E-book, English, Volume 32, 244 pages
Frye: Network Security Policies and Procedures
1st edition 2007
ISBN: 978-0-387-47955-2
Publisher: Springer US
Format: PDF
Copy protection: 1 - PDF Watermark
Series: Advances in Information Security
Company network administrators are compelled today to aggressively pursue a robust network security regime. This book aims to give the reader a strong, multi-disciplinary understanding of how to pursue this goal. This professional volume introduces the technical issues surrounding security as well as how security policies are formulated at the executive level and communicated throughout the organization. Readers will gain a better understanding of how their colleagues on 'the other side of the fence' view the company's security and will thus be better equipped to act in a way that forwards the company's goals.
Further information & material
1;Table of Contents;6
2;List of Figures;7
3;Preface;8
4;Acknowledgments and Dedication;9
5;Chapter 1 Information Technology and Its Role in the Modern Organization;10
5.1;Chapter Objectives;10
5.2;1.1 Information Technology's Role in an Organization's Processes;10
5.2.1;1.1.1 Cats and Dogs (Technical Workers and Management);11
5.3;1.2 The Role Policies Play in an Organization;12
5.4;1.3 Incidents That Have Made Security and Accountability Major Issues;13
5.5;1.4 The Book's Organization;16
6;Chapter 2 The Extent of an Organization's Connectivity;20
6.1;Chapter Objectives;20
6.2;2.1 Access in the Age of the Extended Enterprise;20
6.3;2.2 The Players;23
6.3.1;2.2.1 Customer-Facing Employees;23
6.3.2;2.2.2 Internal Functional Employees;25
6.3.3;2.2.3 Internal Support Employees;27
6.3.4;2.2.4 Management;28
6.3.5;2.2.5 External Players;29
6.4;2.3 Locations from Which Access is Required;30
6.4.1;2.3.1 Fixed Locations;31
6.4.2;2.3.2 Mobile Locations;31
6.5;2.4 Conclusion;32
6.6;2.5 Discussion Questions;33
7;Chapter 3 Network Physical Components;36
7.1;Chapter 3 Objective;36
7.2;3.1 Introduction;36
7.3;3.2 Computers;36
7.4;3.3 Connectors;38
7.5;3.4 Firewalls;40
7.6;3.5 Conclusion;41
7.7;3.7 Discussion Questions;42
8;Chapter 4 Legitimate Network Access;44
8.1;Chapter 4 Objective;44
8.2;4.1 Introduction;44
8.3;4.2 The Three Somethings;44
8.3.1;4.2.1 Something You Are;44
8.3.2;4.2.2 Something You Know;45
8.3.3;4.2.3 Something You Have;46
8.4;4.4 Conclusion;46
8.5;4.5 Discussion Questions;46
9;Chapter 5 Illegitimate Network Access;48
9.1;Chapter 5 Objective;48
9.2;5.1 Introduction;48
9.3;5.2 The Profiles;48
9.3.1;5.2.1 Criminals;48
9.4;5.3 The Paths to Intrusion;50
9.5;5.4 Malware;50
9.6;5.5 Conclusion;51
9.7;5.6 Questions for Discussion;51
10;Chapter 6 Encryption;54
10.1;Chapter 6 Objective;54
10.2;6.1 Introduction;54
10.3;6.2 The Information Sent Over Networks;54
10.4;6.3 Encryption;55
10.5;6.4 Authentication;56
10.6;6.5 Conclusion;56
10.7;6.6 Discussion Questions;57
11;Chapter 7 Balanced Scorecard;58
11.1;Chapter Objectives;58
11.2;7.1 Introduction to the Balanced Scorecard;58
11.2.1;7.1.1 The Balanced Scorecard's Views;58
11.2.2;7.1.3 Dysfunctional Processes;62
11.3;7.2 How a Balanced Scorecard Succeeds;62
11.4;7.3 Conclusion;64
11.5;7.4 Discussion Questions;64
12;Chapter 8 Sarbanes-Oxley;66
12.1;Chapter Objectives;66
12.2;8.1 Scandal Leads to Regulation;66
12.3;8.2 SOX Described;66
12.3.1;8.2.1 The Consequences of Violating SOX;68
