Building a Global Information Assurance Program

OTHER AUERBACH PUBLICATIONS

The ABCs of IP Addressing, Gilbert Held, ISBN: 0-8493-1144-6; Information Security Management Handbook, 4th Edition, Volume 4, Harold F. Tipton and Micki Krause, Editors, ISBN: 0-8493-1518-2; The ABCs of TCP/IP, Gilbert Held, ISBN: 0-8493-1463-1; Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, Thomas R. Peltier, ISBN: 0-8493-1137-3; Building an Information Security Awareness Program, Mark B. Desman, ISBN: 0-8493-0116-5; Building a Wireless Office, Gilbert Held; Information Security Risk Analysis, Thomas R. Peltier; ISBN: 0-8493-1271-X; ISBN: 0-8493-0880-1; The Complete Book of Middleware, Judith Myerson; A Practical Guide to Security Engineering and Information Assurance, Debra Herrmann; ISBN: 0-8493-1272-8; ISBN: 0-8493-1163-2; Computer Telephony Integration, 2nd Edition, William A. Yarberry, Jr.; The Privacy Papers: Managing Technology and Consumers, Employee, and Legislative Action, Rebecca Herold; ISBN: 0-8493-1438-0; ISBN: 0-8493-1248-5; Cyber Crime Investigator's Field Guide, Bruce Middleton, ISBN: 0-8493-1192-6; Secure Internet Practices: Best Practices for Securing Systems in the Internet and e-Business Age, Patrick McBride, Jody Patilla, Craig Robinson, Peter Thermos, and Edward P. Moser; Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Albert J. Marcella and Robert S. Greenfield, Editors; ISBN: 0-8493-1239-6; ISBN: 0-8493-0955-7; Securing and Controlling Cisco Routers, Peter T. Davis, ISBN: 0-8493-1290-6; Global Information Warfare: How Businesses, Governments, and Others Achieve Objectives and Attain Competitive Advantages, Andy Jones, Gerald L. Kovacich, and Perry G. Luzwick; Securing E-Business Applications and Communications, Jonathan S. Held and John R. Bowers; ISBN: 0-8493-1114-4; ISBN: 0-8493-0963-8; Information Security Architecture, Jan Killmeyer Tudor; Securing Windows NT/2000: From Policies to Firewalls, Michael A. Simonyi; ISBN: 0-8493-9988-2; ISBN: 0-8493-1261-2; Information Security Management Handbook, 4th Edition, Volume 1, Harold F. Tipton and Micki Krause, Editors; Six Sigma Software Development, Christine B. Tayntor; ISBN: 0-8493-9829-0; ISBN: 0-8493-1193-4; Information Security Management Handbook, 4th Edition, Volume 2, Harold F. Tipton and Micki Krause, Editors; A Technical Guide to IPSec Virtual Private Networks, James S. Tiller; ISBN: 0-8493-0800-3; ISBN: 0-8493-0876-3; Information Security Management Handbook, 4th Edition, Volume 3, Harold F. Tipton and Micki Krause, Editors; Telecommunications Cost Management, Brian DiMarsico, Thomas Phelps IV, and William A. Yarberry, Jr.; ISBN: 0-8493-1127-6; ISBN: 0-8493-1101-2.

(Where the two-column catalogue listed two ISBNs side by side, both are kept in their original order; the page does not make clear which ISBN belongs to which title in those pairs.)

AUERBACH PUBLICATIONS, www.auerbach-publications.com. To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 • E-mail: [email protected]

Building a Global Information Assurance Program
Raymond J. Curts, Ph.D.
Douglas E. Campbell, Ph.D.
AUERBACH PUBLICATIONS, A CRC Press Company
Boca Raton, London, New York, Washington, D.C.

This edition published in the Taylor & Francis e-Library, 2005. "To purchase your own copy of this or any of Taylor & Francis or Routledge's collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk."

Library of Congress Cataloging-in-Publication Data
Curts, Raymond J.
Building a global information assurance program / Raymond J. Curts, Douglas E. Campbell.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1368-6 (alk. paper)
1. Computer security. 2. Data protection. I. Campbell, Douglas E., 1954– II. Title
QA76.9 .A25 C874 2002
005.8—dc21 20020278 CIP

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Publications Web site at www.auerbach-publications.com

© 2003 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-1368-6
Library of Congress Card Number 20020278
ISBN 0-203-99755-7 Master e-book ISBN

Contents

1 Introduction to Information Assurance ..... 1
    Availability ..... 3
    Integrity ..... 3
    Authentication ..... 3
    Confidentiality ..... 4
    Nonrepudiation ..... 5
    Summary ..... 6

2 Basic Concepts ..... 9
    Attributes ..... 10
    Information Attributes ..... 11
    Pure Information Attributes ..... 12
    Attributes Partially Influenced by the System ..... 13
    Attributes Directly Influenced by the System ..... 14
    System Attributes ..... 19
    The Bottom Line, Revisited ..... 27
    Information Assurance ..... 27
    Commercial Capabilities ..... 29
    Security ..... 29
    Network Views ..... 30
    Risk Management ..... 31
    Information Concepts ..... 31
    Reasoning ..... 41
    Types of Logic ..... 43
    Summary ..... 45

3 Risk, Threat, and Vulnerability Assessments ..... 47
    Why Perform an Assessment? ..... 51
    The New Reality of Risk Management ..... 74
    Risk Management Policy for Tomorrow ..... 74
    Information Systems Risk Management ..... 75
    Risk Assessment ..... 75

4 Overview of Systems Engineering ..... 77
    A Systems Engineering Case Study ..... 78
    Case Study Background ..... 80
    The Mission ..... 80
    The Goal ..... 82
    An Approach Toward a Solution ..... 84
    CASE Tools: A Means of Managing Architectural Information .....