
Securing Business Information: Strategies to Protect the Enterprise and Its Network

  • This book is no longer in print.

Description

  • Copyright 2002
  • Dimensions: 7-3/8x9-1/4
  • Pages: 256
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-76735-X
  • ISBN-13: 978-0-201-76735-3

Securing Business Information provides an approach to security that is derived from numerous successful implementations. The Enterprise Security Plan (ESP) is a six-step process for tailoring enterprise security techniques to the needs of your business.

This book will guide you through these steps to secure your computing infrastructure within the constraints of normal business operations, resources, and today's technology:

  • Prepare the enterprise, starting with the staff and their roles.
  • Organize a group of security domains and assess the tolerable amount of risk for each.
  • Complete a baseline security analysis and derive a set of guiding policies.
  • Determine how security policies are being enforced throughout the enterprise.
  • Identify gaps and set priorities.
  • Plan the projects to implement an appropriately secure enterprise.


Sample Content

Online Sample Chapter

Preparing Your Enterprise for Tighter Security

Downloadable Sample Chapter: byrnesch1.pdf

Table of Contents



Preface.


1. Prepare the Enterprise for Security.

The Enterprise Security Charter.

Building the Security Organization.

Security Leadership.

Security Management.

Security Administration.

Resource Ownership.

Where Security Reports.

Building Security Job Descriptions.

Centralizing and Decentralizing Security Functions.

Marketing the Mission within the Enterprise.

Developing a Security Marketing Program.

Marketing Upward.

Marketing Outward.



2. Organize Security by Resource and Domains.

Identifying Resources.

Existing Sources of Resource Identification.

Levels of Information Hierarchy.

Complexity of Classification Schemes.

External Requirements.

Selecting Appropriate Security Levels.

Grouping Resources into Security Domains.

ESP Domain Schemes.

Merging the Domain Schemes.

An Example of Need-based Divisions.

Documenting the Rules for Domain Designation.



3. Complete the Baseline Security Analysis.

Choosing a Policy Model.

Formal Security Policies.

Identity-based Policies.

Role-based Policies.

Researching Existing Policies.

Conducting a Policy Audit.

Finding Documented Policies.

Finding Undocumented Policies.

Creating the Functional Assessment of Security.

Reducing the Scope of the Projects.



4. Complete the Requirements.

Identifying Security Requirements.

Selecting the Sources of Information.

Collecting Information.

Developing Requirements.

Categories of Requirements.

Determining Business Requirements.

Determining Data Management Requirements.

Determining Application Requirements.

Determining Infrastructure Requirements.

Trust Modeling.

Point 1: Establishing Trust Concepts.

Point 2: Applying Trust Concepts.

Point 3: Achieving Trust-based Requirements.

Patterns for Adaptive Infrastructure.



5. Identify Gaps and Prioritize Needs.

Analyzing Gaps.

Assessing Risk.

Analyzing Costs and Benefits.

Assessing Culture.

Prioritizing Projects.



6. Selecting and Planning the Projects.

Determining the Security Strategy.

Shortening the List of Projects.

Selecting Projects.

Reordering Priorities by Duration.

Determining Required Resources.

Planning the Projects.

Sourcing the Projects.

Selecting the Security Products.

Marketing the Projects.

Product Packaging.

Upward Marketing.

Outward Marketing.

What Is Next?



7. Modifying ESP.

Modifying the Baseline Steps.

Pass 1.

Pass 2.

Pass 3.

Pass 4.

Integrating ESP into the Ongoing Security Program.



8. Formulating a Technology Strategy.

Analyzing Technology Maturation.

Projecting Demand Curves.

Assessing Adoption Probability.



9. Security Technologies.

Enforcement Security Technologies.

Identification.

Authentication.

Authorization.

Access Control.

Support Security Technologies.

Auditing.

Administration.

Technology Integration.



10. Two Case Histories.

Meet Y Company.

Step 1. Prepare the Enterprise for Security.

Step 2. Organize Security by Resources and Domains.

Step 3. Complete the Baseline Security Analysis.

Step 4. Complete Requirements.

Step 5. Identify Gaps and Prioritize Needs.

Meet Z Company: A Federated Model.

Step 1. Prepare the Enterprise for Security.

Step 2. Organize Security by Resources and Domains.

Step 3. Complete the Baseline Security Analysis.

Step 4. Complete Requirements.

Step 5. Identifying Gaps and Prioritizing Needs.



11. Security Follow-Up Projects.

Y Company.

Marketing Program.

General Policy Revision and Domain Perimeter Repair.

Security Technology Improvements and Administration Policy Changes.

Considerations.

Z Company.

Establishing Minimum Security Criteria.

Policy Structure Creation.

Backbone Access Control.



12. Single-Point Administration through Role-based Authorization.

Single-Point Administration through Role-based Authorization.