12.3.2;8.2.3 Due Diligence with Offsite Partners;71
12.3.3;8.2.5 Compliance is Costly;73
12.3.4;8.2.6 Mid-Course Corrections?;73
12.4;8.3 Applying the Balanced Scorecard to SOX;74
12.5;8.4 Conclusion;75
12.6;8.5 Discussion Questions;75
13;Chapter 9 Physical Security;78
13.1;Chapter Objectives;78
13.2;9.1 Physical Security - Easily Overlooked;78
13.3;9.2 Where to Locate Computer Equipment;79
13.4;9.3 Employee Identification Procedures;81
13.5;9.4 Employees Transitioning Out of the Organization;85
13.6;9.5 Visitor Policy;87
13.7;9.6 Applying the Balanced Scorecard to Physical Security;91
13.8;9.7 Conclusion;95
13.9;9.8 Discussion Questions;95
14;Chapter 10 Disaster Recovery;98
14.1;Chapter Objectives;98
14.2;10.1 Disaster is Always Just around the Corner;98
14.3;10.2 Factors to Be Considered in Formulating a Disaster Recovery Plan;99
14.4;10.3 An Organization's Processes;100
14.5;10.4 Data as a Critical Element of Business Continuity;104
14.6;10.5 Restoring the Original Site;105
14.7;10.5 Applying the Balanced Scorecard to Disaster Recovery;106
14.8;10.6 Conclusion;109
14.9;10.7 Discussion Questions;109
15;Chapter 11 Initial Employee Communication;112
15.1;Chapter Objectives;112
15.2;11.1 The Overall Purpose of Initial Employee Communication;112
15.3;11.2 Some Examples of "Confidential Information";113
15.4;11.3 Non-Disclosure Agreements;115
15.5;11.4 Non-Compete Agreements;117
15.6;11.5 Policies Relative to Employee IT Use;118
15.7;11.6 The Consequences of Violating the Employee Agreement;120
15.8;11.7 Applying the Balanced Scorecard to Initial Employee Communication;122
15.9;11.8 Conclusion;124
15.10;11.9 Discussion Questions;124
16;Chapter 12 The Human Element;126
16.1;Chapter Objectives;126
16.2;12.1 Humans - The Weakest Link in the Chain;126
16.3;12.2 Social Engineering;131
16.3.1;12.2.1 The Mentality of a Successful Social Engineer;131
16.3.2;12.2.2 How a Social Engineer Uses What Your Parents Taught You to Their Advantage;132
16.4;12.3 Countering the Social Engineer;134
16.5;12.4 Relevant Policies;135
16.6;12.5 Applying the Balanced Scorecard to the Human Element;137
16.7;12.6 Summary;138
16.8;12.7 Discussion Questions;139
17;Chapter 13 Email, Instant Messaging and Phishing;140
17.1;Chapter Objectives;140
17.2;13.1 Email and Instant Messaging are Crucial but Vulnerable;140
17.3;13.2 Email;141
17.4;13.3 Instant Messaging;145
17.5;13.4 Phishing;149
17.6;13.5 Fighting the Phishers;155
17.7;13.6 List of Potential Vendors;157
17.8;13.7 Applying the Balanced Scorecard to Email, Instant Messaging and Phishing;158
17.9;13.8 Conclusion;160
17.10;13.9 Questions for Discussion;161
18;Chapter 14 Network Administration;162
18.1;Chapter Objectives;162
18.2;14.1 The Network Administrator's Role;162
18.3;14.2 The Key Business Process Issue Influencing a Network Administrator;164
18.4;14.3 Network Administrators are Key Players in an Organization's Business Processes;164
18.5;14.4 Applying the Balanced Scorecard to the Management Aspects of Network Administration;165
18.6;14.5 Conclusion;166
18.7;14.6 Questions for Discussion;166
19;Chapter 15 Network Monitoring;168
19.1;Chapter Objectives;168
19.2;15.1 Monitoring the Network;168
19.3;15.2 IDS' Relevance to the Enterprise;169
19.4;15.3 Applying the Balanced Scorecard to the Management Aspects of Network Administration;170
19.5;15.4 Conclusion;170
