Securing Business Information: Strategies to Protect the Enterprise and Its Network

Description

  • Copyright 2002
  • Dimensions: 7-3/8x9-1/4
  • Pages: 256
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-76735-X
  • ISBN-13: 978-0-201-76735-3

Securing Business Information provides an approach to security that is derived from numerous successful implementations. The Enterprise Security Plan (ESP) is a six-step process for tailoring enterprise security techniques to the needs of your business.

This book will guide you through these steps to secure your computing infrastructure within the constraints of normal business operations, resources, and today's technology:

  • Prepare the enterprise, starting with the staff and their roles.
  • Organize a group of security domains and assess the tolerable amount of risk for each.
  • Complete a baseline security analysis and derive a set of guiding policies.
  • Determine how security policies are being enforced throughout the enterprise.
  • Identify gaps and set priorities.
  • Plan the projects to implement an appropriately secure enterprise.

Sample Content

Online Sample Chapter

Preparing Your Enterprise for Tighter Security

Table of Contents

Preface.

1. Prepare the Enterprise for Security.
    The Enterprise Security Charter.
    Building the Security Organization.
    Security Leadership.
    Security Management.
    Security Administration.
    Resource Ownership.
    Where Security Reports.
    Building Security Job Descriptions.
    Centralizing and Decentralizing Security Functions.
    Marketing the Mission within the Enterprise.
    Developing a Security Marketing Program.
    Marketing Upward.
    Marketing Outward.

2. Organize Security by Resource and Domains.
    Identifying Resources.
    Existing Sources of Resource Identification.
    Levels of Information Hierarchy.
    Complexity of Classification Schemes.
    External Requirements.
    Selecting Appropriate Security Levels.
    Grouping Resources into Security Domains.
    ESP Domain Schemes.
    Merging the Domain Schemes.
    An Example of Need-based Divisions.
    Documenting the Rules for Domain Designation.

3. Complete the Baseline Security Analysis.
    Choosing a Policy Model.
    Formal Security Policies.
    Identity-based Policies.
    Role-based Policies.
    Researching Existing Policies.
    Conducting a Policy Audit.
    Finding Documented Policies.
    Finding Undocumented Policies.
    Creating the Functional Assessment of Security.
    Reducing the Scope of the Projects.

4. Complete the Requirements.
    Identifying Security Requirements.
    Selecting the Sources of Information.
    Collecting Information.
    Developing Requirements.
    Categories of Requirements.
    Determining Business Requirements.
    Determining Data Management Requirements.
    Determining Application Requirements.
    Determining Infrastructure Requirements.
    Trust Modeling.
    Point 1: Establishing Trust Concepts.
    Point 2: Applying Trust Concepts.
    Point 3: Achieving Trust-based Requirements.
    Patterns for Adaptive Infrastructure.

5. Identify Gaps and Prioritize Needs.
    Analyzing Gaps.
    Assessing Risk.
    Analyzing Costs and Benefits.
    Assessing Culture.
    Prioritizing Projects.

6. Selecting and Planning the Projects.
    Determining the Security Strategy.
    Shortening the List of Projects.
    Selecting Projects.
    Reordering Priorities by Duration.
    Determining Required Resources.
    Planning the Projects.
    Sourcing the Projects.
    Selecting the Security Products.
    Marketing the Projects.
    Product Packaging.
    Upward Marketing.
    Outward Marketing.
    What Is Next?

7. Modifying ESP.
    Modifying the Baseline Steps.
    Pass 1.
    Pass 2.
    Pass 3.
    Pass 4.
    Integrating ESP into the Ongoing Security Program.

8. Formulating a Technology Strategy.
    Analyzing Technology Maturation.
    Projecting Demand Curves.
    Assessing Adoption Probability.

9. Security Technologies.
    Enforcement Security Technologies.
    Identification.
    Authentication.
    Authorization.
    Access Control.
    Support Security Technologies.
    Auditing.
    Administration.
    Technology Integration.

10. Two Case Histories.
    Meet Y Company.
    Step 1. Prepare the Enterprise for Security.
    Step 2. Organize Security by Resources and Domains.
    Step 3. Complete the Baseline Security Analysis.
    Step 4. Complete Requirements.
    Step 5. Identify Gaps and Prioritize Needs.
    Meet Z Company: A Federated Model.
    Step 1. Prepare the Enterprise for Security.
    Step 2. Organize Security by Resources and Domains.
    Step 3. Complete the Baseline Security Analysis.
    Step 4. Complete Requirements.
    Step 5. Identifying Gaps and Prioritizing Needs.

11. Security Follow-Up Projects.
    Y Company.
    Marketing Program.
    General Policy Revision and Domain Perimeter Repair.
    Security Technology Improvements and Administration Policy Changes.
    Considerations.
    Z Company.
    Establishing Minimum Security Criteria.
    Policy Structure Creation.
    Backbone Access Control.

