Contents
Part I Information Assurance Basics
Chapter 1 Developing an Information Assurance Strategy
Legal and Regulatory Requirements
Strategic, Tactical, and Operational
Concise, Well-Structured, and Extensible
Chapter 2 The Need for Information Assurance
Protection of Critical and Sensitive Assets
Compliance to Regulations and Circulars/Laws
Meeting Audit and Compliance Requirements
Providing Competitive Advantage
Chapter 3 Information Assurance Principles
The MSR Model of Information Assurance
Information Assurance: Business Enabler
Information Assurance: Protects the Fabric of an Organization’s Systems
Information Assurance: Cost Effective and Cost Beneficial
Information Assurance: Shared Responsibilities
Information Assurance: Robust Approach
Information Assurance: Reassessed Periodically
Information Assurance: Restricted by Social Obligations
Implications from Lack of Information Assurance
Penalties from a Legal/Regulatory Authorities
Operational Losses and Operational Risk Management
Chapter 4 Information Assurance Concepts
Confidentiality, Integrity, and Availability
Nonrepudiation and Authentication
Identification, Authentication, Authorization, and Accountability
Privacy’s Relationship to Information Assurance
Assets, Threats, Vulnerabilities, Risks, and Controls
Chapter 5 Organizations Providing Resources for Professionals
Organizations Providing Resources for Professionals
(ISC)2 International Information System Security Certification Consortium
Computing Technology Industry Association
Information System Audit and Control Association
Information System Security Association
Disaster Recovery Institute, International
Chapter 6 Information Assurance Management System
Security Considerations for the Information Asset Life Cycle
Chapter 7 Current Practices, Regulations, and Plans for Information Assurance Strategy
Part II Information Assurance Planning Process
Chapter 8 Approaches to Implementing Information Assurance
Key Components of Information Assurance Approaches
Levels of Controls in Managing Security
Balancing Information Assurance and Associated Costs
Chapter 9 Organizational Structure for Managing Information Assurance
Importance of Managing Information Assurance as a Program
Structure of an Information Assurance Organization
Information Assurance Staffing
Technology and Service Providers
Information Technology Infrastructure Library
Organizational Change Maturity Model
Outsourcing and Cloud Computing
Information Classification and Handling
Information Labeling and Handling
Information Classification (Categorization) Example
Chapter 11 Information Assurance Risk Management
Integration with Other Management Practices
Chapter 12 Information Assurance Policy
Policy and Other Governance Functions
Policy in Relation to Standards
Policy in Relation to Guidelines
Policy in Relation to Procedures
Chapter 13 Human Resource Assurance
Include Security in Job Scope/Description
Defined Level of Confidentiality or Sensitivity
Use of Legal Documents to Protect Information
Monitoring and Privacy Expectations
Employee Training and Awareness
Termination or Change of Employment
Chapter 14 Advantages of Certification, Accreditation, and Assurance
Purpose of Certification and Accreditation
Primary Roles for Supporting Certification and Accreditation
Certification and Accreditation Process
Considerations for Product Evaluation, Certification, and Accreditation
Part III Risk Mitigation Process
Chapter 15 Information Assurance in System Development and Acquisition
Benefits of Incorporating Security Considerations
Overview of the System Development Life Cycle
Information Assurance in the System Development Life Cycle
Information Assurance in the System or Service Acquisition Life Cycle
Chapter 16 Physical and Environmental Security Controls
Physical and Environmental Security Controls
Physical Security of Premises and Offices
Chapter 17 Information Assurance Awareness, Training, and Education (AT&E)
Design, Development, and Assessment of Programs
Information Assurance Awareness
Information Assurance Training
Information Assurance Education
Chapter 18 Preventive Information Assurance Tools
Preventive Information Assurance Tools
Cryptographic Protocols and Tools
Network Intrusion Prevention System
Preventive Information Assurance Controls
Change Management and Configuration Management
Media Controls and Documentation
Content-Dependent Access Control
Context-Dependent Access Control
Centralized Access Control Administration
Decentralized Access Control Administration
Part IV Information Assurance Detection and Recovery Processes
Chapter 20 Information Assurance Monitoring Tools and Methods
Host Intrusion Detection System
Network Intrusion Detection System
Security Information and Event Management (SIEM)
Vulnerability Scanner Standards
Database Vulnerability Scanner
The Concept of Continuous Monitoring and Authorization
Chapter 21 Information Assurance Measurements and Metrics
Importance of Information Assurance Measurement
Information Assurance Measurement Process
Importance of Information Assurance Metrics
Information Assurance Metrics Program
Corrective Action Identification
Corrective Action Applications
Importance of Incident Handling
Phase 2: Detection/Identification
Importance of Computer Forensics
Prerequisites of a Computer Forensic Examiner
Establishing a Computer Forensics Team
Chapter 24 Business Continuity Management
Importance of Business Continuity Management
Critical Success Factors for BCM Implementation
Business Continuity Management Processes
Stage 1: Recognize BCP Is Essential
Stage 2: Identify the Business Needs
Stage 3: Develop BCM Strategies
Stage 4: Developing and Implementing a BCM Response
Stage 5: Developing a BCM Culture
Stage 6: Execute, Test, Maintain, and Audit
Business Continuity in the Cloud
Chapter 25 Backup and Restoration
Part V Application of Information Assurance to Select Industries
Overview of Information Assurance Approach
Healthcare-Specific Terminology
Information Assurance Management
Regulations and Legal Requirements
Information Assurance Risk Management
Policy, Procedures, Standards, and Guidance
Certification, Accreditation, and Assurance
Information Assurance in System Development and Acquisition
Physical and Environmental Security Controls
Awareness, Training, and Education
Continuous Monitoring, Incident Response, and Forensics
Business Continuity and Backups
Overview of the Information Assurance Approach
Information Assurance Management
Regulations and Legal Requirements
Information Assurance Risk Management
Policy, Procedures, Standards, and Guidance
Certification, Accreditation, and Assurance
Information Assurance: System Development and Acquisition
Physical and Environmental Security Controls
Awareness, Training, and Education
Continuous Monitoring, Incident Response, and Forensics
Business Continuity and Backups
Chapter 28 Industrial Control Systems
Overview of the Information Assurance Approach
Industrial Control–Specific Language
Information Assurance Management
Regulations and Legal Requirements
Information Assurance Risk Management
Policy, Procedures, Standards, and Guidance
Certification, Accreditation, and Assurance
Information Assurance in System Development and Acquisition
Physical and Environmental Security Controls
Awareness, Training, and Education
Continuous Monitoring, Incident Response, and Forensics
Business Continuity and Backups
A Suggestions for Critical Thinking Exercises
Vulnerability: Organizational Shortcomings
Vulnerability: Technical Shortcomings
Vulnerability: Procedural Shortcomings
D Sample Information Assurance Policy for Passwords
Choosing an Effective Password
Other Common Precautions to Protect a Password
F Select Privacy Laws and Regulations by Country/Economy or State
G Information System Security Checklist
H References and Sources of Information