Index 318
S
SABSA model, See Sherwood Applied Business
Architecture (SABSA) model
Sahakian, Curtis E., 59
Salesforce.com, 43
SANS Internet Storm Center, 247
SANS (SysAdmin, Audit, Network, Security) Institute,
287
SAP, 43, 44
Scenario planning, 10, 68–69, 83
Schneier, Bruce, 63
Schon, Donald, 10
Schwartz, Peter, 68
SDL, See Security development lifecycle (SDL)
SDL and incident response, 189–190
application, 195–196
control objectives, 203–209
design, 197
development, 197
release, 198
requirements, 196–197
SDL challenges, 200–202
SDL drivers and benefits, 199–200
SDL success factors and lessons learned,
202–203
software as a service extension
(SAAS), 198
support/service, 198
verification, 197
rapid response, 214
automated responses, 217–218
incident response procedures, 214–217
nonincident-related response procedures, 218
rapid response drivers and benefits, 219–221
reporting a response procedures, 218–219
response challenges, 221
response success factors and, 221–223
security development lifecycle (SDL) overview,
190–191
security incident response overview, 191–193
elements of application development and
response, 195
tactical objectives, 193–195
transition objectives, 209
challenges, 211–212
common collection and dispatch, 209–210
control objectives, 212–214
drivers and benefits, 210–211
success factors and lessons learned, 212
Security, 7
challenges for security groups, 6
groups, challenges for, 6
Security awareness training, 275–277, 280
challenges, 289–291
determining success, 292–293
drivers and benefits, 283–284
elements, 282
industry training trends and best-practices
examples, 284–286
objectives, 280–282
staff development training, 277
general staff security training, 277–278
requirements, 279
security staff training, 278–279
success factors and lessons learned, 291
training resources, 286–289
Security balanced scorecard, 86
“Security by obscurity,” 154
Security Company, 289
Security continuum, 15–16
Security convergence, 29, 91–92
benefits, 93
convergence challenges, 97–98
cost savings, 93–94
improved business continuity planning, 96–97
improved security and risk management, 94–95
more effective event/incident management,
95–96
other improvements, 97
regulatory compliance, 96
success factors, 98–99
user experience, 96
definition, 93
“Security Convergence: Current Corporate Practices
and Future Trends,” 100
Security culture, creating, 15
Security development lifecycle (SDL), 190–191
attack scenarios
against computer applications, 192
against network connections, 192–193
design, 197
threat modeling, 197
development, 197
lifecycle processes and tasks, 196
principles, 191
release, 198
secure delivery lifecycle processes and tasks, 199
support/service, 198
verification, 197
Security incident, 190
Security leadership challenges, 6–7
Security management approach, 7
Security metrics, sources, 4
Security objectives and tactics, 107
Security operations center (SOC), 99
Security services, security in outsourcing of, 261
challenges to outsourcing security services, 265–266
commonly outsourced services, 261–263
outsourcing of security services objectives, 264–265
outsourcing security services control objectives,
267–272
success factors and lessons learned, 266–267
TAF-K11348-10-0301-IDX.indd 318 8/18/10 3:14:06 PM
“Security Simulations: This Is Only a Test,” (Radcliff),
285
Security strategy, 9, 11, 14
requirements, 7
Security ‘systems integrator’ business model, 59
“Security Training 101,” Network World article titled,
278
Sentry, 146
common event detectors and uses, 148
event detection, 147–149
physical security, 146–147
Service Level Agreement (SLA), 34, 132
Severity rating criteria, 153
Shared Services Benchmarking Association (SSBA), 67
Shared-risk environments, 129
Shared storage scenario, 133
Shaw, George Bernard, 38
Sherwood Applied Business Architecture (SABSA)
model, 65, 82
Sibbit, David, 10
Signals, 43
Silverstone, Ariel, 4
Six Sigma, 15
SMART/SMARTER goals, 83
Snow, Patrick, 38
Social Media for Competitive Intelligence Seminar, 62
Society of Competitive Intelligence Professionals
(SCIP), 62, 228
Southwest Airlines, 71
Stackpole, Bill, 11, 24
Staff development training, 277
general staff security training, 277–278
security staff training, 278–279
security staff training requirements, 279
Starbucks, 43, 51
Strategic framework, 53–54
additional environmental scan resources, 67–68
Blue Ocean strategy versus Red Ocean strategy,
70–71
business drivers, 65–66
for enterprise, 66–67
business intelligence, 63
competitive intelligence, 62–63
environmental scan, 54–55
futurist consultant services, 69–70
industry standards, 56–59
marketplace/customer base, 59–60
national and international requirements (political
and economic), 61–62
organizational culture, 60–61
regulations and legal environment, 55–56
scenario planning, 68–69
