Security Planning & Disaster Recovery
Eric Maiwald
William Sieglein
McGraw-Hill/Osborne
2600 Tenth Street
Berkeley, California 94710
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please
contact McGraw-Hill/Osborne at the above address. For information on translations or book
distributors outside the U.S.A., please see the International Contact Information page
immediately following the index of this book.
Copyright © 2002 by The McGraw-Hill Companies. All rights reserved. Printed in the United
States of America. Except as permitted under the Copyright Act of 1976, no part of this
publication may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without the prior written permission of publisher, with the
exception that the program listings may be entered, stored, and executed in a computer
system, but they may not be reproduced for publication.
1234567890 FGR FGR 0198765432
ISBN 0-07-222463-0
Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Acquisitions Editor: Jane Brownlow
Project Editor: Janet Walden
Acquisitions Coordinator: Emma Acker
Technical Editor: Ben Rothke
Copy Editor: Claire Splan
Proofreader: Pam Vevea
Indexer: Claire Splan
Computer Designers: Kelly Stanton-Scott, Mickey Galicia
Illustrators: Lyssa Wald, Michael Mueller
Series Design: Peter Hancik, Lyssa Wald
Cover Series Design: Jeff Weeks
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable.
However, because of the possibility of human or mechanical error by our sources, McGraw-
Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the
results obtained from the use of such information.
This book is dedicated to my wife Kay and my two sons, Steffan and Joel, who put up with a
lot of long days and lost time (again) during the writing of this book. –EM
This book is dedicated to my lovely wife Jane—’Tis naught Othello or King Lear, but that WS
did not receive royalties. And to my children Kyle, Haley, and Maggy—YES, I can play now!
–WS
About the Authors
Eric Maiwald is the Chief Technology Officer for Fortrex Technologies, where he oversees
all security research and training activities for the company. He also manages the Fortrex
Network Security Operations Center where all managed services are performed. Mr. Maiwald
also performs assessments, develops policies, and implements security solutions for large
financial institutions, services firms, and manufacturers. He has extensive experience in the
security field as a consultant, security officer, and developer. Mr. Maiwald holds a Bachelor
of Science degree in Electrical Engineering from Rensselaer Polytechnic Institute and a Master
of Engineering in Electrical Engineering from Stevens Institute of Technology, and is a
Certified Information Systems Security Professional (CISSP).
Mr. Maiwald is a named inventor on patent numbers 5,577,209, “Apparatus and Method for
Providing Multi-level Security for Communications Among Computers and Terminals on a
Network”; 5,872,847, “Using Trusted Associations to Establish Trust in a Computer
Network”; 5,940,591, “Apparatus and Method for Providing Network Security”; and
6,212,636, “Method for Establishing Trust in a Computer Network via Association.”
Mr. Maiwald is a regular presenter at a number of well-known security conferences. He has
also written Network Security: A Beginner’s Guide, published by McGraw-Hill/Osborne, and
is a contributing author for Hacking Linux Exposed and Hacker’s Challenge, also published
by McGraw-Hill/Osborne.
William Sieglein is the Manager of Security Services for Fortrex Technologies, where he
oversees all security consulting and professional services for the company. Mr. Sieglein also
manages information security projects for Fortrex clients, leads risk assessments, develops
policies, and implements security solutions. He has over 20 years’ experience in the IT
industry, specializing in information security. Mr. Sieglein holds a Bachelor of Science
degree in Computer Science from the University of Maryland and a Master of Science in
Technical Management from Johns Hopkins University.
Mr. Sieglein has published numerous articles for various publications including Business
Credit Magazine, Security Advisor, and CMP’s iPlanet, where he was also the security expert
for several months. Mr. Sieglein has been a guest speaker for various organizations including the
Information Systems Audit and Control Association (ISACA), Joint Special Operations
Command (JSOC), and the American Society for Industrial Security (ASIS).
About the Technical Reviewer
Ben Rothke (brothke@hotmail.com) is a Principal Consultant with trustEra
(www.trustEra.com). His areas of expertise are in PKI, design and implementation of systems
security, HIPAA, encryption, security architecture and analysis, firewall configuration and
review, cryptography, and security policy development. Mr. Rothke previously worked for
Baltimore Technologies, Ernst & Young, and Citibank and has provided information security
solutions to many Fortune 500 companies.
He is a frequent speaker at industry conferences and has written for many computer
periodicals. Currently, he writes a column for Unix Review as well as a monthly security book
review for Security Management magazine.
Mr. Rothke is a Certified Information Systems Security Professional (CISSP), a Certified
Confidentiality Officer (CCO), and a member of ISSA, ICSA, IEEE, ASIS & CSI, operating
out of a New York-based office.
Acknowledgments
This book could not have been written without the help of a number of people. Most notable
in their help were those people we work with at Fortrex Technologies, Inc., especially Lee
Kelly for his work on the HIPAA regulations and Andrew Waltz for his research on GLBA.
We would also like to acknowledge the great support of our technical editor, Ben Rothke,
who turned the chapters around very quickly. Of course, none of this could have been possible
without the help from the people at McGraw-Hill/Osborne, most notably Jane Brownlow,
Emma Acker, and Janet Walden.
