INFORMATION SECURITY FOR MANAGERS


INFORMATION SECURITY FOR MANAGERS
William Caelli, Dennis Longley, Michael Shain
Stockton Press

Macmillan Publishers Ltd, 1989
Softcover reprint of the hardcover 1st edition 1989
978-0-333-46203-4

All rights reserved. No part of the publication may be reproduced or transmitted, in any form or by any means, without permission.

Published in the United States and Canada by STOCKTON PRESS 1989, 15 East 26th Street, New York, N.Y. 10010.

Library of Congress Cataloging-in-Publication Data
Caelli, William. Information security for managers / by William Caelli, Dennis Longley, and Michael Shain. p. cm. Includes index. ISBN 978-0-935859-73-7: $100.00
1. Electronic data processing departments - Security measures. 2. Computers - Access control. I. Longley, Dennis. II. Shain, Michael. III. Title.
HF5548.37.C34 1989 658.4'78 - dc20 89-4614 CIP

Published in the United Kingdom by MACMILLAN PUBLISHERS LTD (Journals Division), 1989
Distributed by Globe Book Services Ltd, Brunel Road, Houndmills, Basingstoke, Hants RG21 2XS

British Library Cataloguing in Publication Data
Caelli, Bill. Information security for managers. 1. Computer systems. Security measures. Management aspects. I. Title II. Longley, Dennis III. Shain, Michael 658.4'78
ISBN 978-1-349-10139-9
ISBN 978-1-349-10137-5 (ebook)
DOI 10.1007/978-1-349-10137-5

Introduction

How seriously should management take information security? Until recently only a few managers fully appreciated how their day-to-day business administration was dependent on the availability and integrity of their data processing services. Several things are changing this, including the growing recognition of information as an asset, and the continuing development of information technology and its application in a business context. But at the same time the existence of information technology is providing new weapons for those intent on causing damage or criminal gain.

Automation of clerical processes makes information systems more vulnerable, because they no longer require the prudent manual checks and balances which were once an unspoken part of the job. When combined with the pressures of cost of implementation and timescale, this has meant that few, if any, security controls have been built into systems from the outset. It may be realised only when it is too late that protective controls have been sacrificed; security vulnerabilities are invisible until an incident occurs.

Thus, as information systems have become more valuable to their users they have also become more vulnerable to attack. They have consequently become more attractive targets for criminal and terrorist groups, holding the possibility of high rewards for minimal effort, and with little chance of detection until it is too late. A single compromised password can lead to fraud involving electronic funds transfer (EFT), or to the exposure of corporate secrets through industrial espionage.

All managers have to deal with risk as a natural part of business life. No one can absolutely guarantee that a mishap will not occur in his or her department. However, the wise manager can strive to be fully acquainted with the nature of the risk, develop an organisational structure, and invest time and money to minimise the chance of an unwanted incident and reduce the effect of any damage. The purpose of this book is to enable the manager to become aware of the information security risk and the methods of counterattack. In this way, and through the development of a management structure and a set of counter-measures to deter attack and initiate recovery procedures, he or she can take a more aggressive, proactive stance in the face of deliberate threats.

As we shall see many times in this book, good information security depends first and foremost upon good management. In many cases substantial increases in security can be achieved by improved management practices; on the other hand, the effectiveness of sophisticated gadgetry, software and cryptographic systems can easily be nullified by bad management. 'Computers don't steal, people do' is a wise maxim. Security is a 'people' issue and effective security has to be pervasive. To reach such an objective demands a corporate policy that calls for commitment from staff and management, and needs to be integrated into both management and system structures. Once implemented it has to be constantly maintained and monitored for effectiveness.

This book is designed as a work of reference. The first chapter provides the foundation upon which subsequent sections are built, but the authors do not expect the work to be read in sequence, from cover to cover, as a novel. Hence the question and answer format has been chosen - the reader can examine the list of questions at the beginning of the book and select the ones that seem most relevant. Often asking the right question is halfway to finding the right answer, and through extensive use of cross-referencing the reader is able to place the question in its relevant context.
Acknowledgement

The authors would like to thank the following: Chris Reed of Queen Mary College, London University, for advice on copyright; Robin Moses, formerly of CCTA, now of BIS Applied Systems, for help on risk analysis; Stuart Dresner for advice on privacy legislation; and John Foster of GE Information Services for help with insurance issues.

Contents

1 Data Security (D. Longley) 1
1.1 Overview 1
1.2 Security Policy and Organizational Structure 13
1.3 Personnel and Responsibilities 16
1.4 Data Ownership and Data Handling Responsibilities 24
1.5 Access Control and Cryptographic Controls 27
1.6 Information Flow Control 53
1.7 Security of Stored Data 58
1.8 Monitoring and Audit Trails 59
1.9 Military and Commercial Security 77

2 Computer Security Risk Analysis and Management (M. Shain and A. Anderson) 81
2.1 Overview 81
2.2 Risk Analysis and Management: an Overview 82
2.3 Conventional Computer Security Risk Analysis and Management 89
2.4 Courtney Technique of Risk Analysis 95
2.5 CRAMM Risk Analysis 110
2.6 Conclusions 116

3 Countermeasures (M. Shain) 118
3.1 Overview 118
3.2 Physical Security 119
3.3 Access Control 130
3.4 Personal Computer Security 158
3.5 Contingency Planning 172
3.6 Insurance 185

4 Communications Security (W. Caelli) 193
4.1 Overview 193
4.2 Network Security 197
4.3 Security on IBM Systems 208
4.4 OSI Security 212

5 Financial and Banking Networks (W. Caelli) 225
5.1 Overview 225
5.2 Identity and Authentication of the User: Plastic Cards 228
5.3 Identity and Authentication of the User: PINs 238
5.4 Privacy, Integrity, and Authenticity of Financial Messages 247
5.5 Financial Network Security 251

6 Office Automation Security (W. Caelli) 258
6.1 Overview 258
6.2 Communications and Logical Security 261
6.3 Physical Security of Office Systems 269
6.4 Procedural and Personnel Security 274

7 Security and the Law (D. Longley) 283
7.1 Overview 283
7.2 Data Protection 289
7.3 Legal Protection of Information Assets 310
7.4 Computer Crime 320
7.5 Law and Personnel 331

Appendix A Security Models 339
A.1 Bell-La Padula Model 339
A.2 Orange Book 340
A.3 RACF 342

Appendix B Cryptography 343
B.1 Data Encryption Standard 343
B.2 DES Modes of Operation: Cipher Block Chaining 352
B.3 DES Modes of Operation: Cipher Feedback 354
B.4 DES Modes of Implementation: Output Feedback 355
B.5 Public Key Cryptography 356
B.6 Public Key Cryptography: RSA 359
B.7 Stream Cipher 362
B.8 Message Authentication 362
B.9 Key Notarization 366

Appendix C Access Control 368
C.1 Password 368
C.2 PIN Management and Security 369

Appendix D Communications Security 375
D.1 Electronic Listening Device 375
D.2 Telephone Intrusion 376
D.3 Port Protection Device 377
D.4 X.400 377

Appendix E Data Protection Laws at a Glance 380
Appendix F List of Questions 383
Glossary 393