BN.com Gift Guide

Information Security: Protecting the Global Enterprise / Edition 1

Paperback (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $1.99
Usually ships in 1-2 business days
(Save 95%)
Other sellers (Paperback)
  • All (21) from $1.99   
  • New (5) from $32.96   
  • Used (16) from $1.99   

Overview

  • Information security, start to finish: inspection, protection, detection, reaction, and reflection
  • Analyzing your most critical risks and threats
  • Defining an information security strategy and architecture
  • Planning and responding to intruders
  • Legal and public relations implications

Computer and network security: the technical, legal, and business issues.

In Information Security: Protecting the Global Enterprise, IT security expert Donald Pipkin addresses every aspect of information security: the business issues, the technical process issues, and the legal issues—including the personal liabilities of corporate officers in protecting information assets. Pipkin starts by reviewing the key business issues associated with protecting information assets, and determining the appropriate levels of protection and response to security incidents. Next, he walks through the technical processes required to build a consistent, reasonable information security system, with appropriate intrusion detection and reporting features. Coverage includes:

  • Inspection: Risk analysis, resource inventory, threat assessment, business impact analysis, safeguards, and more
  • Protection: Information security design, vision, architecture, strategies, frameworks, and implementation
  • Detection: Types of intruders, methods and profiles of detection
  • Reaction: Incident response plans, documentation, determination, notification, assessment, repair, and recovery
  • Reflection: Post-incident procedures, timelines, technical and management responses, process improvements, and public relations

Whether your role is technical or managerial, no matter what size your enterprise is, Information Security delivers the insight and guidance you need to protect your most vital asset: information.

Read More Show Less

Product Details

  • ISBN-13: 9780130173232
  • Publisher: Prentice Hall
  • Publication date: 5/12/2000
  • Series: HP Professional Series
  • Edition description: New Edition
  • Edition number: 1
  • Pages: 364
  • Product dimensions: 6.92 (w) x 8.97 (h) x 0.86 (d)

Meet the Author

Donald L. Pipkin is a Security Systems Architect for the Internet Security Division of Hewlett-Packard. Don is a noted security expert with fifteen plus years experience in the industry. He is a frequent speaker on the topic both regionally and internationally. He is also the author of Halting the Hacker: A Practical Guide to Computer Security, a contributing author of Unix Security, and he has written security articles for computer publications such as SysAdmin magazine.

Read More Show Less

Read an Excerpt

Preface

Information security is more than computer data security. It is the process of protecting the intellectual property of an organization. This intellectual property is paramount to the organization's survival. Businesses are built on their information — their company secrets. These secrets may be secret ingredients, manufacturing methods, pricing agreements with suppliers, or customer lists. All of these business secrets contribute to the profitability of the company. They all must be protected.

Everyone is involved in, and in some part responsible for, the safekeeping of information. One leak can sink the entire organization. Information must be continuously protected from all sides. This requires that everyone must understand and utilize the security that protects information.

There are no simple answers to the issues of security. Unfortunately, people are all too often convinced that all they need to do to secure their information systems is to install a firewall, improve their authentication method, or write a security policy. True, each of these can help improve security, but none of them is a complete solution.

Dependence on computerized information systems is integral to all aspects of an organization. Information-related problems must be understood and managed, the same as any other business resource. Management must recognize the importance of setting policies, standards, and procedures for the protection of information and allocation of resources to achieve it. This book details the relationship between security policies and procedures and clarifies how they can reduce the chance of losses on information systems. It is a must for anyone who is responsible for information assets or a complete overview of information security.

This book is designed to unveil the breadth of issues that encompasses information security. It is an introduction to information security addressing both the business issues and the fundamental aspects of securing information. It is not going to give you directions to close any specific security problem. However, it will open your eyes to security issues that are often overlooked. It delves into the issues involved with understanding the value of information assets, their potential cost to the organization if they are lost or disclosed, and how to determine the appropriate level of protection and response to a security incident; the technical process involved with building an information security design that is consistent, reasonable, and which utilizes appropriate intrusion detection and reporting systems; and the legal issues which require adequate protection and an appropriate response, so that not only is the information protected but also the corporate officers who are responsible for the safekeeping of the organization's information assets. It describes essential components of an information resource protection process. This process can be applied to information in any location from a personal computer to a large data processing facility. It is necessary in companies of any size — from 50 employees to 50,000 or more.

This book is derived from numerous presentations to CEOs and CIOs about information security. It addresses the issues from a business perspective, detailing the entire process of information security inside and outside the computer center. It addresses the business concerns of management as they pertain to information security.

In the security evaluations that I have performed for companies both large and small, it has been my experience that organizations have a security "hot button," one aspect of security they have addressed very well, and have overlooked other areas.