Why Single-Point Administration Is Needed.

Role-based Authorization.



13. Single Sign-On.

The Security Fabric: Integrating the Tiers.

SSO Terminology.

Identification.

Strong Authentication and Authorization Management.

Product Architectures.

Script-based SSO Tools.

Broker-based SSO Tools.

How to Succeed at SSO.

Installability and Scalability.

SSO Planning Projects.

Evaluation Criteria for SSO Products.

Checklist of questions to ask in evaluating SSO products.



Appendix A: Sample Request For Proposal.

Request for Proposal.

Implementation of Secure Single Sign-On and Single-Point Administration.

I. Overview.

II. Environment.

Configuration.

III. Vendor Instructions.

IV. Requirements.

V. Implementation.

VI. Contract Terms.

VII. Vendor Financial Proposal.



Appendix B: Further Reading.


Glossary.


Index.

Preface

Securing Business Information addresses one of the most prominent challenges in e-Business: how to keep enterprise data secure in a distributed environment.

Starting in 1997, META Group developed information on security for distributed systems to serve a group of clients who were adapting to the new demands of on-line commerce. Working with these clients, META Group researchers found that security managers often have no distributed-systems experience, while those with distributed-systems experience have little or no security background. Both groups needed answers to the same questions: Where should we start? What process should we use to define appropriate security for our heterogeneous environment? In answer to these questions, Securing Business Information provides the Enterprise Security Plan, a six-part process to help you implement the highest level of achievable security for your enterprise.


Index


access control 139
    administration 140
    features 141
    integration 140
    lists (ACLs) 132
    platform support 140
    user-based 140
Ace/Server 122
ActiveX 136
administrative domain 38
adoption
    probability of 116
analysis
    cost/benefit vs. risk 86
    gap 72
    internal market 1
    Strength, Weakness, Opportunities, and Threats (SWOT) 20
    upward market 171
attack simulation 144
auditing 142
authentication 127
authorization
    individual 133
    role-based scheme 7
    technology-domain 133
authorization servers 133

backbone access control 178
baseline
    gaps between strategic requirements 82
    modifying the steps 107
biometrics 124
    face recognition 125
    fingerprint recognition 125
    hand-geometry recognition 125
    signature recognition 125
    voice recognition 126
bleeding-edge 116
boot control 141
briefing document 28
broker platform 205
business-to-business (B2B) 72, 134
business-to-consumer (B2C) 134
business-unit security officers 163

C/B 91
centralized authorization 69
certificate authority (CA) 130
certification 29
change 199
class
    definitions of 34
classification scheme
    complexity of 33
coached interview 62
collaborate patterns 79
Component Object Model (COM) 136
Computer Security Institute (CSI) 85
Control Objectives for Information and Technology (COBIT) 178
cost/benefit analysis 82
crossover point 127
cultural assessment 87
customers
    vs. business partners 66

Data Center 155
Data Encryption Standard (DES) 141
data management 66
data-warehousing 67
Delphi method 84
digital signature 132
Distributed Computing Environment (DCE) 128
    security 195
domain definitions
    purpose of 35
domain schemes 35

early adopters 114
early majority enterprises 114
e-Business 71
Elliptic Curve Cryptography (ECC) 129
Encrypted File System (EFS) 142
encryption 68, 141
end-user device 205
enforcement technologies 120
    branches of 119
Engineering Division 155
enterprise security charter 2, 22
Enterprise Security Plan (ESP) 1, 193
    administering 6
    domain schemes 36
    implementing 110
integrating into the security program 111
    enterprise security policy 160
establishing minimum security criteria 175
evaluation checklist 176
eCommerce
    security planning 76

Facilitated Risk Assessment Process (FRAP) 85
failure, redundancy, and recovery 205
Formal Security Policies 52
Gantt chart 97
gap analysis 72
general public 114
Generalized System Security Application-Programming Interface (GSSAPI) 128, 194
geographic domain 36
granularity 34, 94
    coarse 32
    excessive 187
    fine-resource 32

hard tokens 122
headquarters 155
heterogeneity 199, 201
heterogeneity factor (HF) 201
heuristic scanning 138
hinge point 115

identification 194
Identity-based Policies 52
Information Architecture Group (IAG) 102
intrusion detection 143
inventory system
    implementation of 32
IP Network 157

job descriptions
    samples of 11

Kerberos 69, 128, 140, 202
key management 69

large office 156
leading-edge technology 114
lifecycle-based domain 44
Lightweight Directory-Access Protocol (LDAP) 130