Introduction
In this e-centric day and age organizations have come to rely on IT infrastructures not just as
an aid to business, but for some, as the core of their business. Safe, secure, and reliable
computing and telecommunications are essential to these organizations. As these
organizations begin to understand the importance of information security, they are developing
security programs that are often under the direction of the CIO.
An information security program includes more than just people and technology. The
programs involve policies, procedures, audits, monitoring, and an investment of time and
money. This book is meant to provide organizations with a broad overview of the security
program, what it should be, who it should include, what it entails, and how it should fit into
the overall organization.
This book is for the security professional who must answer to management about the security
of the organization. In today’s economy, many organizations do not have the ability to hire a
person and dedicate that person to security. Often the person who is given this job is an IT
professional with no specific security training. This book will provide the road map for such
individuals.
The book is divided into four main parts plus some good information in appendices:
Part I: Guiding Principles in Plan Development
Part I is intended to provide guidance on fundamental issues with security planning. In this
part we cover the basic concepts of the role of information security, laws and regulations, and
risk identification.
• Chapter 1: The Role of the Information Security Program. Chapter 1 discusses the
overall importance of the information security program. It describes where it fits into
the organization and who should establish its charter, mission, responsibilities, and
authority. It further talks about the relationship of the information security manager
(and the department) to the rest of the organization. It is impossible to build a program
in a vacuum or with bad relationships throughout the organization.
• Chapter 2: Laws and Regulations. Many industries have federal or state regulations
that must be followed. Some of these regulations may affect the security program. It is
therefore important for the security department to understand the regulatory
requirements. In some cases the existence of the information security program is
clearly dictated by laws and regulations.
• Chapter 3: Assessments. This chapter focuses on how organizations go about
identifying the state of their information security efforts. It includes information on
various types of assessments and when they should and should not be used.
Part II: Plan Implementation
Part II discusses the basics of risk management and mitigation. Once risk has been
identified, the mitigation steps must be taken. While the exact plan will vary for each
organization, this part of the book provides the basics.
• Chapter 4: Establishing Policies and Procedures. This chapter discusses the
importance of policies and procedures and describes policies and procedures that need
to be created for the organization. The primary focus of this chapter is the order in which
they should be created and the approach to use in getting the organization to buy into
what is created.
• Chapter 5: Implementing the Security Plan. Policies are nice documents, but if they
are not implemented, they do no good. This chapter talks about general guidelines for
implementing good policies.
• Chapter 6: Deploying New Projects and Technologies. No organization can afford
to develop everything internally. Security is no different in this regard. Since it is
likely that products will be purchased for the organization and new projects will be
developed internally, this chapter covers how to manage the risk to the organization
through the development process.
• Chapter 7: Security Training and Awareness. This chapter discusses the programs
and classes that must be established to make the organization aware of security issues.
Security awareness is one of the most cost-effective components of the information
security program. In a recent speech, Richard Clarke, the President’s cyber-security
advisor, noted that the awareness of employees was critical to an organization’s
security program. He also noted that he and the federal government would be stressing
this topic to industry in the coming months.
• Chapter 8: Monitoring Security. The security program is in place. How do you know
that it is working? The only way to know is to monitor it. This chapter discusses the
more useful methods for monitoring.
Part III: Plan Administration
Security programs are no different than any other program within an organization. Once
they are set up and working properly, they must be managed and administered properly.
This part talks about these tasks.
• Chapter 9: Budgeting for Security. Just about every organization has a budget
process. The security department must go through it with every other department.
Therefore, it is important for the security department to do it well.
• Chapter 10: The Security Staff. Not every security program has a staff, but many do.
Choosing the correct individuals for the staff and the correct mix of skills can make or
break the program. This chapter talks about the mix of the team and how to find good
people.
• Chapter 11: Reporting. Finally, there is reporting. Without some type of reporting
there is no way for the organization to gauge the effectiveness of the security
department. There is rarely an ROI for security (but this is changing), and thus there
must be other metrics to use to measure the performance of the department.
Part IV: How to Respond to Incidents
All of the planning, risk identification, risk mitigation, and administration tasks can help an
organization to manage risk. However, no one can ever completely remove risk. This part of
the book discusses how to deal with incidents and disasters when they occur.
• Chapter 12: Incident Response. Bad things happen. The security program works
diligently to try to prevent them, but they happen anyway. When they do, the security
department must be ready to take the lead in the response.
• Chapter 13: Developing Contingency Plans. Disasters of all shapes and sizes occur
to businesses. Because organizations have become so dependent on their IT
infrastructures, it is essential that they develop an IT Disaster Recovery Plan and keep
it up to date. This plan will provide policies, procedures, roles, and responsibilities for
preparing for, responding to, and recovering from a variety of disasters. This chapter
explains the key steps in developing an IT DRP.
• Chapter 14: Responding to Disasters. How an organization responds to a disaster is
just as important as how an organization plans for a disaster. Often, the response to a
disaster deviates from the plan due to unforeseen circumstances. This chapter
discusses the proper response during a serious disaster.