This book takes you through the steps of designing an information security program — from evaluating current processes to reviewing incident response procedures. Each section of the book, as follows, addresses one of these major steps which are required for a complete, cohesive information security program:


  • Inspection is the process of determining the current status and evaluating the appropriate level of security. It is this phase that creates a level of understanding of the issues and the organization's ability to address them.
  • Protection is the proactive process of creating an environment that is as secure as possible. This phase examines the ten fundamental aspects of information security and the issues involved.
  • Detection is the reactive process of determining inappropriate activities and alerting responsible individuals. Detection is required for those things that cannot be protected or predicted.
  • Reaction is the process of responding to a security incident. This phase focuses on resolving a security incident to minimize the impact.
  • Reflection is the follow-up processes necessary to evaluate the quality of the security implementation. These post-incident procedures are necessary for the organization to learn from the incident and share that experience.

This book will also explore the fundamental aspects of information security. These basic building blocks are categorized as follows:


  • Awareness is assuring that everyone understands the importance of security.
  • Access defines the medium used to contact the resource.
  • Identification is what is used to identify a user.
  • Authentication is how the user's identity is validated.
  • Authorization is what a user is allowed to do.
  • Availability is the ability to utilize the resource whenever it is needed.
  • Accuracy is the assurance that the information is correct.
  • Confidentiality is keeping the resource from being disclosed.
  • Accountability is assigning responsibility for actions taken on and by the resource.
  • Administration is the ability to manage the security attributes of the information.

Each of these aspects must be addressed to adequately protect your information. After reading this book, you will have the knowledge to analyze your information systems' security needs, to best allocate your security resources, and to put into place the proper policies and procedures in order to secure your information.


Read More Show Less

Table of Contents

Phase I: Inspection

Defining Resources. Assessing Threats. Evaluating Potential Losses. Identifying Vulnerabilities. Assigning Safeguards. Evaluate Current Status.

1. Resource Inventory.

Identifying Resources. Assigning Ownership. Determining Value. Security Classification.

2. Threat Assessment.

Human Error. Natural Disasters. System Failures. Malicious Acts. Malicious Software. Collateral Damage.

3. Loss Analysis.

Denial of Service. Theft of Resources. Deletion of Information. Theft of Information. Disclosure of Information. Corruption of Information. Theft of Software. Theft of Hardware. Disruption of Computer Controlled Systems.

4. Identifying Vulnerabilities.

Location of Vulnerabilities. Known Vulnerabilities. Security Design Flaw. Innovative Misuses. Incorrect Implementation. Social Engineering.

5. Assigning Safeguards.

Avoidance. Transference. Mitigation. Acceptance.

6. Evaluation of Current Status.

Assessment. Testing. Business Impact Analysis.

Phase II: Protection.

Philosophies. Principles. Policies. Procedures. Practices.

7. Awareness.

Appropriate Use. Awareness Programs. Design Choices. Implementation Options. Lack of Awareness.

8. Access.

Global Access. Access Methods. Access Points as Security Checkpoints. Access Servers. Abuse of Access.

9. Identification.

Enterprise Identification. Issuance of Identifiers. Scope of Use. Administration of Identifiers. Identity Errors.

10. Authentication.

Factors of Authentication. Authentication Models. Authentication Options. Authentication Management. Subverting Authentication.

11. Authorization.

What Authorizations Provide. Granularity of Authorizations. Requirements. Design Choices. Abuse of Authorization.

12. Availability.

Types of Outages. Protecting all Levels. Availability Models. Availability Classifications. Availability Outage.

13. Accuracy.

Information Lifecycle. Information System Accuracy. Methods. Loss of Accuracy.

14. Confidentiality.

Information in the Enterprise. Confidentiality Concerns. Methods of Ensuring Confidentiality. Sensitivity Classifications. Invasion of Privacy.

15. Accountability.

Accountability Models. Accountability Principles. Accounting Events. Accountability System Features Accountability Failures.

16. Administration.

Enterprise Information Security Administration. Administration Process. Areas of Administration. Administration Errors.

Phase III: Detection.

Intruder Types. Intrusion Methods. Detection Methods.

17. Intruder Types.

Outside Intruders. Inside Intruders. Professional Intruder.

18. Intrusion Methods.

Technical Intrusions. Physical Security. Social Engineering.

19. Intrusion Process.

Reconnaissance. Gaining Access. Gaining Authorizations. Achieve Goals.

20. Intrusion Detection Methods.

Profiles. Offline Methods. Online Methods. Human Methods.

Phase IV: Reaction.

Incident Response Philosophies. Incident Response Plan.

21. Response Plan.

Response Procedures. Resources. Legal Review.

22. Incident Determination.

Possible Indicators. Probable Indicators. Definite Indicators. Predefined Situations.

23. Incident Notification.

Internal. Computer Security Incident Organizations. Affected Partners. Law Enforcement. News Media.

24. Incident Containment.

Stopping the Spread. Regain Control.

25. Assessing the Damage.

Determining the Scope of Damage. Determining the Length of the Incident. Determining the Cause. Determining the Responsible Party.