19.6;15.5 Questions for Discussion;170
20;Chapter 16 Executive Communication;172
20.1;Chapter Objectives;172
20.2;16.1 Executive Communication is Crucial in Shaping Employee Behavior;172
20.3;16.2 Ronald Coase's Transaction Cost Economics;174
20.4;16.3 Leibenstein's Theory of X-Inefficiency;176
20.4.1;16.3.1 The Individual is the Proper Unit of Analysis;177
20.4.2;16.3.3 Inert Areas;179
20.4.3;16.3.5 Activity, Pace, Quality and Time;181
20.5;16.4 Mari Sako's Analysis of Trust;182
20.5.1;16.4.1 Arms-Length and Obligational Contractual Relationships;182
20.5.2;16.4.3 Trust's Role in Transaction Cost Economics;184
20.6;16.5 Applying the Balanced Scorecard to Executive Communication;185
20.7;16.6 Conclusion;186
20.8;16.7 Questions for Discussion;186
21;Chapter 17 Information Security Awareness;188
22;Chapter 18 Synthesis and Conclusion;204
22.1;Chapter Objectives;204
22.2;18.1 The Current State of an Organization's Operational Environment;204
22.3;18.3 Enterprise Architecture;211
22.4;18.4 Enterprise Architecture Rationale;213
22.5;18.5 Conclusion;215
23;Chapter 19 Draft Policies;218
23.1;Chapter Objectives;218
23.2;19.1 Draft Policies;218
23.2.1;19.1.1 The Policy Policy;219
23.2.2;19.1.2 Business Process Documentation Policy;221
23.2.3;19.1.3 Awareness Training;223
23.2.4;19.1.4 Regulatory Compliance;225
23.2.5;19.1.5 Physical Security;226
23.2.6;19.1.7 Initial Employee Communication;229
23.2.7;19.1.8 Email and Instant Messaging;230
23.2.8;19.1.9 Network Access;231
24;Bibliography;234
25;Index;246
Chapter 3 Network Physical Components (p. 27-28)
Chapter 3 Objective
This chapter will discuss the various physical components of an organization's network.
3.1 Introduction
In a modern organization there will be a significant IT posture, relative to the size of the operation. While modern connectivity has improved an organization's ability to operate in an extended enterprise spanning all corners of the world, as discussed in Chapter 2, it has also put it at risk for theft, fraud, data loss and hacking, as the examples from Chapter 1 established. To provide the background for the communication, policy and enterprise architecture discussions to follow in later chapters, the next few chapters will discuss the various physical and software-based elements of an organization's IT environment. Chapters 14 and 15 cover network administration and monitoring. As the emphasis of this book is on the policies facilitating a well-structured enterprise, the directly technical aspects of the issues are covered in sufficient depth to provide the reader with an overview of the subject matter.
3.2 Computers
3.2.1 Desktops and Laptops
Virtually everyone with an office job uses a computer for at least parts of their job, even if it is only as a typewriter substitute. The desktop computer (Figure 3.1) is the most common piece of hardware used to perform work and to access the Internet, while the laptop (Figure 3.2) is the choice of consultants, especially those who travel and must work on airplanes, in hotel rooms and on cafe tables, often with one or more colleagues sharing the space. Desktops are the more powerful of the two systems, but laptops now have capabilities sufficient to perform all routine work and at the high end have the ability to perform complex and resource-intensive functions such as economic analysis.