technical environment and culture, 63–64
Strategic planning, 1, 7
challenges for security and, 8–10
essentials
big picture renewal, 34
communication, 5
completion, 5
implementation schedule, 4
metrics, 4–5
preparation, 3
strategies and actions/focusing plan, 4
getting started, 7–15
metaphor analysis and, 10–13
as process, 13–14
requirements for successful, 14–15
timing of conduct, 10
value proposition, 8
Strategic planning, security
barriers, 31
change, resisting, 34
honing organizational strategic planning
skills, 32
inside/outside organizational input/output, 31–32
niches, voids and examples, 33
organizations out of touch with business realities,
34–35
outsourcing, 34
overcoming negative perceptions of security,
33–34
strategic business principles and workplace
politics, 32–33
technology, ever-new, 35
thinking ahead and executing, 32
trust, building/keeping, 35
developing thinking skills, 35–36
anticipation, 38
communication, 38
evaluation, 38–39
flexibility practice, 39–40
focus long distance/practice short distance, 37–38
inquiry, 37
scanning, 36–37
time management, 36
essentials, 20
extended enterprise, big picture, 21
flexibility and fluidity, developing, 22
linking with organization strategic plan, 22
importance, 17–18
keys to success, 24
communication, 28–29
connection to core values, 26–27
core competencies, 27–28
implementation, 29–30
passion (emotional energy) and speed of planning
and adapting, 25–26
simplicity, 24–25
methods and models, 18–19
myths, 30–31
planning methods and models, 19
timing for, 23
tools, 20
Strategic planning facilitation, types of, 78
Strategic planning process, 3
evaluation, 56
Strategic planning tools, 70
“Strategizing with Visual Metaphors” (Sibbit), 10
Strategy, 1, 3
“Strategy jam” metaphor, 11, 12
need for adaptive skills, 12–13
need for collaboration, 12
need for responsiveness, 12
Success factors and lessons learned, 98–99, 158, 212,
233, 256–257, 266–267, 291
Supervision, competent, 235–245
supervisor attributes, 236
cautious hirer, 238
enforcing, 238
observant, 238
trained, 236
supervisory attributes, 238
forced leave, 240–241
isolated, 239
least privilege, 239
rescreened, 240
rotated, 239–240
separation of duties, 238–239
target deception, 247–251
target retaliation, 245–247
Surveillance, 146–147, 159, 160
control objectives, 162–163
SWOT analysis, 36, 45–46, 54–55, 82
SYSLOG, 185
T
Tactics, 103
objectives identification, 107–108
commonality principle, 115–116
economy principle, 111–112
first principles, 108
least privilege principle, 114–115
maintenance of reserves (coverage) principle,
112–113
observation principle, 108–109
preparedness principle, 110–111
redundancy principle, 113–114
response principle, 109
timeliness principle, 109
tactical framework, 103–104
facilities—physical attack scenarios, 104–105
IT systems—logical attack scenarios, 106–107
Target deception, 247–251
code reviewed, 250–251
execution reviewed, 250
hardened, 248
isolated, 248
malicious code implantation, 248
malware protected, 250
privilege restricted/execution restricted, 250
scanned, 250
Target retaliation, 245–247
Technical culture(s), 64
Technical environment, 64
TechRepublic (Yahoo News), 190
Threat modeling, 197
Timeliness, 109–110
Toffler, Alvin, 53
Tower Group, 66
TQM magazine, 43
Training, security awareness, 275–277
awareness training challenges, 289–291
awareness training drivers and benefits, 283–284
awareness training elements, 282
awareness training objectives, 280–282
determining success, 292–293
development process, 282
industry training trends and best-practices examples,
284–286
staff development training, 277
general staff security training, 277–278
security staff training, 278–279
security staff training requirements, 279
success factors and lessons learned, 291
training resources, 286–289
Transglobal Secure Collaboration Program (TSCP), 287
Transition objectives, 209
challenges, 211–212
common collection and dispatch, 209–210
control objectives, 212–214
drivers and benefits, 210–211
success factors and lessons learned, 212
Tregoe, Bill, 31
Trusted System Evaluation Criteria (TSEC) model, 124
Tsu, Sun, 39, 83
U
Uncoupled scenarios, 139
V
Value chain, 57
Value proposition, 45
Value system, 58
The Verizon 2009 “Data Breach Investigation Report,”
235
Verizon Communications, 267
Vision, mission, and strategic initiatives, 80–83
analysis, 82–83
mission statement, 81
strategic initiatives, 81–82
vision statement, 80–81
W
WabiSabiLabi (WSLabi), 227
Washington Mutual Savings and Loan (WaMu),
26–27
Weizenbaum, Joseph, 210
Wharton/ASIS Program for Security Executives, 288
White-hat hackers, 231
Whittle, Ralph, 9
Whyte, David, 72
Willemssen, Joel C., 97
Windows attack vectors and scenarios, 194
Windows Vista, 131
Winkler, Ira, 228
World Wide Web Consortium (W3W), 61
Z
Zoho, 43