Assessing and Managing Security Risk in IT Systems / Edition 1

Assessing and Managing Security Risk in IT Systems / Edition 1

by John McCumber
     
 

View All Available Formats & Editions

ISBN-10: 0849322324

ISBN-13: 9780849322327

Pub. Date: 08/28/2004

Publisher: Taylor & Francis

This book is written to push back the advance of security-as-art and supplant it with a structured methodology that functions independent of technology evolution. The author outlines a simple yet thorough process to guide readers in the analysis and mitigation of risks in IT systems. The handbook contains enough detail to ensure practitioners and policy makers can

Overview

This book is written to push back the advance of security-as-art and supplant it with a structured methodology that functions independent of technology evolution. The author outlines a simple yet thorough process to guide readers in the analysis and mitigation of risks in IT systems. The handbook contains enough detail to ensure practitioners and policy makers can apply the concepts of the model. Because it does not delve into technical implications, an in-depth technical background is not necessary, although all technical people can work within its structure. Assessing and Managing Security Risk in IT Systems promises to become the most dog-eared possession for anyone charged with security in IT systems.

Product Details

ISBN-13:
9780849322327
Publisher:
Taylor & Francis
Publication date:
08/28/2004
Edition description:
New Edition
Pages:
288
Product dimensions:
6.20(w) x 9.30(h) x 0.80(d)

Table of Contents

SECURITY CONCEPTS

Using Models
Introduction: Understanding, Selecting, and Applying Models
Understanding Assets
Layered Security
Using Models in Security
Security Models for Information Systems
Shortcomings of Models in Security
Security in Context
Reference

Defining Information Security
Confidentiality, Integrity, and Availability
Information Attributes
Intrinsic versus Imputed Value
Information as an Asset
The Elements of Security
Security Is Security Only in Context

Information as an Asset
Introduction
Determining Value
Managing Information Resources
References

Understanding Threat and Its Relation to Vulnerabilities
Introduction
Threat Defined
Analyzing Threat
Assessing Physical Threats
Infrastructure Threat Issues

Assessing Risk Variables: The Risk Assessment Process
Introduction
Learning to Ask the Right Questions about Risk
The Basic Elements of Risk in IT Systems
Information as an Asset
Defining Threat for Risk Management
Defining Vulnerabilities for Risk Management
Defining Safeguards for Risk Management
The Risk Assessment Process

THE McCUMBER CUBE METHODOLOGY

The McCumber Cube
Introduction
The Nature of Information
Critical Information Characteristics
Confidentiality
Integrity
Availability
Security Measures
Technology
Policy and Practice
Education, Training, and Awareness (Human Factors)
The Model
References

Determining Information States and Mapping
Information Flow
Introduction
Information States: A Brief Historical Perspective
Automated Processing: Why Cryptography Is Not Sufficient
Simple State Analysis
Information States in Heterogeneous Systems
Boundary Definition
Decomposition of Information States
Developing an Information State Map
Reference

Decomposing the Cube for Security Enforcement
Introduction
A Word about Security Policy
Definitions
The McCumber Cube Methodology
The Transmission State
The Storage State
The Processing State
Recap of the Methodology

Information State Analysis for Components and
Subsystems
Introduction
Shortcomings of Criteria Standards for Security Assessments
Applying the McCumber Cube Methodology for Product
Assessments
Steps for Product and Component Assessment
Information Flow Mapping
Cube Decomposition Based on Information States
Develop Security Architecture
Recap of the Methodology for Subsystems, Products, and
Components
References

Managing the Security Life Cycle
Introduction

Safeguard Analysis
Introduction
Technology Safeguards
Procedural Safeguards
Human Factors Safeguards
Assessing and Managing Security Risk in IT Systems
Vulnerability-Safeguard Pairing
Hierarchical Dependencies of Safeguards
Security Policies and Procedural Safeguards
Developing Comprehensive Safeguards: The Lessons of the Shogun
Identifying and Applying Appropriate Safeguards
Comprehensive Safeguard Management: Applying the
McCumber Cube
The ROI of Safeguards: Do Security Safeguards Have a Payoff?

Practical Applications of McCumber Cube Analysis
Introduction
Applying the Model to Global and National Security Issues
Programming and Software Development
Using the McCumber Cube in an Organizational Information
Security Program
Using the McCumber Cube for Product or Subsystem Assessment
Using the McCumber Cube for Safeguard Planning and Deployment
Tips and Techniques for Building Your Security Program
Establishing the Security Program: Defining You
Avoiding the Security Cop Label
Obtaining Corporate Approval and Support
Creating Pearl Harbor Files
Defining Your Security Policy
Defining What versus How
Security Policy: Development and Implementation
Reference

SECTION III APPENDICES

Vulnerabilities
Risk Assessment Metrics
Diagrams and Tables
Other Resources

Customer Reviews

Average Review:

Write a Review

and post it to your social network

     

Most Helpful Customer Reviews

See all customer reviews >