management white paper 105
market identification 16
market research
    and analysis 17
marketing 2
    analyzing outward markets 26
    analyzing upward markets 23
    applying 15
    communication plan 104, 172
    communications 20
    creating messages for the outward audience 27
    creating messages for the upward audience 24
    crucial to ESP 15
    developing outward communications 27
    developing product packages for upward markets 23
    different approaches to upward and outward audiences 18
    identifying targets of upward marketing 22
    identifying the targets of outward marketing 26
    program 16
    using market research 20
marketing campaign
    first step 170
media
    using in Outward Marketing communications 28

network access control 142

Object Linking and Embedding (OLE) 136
OLE custom control (OCX) 137
Open Group (formerly Open Software Foundation) 128
operating system dependence 205
organizational domain 37
Outward marketing 104, 170, 173
outward markets
    developing product packages for 27

paradigms
    centralized vs. distributed 8
password
    mandated change 122
    strong 122
pattern
    adaptive infrastructure 79
    identifying behavior 27
    of operation 47
perimeter window 48
point products 101
policy
    consistent 14
    finding documented and undocumented 56
    identity-oriented statement 53
    reviewing 174
    security 47
    structure creation 176
policy audit 143
    conducting a 56
preference list 200
priorities
    reordering by duration 95
process
    domain-definition 36
product packaging 20, 103, 171
production
    scheduling 25
projects
    marketing 103
    planning 97
    prioritizing 90
    reducing the scope of 58
    tactical vs. strategic 90
Public-Key Infrastructure (PKI) 128
publish patterns 79

Rank It 84
RBA 185
real cost of ownership (RCO) 203
relational database management system (RDBMS) 32
request for proposal (RFP) 99, 203
requirements
    achieving trust-based 76
    building a list of 64
    categories of 64
    collecting 62
    determining business 65
    determining infrastructure 70
    tactical 68
    tactical vs. strategic 115
resource owner 5
resource(s)
    constraints 16
    control of 189
    determining required 96
    hierarchy 32
    identifying 31
    list 34
    mapping 38
    organizing 39
    organizing issues by application 41
    organizing issues by security class 40
    securing 8
    security 7
    security classification of 33
    sources of information 33
    type of 33
resource-based domain 39
    defining the scheme 42
risk assessment 82, 83
rogue 136
    applications 138
    controlling 139
    methods for controlling 138
role
    administrative assistant (AA) 185
    administrator 171
    central administrator 189
    Chief Executive Officer (CEO) 2, 178
    Chief Information Officer (CIO) 8, 62, 151
    Chief Security Officer (CSO) 162, 165, 178
    Director of Security 4, 11
    executive management 2
    general manager 171
    local administrator 189
    lower management 2
    middle management 2
    programmer 6
    resource owner 5, 6, 8, 33, 38, 171
    security administrator 4, 6, 10, 13, 14, 190, 201, 203
    security director 6
    security manager 4, 6, 10, 12, 13, 17, 24, 28, 31, 36, 39, 44, 52
    sponsor for the marketing program 17
    systems administrator 172
    systems analysts 17
    technical manager 171
    technicians 171
role definition 185
Role-Based Administration (RBA) 135, 184, 189, 200
    alternative approaches to 187
    cost of 191
    establishing 185
    issues in implementing 191
roles 188
    assigning 14
    creation of 189
RSA algorithm 129

script model 197
script variability 200
Secure Sockets Layer (SSL) 134
secured resource platform 205
SecurID 122
security
    administration 182
    audit 190
    auditing 142
    decisions regarding 28
    developing a functional assessment of 57
    evaluating the security program 29
    identifying the requirements 61
    management 8
    mapping 39
    program 2
    selecting security products 101
security administrator
    differences between security manager and 3
security staff
    reporting to the CIO 9
selective application 187
Sesame 127, 195
signature scanning 138
Simple Network Management Protocol (SNMP) 144
Single Sign-On (SSO) 128, 140, 151, 161, 181, 194
    developing an ESP project for 200
    evaluating products 204
    limiting factors 198
    terminology 194
    tools 146
Single-Point Administration (SPA) 134, 151, 161, 181, 183, 194
    defining 192
Small Office 156
smart card 123, 195
SNA Network 157
soft tokens 123
solution
    authorization 195
sourcing strategy 98
SSO 103
staff changes
    assessing the impact of 65
stovepipe 9
surveys 17
System Administrator Tool for Analyzing Networks (SATAN) 145

technical white paper 105
technologies
    matching vs. identification 127
technology-based domain 42
tools
    @Risk 83
    broker-based SSO 197
    certificate-management 136
    modeling 83
    risk audit 83
    Risk Watch 84
    security 55
    systems management 35
transact patterns 79
trust 72, 130
trust concepts
    applying 74
    establishing 72
trust modeling
    vs. risk assessment 74

upward marketing 104, 109, 170, 172
    developing communications 23
    using media in 24

vendor viability 206
Virtual Private Network (VPN) 167
virus 135
    methods for controlling 138

Web Single Sign On (Web SSO) 134
