................................................318
Chapter 11: Information Security Incident Management 328
Organizational Incident Response ...................................................................329
What Is an Incident? ...............................................................................330
How Are Incidents Reported? .................................................................334
What Is an Incident Response Program? ...............................................335
What Happened? Investigation and Evidence Handling ........................340
Data Breach Notification Requirements ..........................................................345
Is There a Federal Breach Notification Law? ..........................................347
Does Notification Work? .........................................................................351
Test Your Skills ................................................................................................355
Chapter 12: Business Continuity Management 370
Emergency Preparedness ...............................................................................371
What Is a Resilient Organization? ...........................................................372
Business Continuity Risk Management ...........................................................374
What Is a Business Continuity Threat Assessment? ..............................375
What Is a Business Continuity Risk Assessment? ..................................376
What Is a Business Impact Assessment? ...............................................378
The Business Continuity Plan ..........................................................................380
Roles and Responsibilities ......................................................................381
Disaster Response Plans ........................................................................384
Operational Contingency Plans ..............................................................387
The Disaster Recovery Phase .................................................................388
The Resumption Phase ...........................................................................391
Plan Testing and Maintenance ........................................................................392
Why Is Testing Important? ......................................................................392
Plan Maintenance ...................................................................................393
Test Your Skills ................................................................................................397
Chapter 13: Regulatory Compliance for Financial Institutions 408
The Gramm-Leach-Bliley Act (GLBA) ..............................................................409
What Is a Financial Institution? ...............................................................410
What Are the Interagency Guidelines? ...................................................412
What Is a Regulatory Examination? ........................................................423
Personal and Corporate Identity Theft ............................................................424
What Is Required by the Interagency Guidelines Supplement A? ..........425
What Is Required by the Supplement to the Authentication in an Internet Banking Environment Guidance? ...427
Test Your Skills ................................................................................................431
Chapter 14: Regulatory Compliance for the Healthcare Sector 442
The HIPAA Security Rule .................................................................................444
What Is the Objective of the HIPAA Security Rule? ................................444
Enforcement and Compliance ................................................................445
How Is the HIPAA Security Rule Organized? ..........................................445
What Are the Physical Safeguards? .......................................................455
What Are the Technical Safeguards? .....................................................458
What Are the Organizational Requirements? ..........................................461
What Are the Policies and Procedures Standards? ................................463
The HITECH Act and the Omnibus Rule..........................................................464
What Changed for Business Associates? ...............................................465
What Are the Breach Notification Requirements? ..................................468
Test Your Skills ................................................................................................471
Chapter 15: PCI Compliance for Merchants 482
Protecting Cardholder Data .............................................................................483
What Is the PCI DSS Framework? ..........................................................486
Business-as-Usual Approach .................................................................487
What Are the PCI Requirements? ...........................................................487
PCI Compliance ...............................................................................................499
Who Is Required to Comply with PCI DSS? ...........................................499
What Is a Data Security Compliance Assessment? ................................500
What Is the SAQ?....................................................................................502
Are There Penalties for Noncompliance? ...............................................503
Test Your Skills ................................................................................................505
Appendix A: Information Security Program Resources 516
National Institute of Standards and Technology (NIST) Special Publications ..........516
Federal Financial Institutions Examination Council (FFIEC) IT Handbooks .....518
Department of Health and Human Services HIPAA Security Series ...............518
Payment Security Standards Council Documents Library ..............................518
Information Security Professional Development and Certification Organizations ......519
Appendix B: Sample Information Security Policy 520
Appendix C: Sample Information Systems Acceptable Use Agreement and Policy 568
Index