12. Single-Point Administration through Role-based Authorization.
    Single-Point Administration through Role-based Authorization.
    Why Single-Point Administration Is Needed.
    Role-based Authorization.

13. Single Sign-On.
    The Security Fabric: Integrating the Tiers.
    SSO Terminology.
    Identification.
    Strong Authentication and Authorization Management.
    Product Architectures.
    Script-based SSO Tools.
    Broker-based SSO Tools.
    How to Succeed at SSO.
    Installability and Scalability.
    SSO Planning Projects.
    Evaluation Criteria for SSO Products.
    Checklist of questions to ask in evaluating SSO products.

Appendix A: Sample Request For Proposal.
    Request for Proposal.
    Implementation of Secure Single Sign-On and Single-Point Administration.
    I. Overview.
    II. Environment.
    Configuration.
    III. Vendor Instructions.
    IV. Requirements.
    V. Implementation.
    VI. Contract Terms.
    VII. Vendor Financial Proposal.

Appendix B: Further Reading.

Glossary.

Index.

Preface

Securing Business Information addresses one of the most prominent challenges in e-Business: how to keep enterprise data secure in a distributed environment.

Starting in 1997, META Group developed information on security for distributed systems to serve a group of clients who were adapting to the new demands of on-line commerce. Working with these clients, META Group researchers found that security managers often have no distributed-systems experience, while those with distributed-systems experience have little or no security background. Both groups needed answers to the same questions: Where should we start? What process should we use to define appropriate security for our heterogeneous environment? In answer to these questions, Securing Business Information provides the Enterprise Security Plan, a six-part process to help you implement the highest level of achievable security for your enterprise.



Index

access control 139
    administration 140
    features 141
    integration 140
    lists (ACLs) 132
    platform support 140
    user-based 140
Ace/Server 122
ActiveX 136
administrative domain 38
adoption
    probability of 116
analysis
    cost/benefit vs. risk 86
    gap 72
    internal market 1
    Strength, Weakness, Opportunities, and Threats (SWOT) 20
    upward market 171
attack simulation 144
auditing 142
authentication 127
authorization
    individual 133
    role-based scheme 7
    technology-domain 133
authorization servers 133

backbone access control 178
baseline
    gaps between strategic requirements 82
    modifying the steps 107
biometrics 124
    face recognition 125
    fingerprint recognition 125
    hand-geometry recognition 125
    signature recognition 125
    voice recognition 126
bleeding-edge 116
boot control 141
briefing document 28
broker platform 205
business-to-business (B2B) 72, 134
business-to-consumer (B2C) 134
business-unit security officers 163

C/B 91
centralized authorization 69
certificate authority (CA) 130
certification 29
change 199
class
    definitions of 34
classification scheme
    complexity of 33
coached interview 62
collaborate patterns 79
Component Object Model (COM) 136
Computer Security Institute (CSI) 85
Control Objectives for Information and Technology (COBIT) 178
cost/benefit analysis 82
crossover point 127
cultural assessment 87
customers
    vs. business partners 66

Data Center 155
Data Encryption Standard (DES) 141
data management 66
data-warehousing 67
Delphi method 84
digital signature 132
Distributed Computing Environment (DCE) 128
    security 195
domain definitions
    purpose of 35
domain schemes 35

early adopters 114
early majority enterprises 114
e-Business 71
Elliptic Curve Cryptography (ECC) 129
Encrypted File System (EFS) 142
encryption 68, 141
end-user device 205
enforcement technologies 120
    branches of 119
Engineering Division 155
enterprise security charter 2, 22
Enterprise Security Plan (ESP) 1, 193
    administering 6
    domain schemes 36
    implementing 110
    integrating into the security program 111
enterprise security policy 160
establishing minimum security criteria 175
evaluation checklist 176
eCommerce
    security planning 76

Facilitated Risk Assessment Process (FRAP) 85
failure, redundancy, and recovery 205
Formal Security Policies 52
Gantt chart 97
gap analysis 72
general public 114
Generalized System Security Application-Programming Interface (GSSAPI) 128, 194
geographic domain 36
granularity 34, 94
    coarse 32
    excessive 187
    fine-resource 32

hard tokens 122
headquarters 155
heterogeneity 199, 201
heterogeneity factor (HF) 201
heuristic scanning 138
hinge point 115

identification 194
Identity-based Policies 52
Information Architecture Group (IAG) 102
intrusion detection 143
inventory system
    implementation of 32
IP Network 157

job descriptions
    samples of 11

Kerberos 69, 128, 140, 202
key management 69

large office 156
leading-edge technology 114
lifecycle-based domain 44
Lightweight Directory-Access Protocol (LDAP) 130