26. Incident Recovery.

Setting Priorities. Repair the Vulnerability. Improve the Safeguard. Update Detection. Restoration of Data. Restoration of Services. Monitor for Additional Signs of Attack. Restoration of Confidence.

27. Automated Response.

Automated Defenses. Gathering Counterintelligence. Counterstrike.

Phase V: Reflection.

Postmortem Documentation. Process Management. External Follow-up.

28. Incident Documentation.

Incident Source Information. Incident Timeline. Technical Summary. Executive Summary.

29. Incident Evaluation.

Identify Processes for Improvement. Process Improvement.

30. Public Relations.

The Right People. The Right Time. The Right Message. The Right Forum. The Right Attitude.

31. Legal Prosecution.

Computer Crime Laws. Jurisdiction. Collection of Evidence. Successful Prosecution.

Epilogue: The Future of Business.

A World without Borders. Service-based Architecture. Basic Business Principles. Pervasive Security.

Read More Show Less

Preface

Preface

Information security is more than computer data security. It is the process of protecting the intellectual property of an organization. This intellectual property is paramount to the organization's survival. Businesses are built on their information — their company secrets. These secrets may be secret ingredients, manufacturing methods, pricing agreements with suppliers, or customer lists. All of these business secrets contribute to the profitability of the company. They all must be protected.

Everyone is involved in, and in some part responsible for, the safekeeping of information. One leak can sink the entire organization. Information must be continuously protected from all sides. This requires that everyone must understand and utilize the security that protects information.

There are no simple answers to the issues of security. Unfortunately, people are all too often convinced that all they need to do to secure their information systems is to install a firewall, improve their authentication method, or write a security policy. True, each of these can help improve security, but none of them is a complete solution.

Dependence on computerized information systems is integral to all aspects of an organization. Information-related problems must be understood and managed, the same as any other business resource. Management must recognize the importance of setting policies, standards, and procedures for the protection of information and allocation of resources to achieve it. This book details the relationship between security policies and procedures and clarifies how they can reduce the chance of losses on information systems. It is a must for anyone who is responsible for information assets or a complete overview of information security.

This book is designed to unveil the breadth of issues that encompasses information security. It is an introduction to information security addressing both the business issues and the fundamental aspects of securing information. It is not going to give you directions to close any specific security problem. However, it will open your eyes to security issues that are often overlooked. It delves into the issues involved with understanding the value of information assets, their potential cost to the organization if they are lost or disclosed, and how to determine the appropriate level of protection and response to a security incident; the technical process involved with building an information security design that is consistent, reasonable, and which utilizes appropriate intrusion detection and reporting systems; and the legal issues which require adequate protection and an appropriate response, so that not only is the information protected but also the corporate officers who are responsible for the safekeeping of the organization's information assets. It describes essential components of an information resource protection process. This process can be applied to information in any location from a personal computer to a large data processing facility. It is necessary in companies of any size — from 50 employees to 50,000 or more.

This book is derived from numerous presentations to CEOs and CIOs about information security. It addresses the issues from a business perspective, detailing the entire process of information security inside and outside the computer center. It addresses the business concerns of management as they pertain to information security.

In the security evaluations that I have performed for companies both large and small, it has been my experience that organizations have a security "hot button," one aspect of security they have addressed very well, and have overlooked other areas.

This book takes you through the steps of designing an information security program — from evaluating current processes to reviewing incident response procedures. Each section of the book, as follows, addresses one of these major steps which are required for a complete, cohesive information security program:

  • Inspection is the process of determining the current status and evaluating the appropriate level of security. It is this phase that creates a level of understanding of the issues and the organization's ability to address them.
  • Protection is the proactive process of creating an environment that is as secure as possible. This phase examines the ten fundamental aspects of information security and the issues involved.
  • Detection is the reactive process of determining inappropriate activities and alerting responsible individuals. Detection is required for those things that cannot be protected or predicted.
  • Reaction is the process of responding to a security incident. This phase focuses on resolving a security incident to minimize the impact.
  • Reflection is the follow-up processes necessary to evaluate the quality of the security implementation. These post-incident procedures are necessary for the organization to learn from the incident and share that experience.

This book will also explore the fundamental aspects of information security. These basic building blocks are categorized as follows:

  • Awareness is assuring that everyone understands the importance of security.
  • Access defines the medium used to contact the resource.
  • Identification is what is used to identify a user.
  • Authentication is how the user's identity is validated.
  • Authorization is what a user is allowed to do.
  • Availability is the ability to utilize the resource whenever it is needed.
  • Accuracy is the assurance that the information is correct.
  • Confidentiality is keeping the resource from being disclosed.
  • Accountability is assigning responsibility for actions taken on and by the resource.
  • Administration is the ability to manage the security attributes of the information.

Each of these aspects must be addressed to adequately protect your information. After reading this book, you will have the knowledge to analyze your information systems' security needs, to best allocate your security resources, and to put into place the proper policies and procedures in order to secure your information.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)