management white paper 105
market identification 16
market research
    and analysis 17
marketing 2
    analyzing outward markets 26
    analyzing upward markets 23
    applying 15
    communication plan 104, 172
    communications 20
    creating messages for the outward audience 27
    creating messages for the upward audience 24
    crucial to ESP 15
    developing outward communications 27
    developing product packages for upward markets 23
    different approaches to upward and outward audiences 18
    identifying targets of upward marketing 22
    identifying the targets of outward marketing 26
    program 16
    using market research 20
marketing campaign
    first step 170
media
    using in Outward Marketing communications 28

network access control 142

Object Linking and Embedding (OLE) 136
OLE custom control (OCX) 137
Open Group (formerly Open Software Foundation) 128
operating system dependence 205
organizational domain 37
outward marketing 104, 170, 173
outward markets
    developing product packages for 27

paradigms
    centralized vs. distributed 8
password
    mandated change 122
    strong 122
pattern
    adaptive infrastructure 79
    identifying behavior 27
    of operation 47
perimeter window 48
point products 101
policy
    consistent 14
    finding documented and undocumented 56
    identity-oriented statement 53
    reviewing 174
    security 47
    structure creation 176
policy audit 143
    conducting a 56
preference list 200
priorities
    reordering by duration 95
process
    domain-definition 36
product packaging 20, 103, 171
production
    scheduling 25
projects
    marketing 103
    planning 97
    prioritizing 90
    reducing the scope of 58
    tactical vs. strategic 90
Public-Key Infrastructure (PKI) 128
publish patterns 79

Rank It 84
RBA 185
real cost of ownership (RCO) 203
relational database management system (RDBMS) 32
request for proposal (RFP) 99, 203
requirements
    achieving trust-based 76
    building a list of 64
    categories of 64
    collecting 62
    determining business 65
    determining infrastructure 70
    tactical 68
    tactical vs. strategic 115
resource owner 5
resource(s)
    constraints 16
    control of 189
    determining required 96
    hierarchy 32
    identifying 31
    list 34
    mapping 38
    organizing 39
    organizing issues by application 41
    organizing issues by security class 40
    securing 8
    security 7
    security classification of 33
    sources of information 33
    type of 33
resource-based domain 39
    defining the scheme 42
risk assessment 82, 83
rogue 136
    applications 138
    controlling 139
    methods for controlling 138
role
    administrative assistant (AA) 185
    administrator 171
    central administrator 189
    Chief Executive Officer (CEO) 2, 178
    Chief Information Officer (CIO) 8, 62, 151
    Chief Security Officer (CSO) 162, 165, 178
    Director of Security 4, 11
    executive management 2
    general manager 171
    local administrator 189
    lower management 2
    middle management 2
    programmer 6
    resource owner 5, 6, 8, 33, 38, 171
    security administrator 4, 6, 10, 13, 14, 190, 201, 203
    security director 6
    security manager 4, 6, 10, 12, 13, 17, 24, 28, 31, 36, 39, 44, 52
    sponsor for the marketing program 17
    systems administrator 172
    systems analysts 17
    technical manager 171
    technicians 171
role definition 185
Role-Based Administration (RBA) 135, 184, 189, 200
    alternative approaches to 187
    cost of 191
    establishing 185
    issues in implementing 191
roles 188
    assigning 14
    creation of 189
RSA algorithm 129

script model 197
script variability 200
Secure Sockets Layer (SSL) 134
secured resource platform 205
SecurID 122
security
    administration 182
    audit 190
    auditing 142
    decisions regarding 28
    developing a functional assessment of 57
    evaluating the security program 29
    identifying the requirements 61
    management 8
    mapping 39
    program 2
    selecting security products 101
security administrator
    differences between security manager and 3
security staff
    reporting to the CIO 9
selective application 187
Sesame 127, 195
signature scanning 138
Simple Network Management Protocol (SNMP) 144
Single Sign-On (SSO) 128, 140, 151, 161, 181, 194
    developing an ESP project for 200
    evaluating products 204
    limiting factors 198
    terminology 194
    tools 146
Single-Point Administration (SPA) 134, 151, 161, 181, 183, 194
    defining 192
Small Office 156
smart card 123, 195
SNA Network 157
soft tokens 123
solution
    authorization 195
sourcing strategy 98
SSO 103
staff changes
    assessing the impact of 65
stovepipe 9
surveys 17
System Administrator Tool for Analyzing Networks (SATAN) 145

technical white paper 105
technologies
    matching vs. identification 127
technology-based domain 42
tools
    @Risk 83
    broker-based SSO 197
    certificate-management 136
    modeling 83
    risk audit 83
    Risk Watch 84
    security 55
    systems management 35
transact patterns 79
trust 72, 130
trust concepts
    applying 74
    establishing 72
trust modeling
    vs. risk assessment 74

upward marketing 104, 109, 170, 172
    developing communications 23
    using media in 24

vendor viability 206
Virtual Private Network (VPN) 167
virus 135
    methods for controlling 138

Web Single Sign On (Web SSO) 134
