INTRODUCTION
- Who Should Read This Book
- How This Book Is Organized
- Conventions
PART I: Starting the Policy Process
Chapter 1: What Information Security Policies Are
- About Information Security Policies
- Why Policies Are Important
- When Policies Should Be Developed
- Mitigating Liability
- After a Security Breach
- Document Compliance
- Demonstrate Quality Control Processes
- How Policies Should Be Developed
- Define What Policies Need to Be Written
- Perform a Risk Assessment/Analysis or Audit
- Review, Approval, and Enforcement
- Summary
Chapter 2: Determining Your Policy Needs
- Identify What Is to Be Protected
- Hardware and Software
- Non-Computer Resources
- Inventorying Human Resources
- Identify From Whom It Is Being Protected
- Data Security Considerations
- Handling of Data
- Personal and Personnel Data
- Backups, Archival Storage, and Disposal of Data
- Backup Considerations
- Archival Storage of Backups
- Disposing of Data
- Incident Response and Forensics
- Incident Response Strategies
- Summary
Chapter 3: Information Security Responsibilities
- Management Responsibility
- Information Security Management Committee
- Information Ownership
- Assigning Information Ownership
- Security Responsibilities of Information Ownership
- Information Security Compliance Plans
- Role of the Information Security Department
- Use of Consultants for Information Security
- Other Information Security Roles
- Integrating Information Security into the Business Process
- Individual Information Security Roles
- Auditing and Monitoring
- Understanding Security Management and Law Enforcement
- Information Security Awareness Training and Support
- Summary
PART II: Writing the Security Policies
Chapter 4: Physical Security
- Computer Location and Facility Construction
- Facility Construction
- Locks and Barriers
- Environmental Support
- Inventory Maintenance
- Facilities Access Controls
- Building Access Controls
- Restricting Access to Computer Facilities
- Visitors
- Contingency Planning
- Emergency Response Plans
- Disaster Recovery
- Security Alert and Alarms
- General Computer Systems Security
- Preventative Maintenance
- System Availability
- Periodic System and Network Configuration Audits
- Staffing Considerations
- Summary
Chapter 5: Authentication and Network Security
- Network Addressing and Architecture
- Network Planning
- Network Addressing
- Domain Name System (DNS) Configuration
- Network Address Translation
- Other Addressing Concerns
- Policies for Expanding the Network
- Network Access Control
- Gateways
- Virtual Private Networks and Extranets
- Authorization of Services
- Login Security
- Login Requirements and Procedures
- Guests and Other Users
- Login Banners
- Login Controls
- Login Reporting
- Setting Session Restrictions
- User Access Administration
- Working with Special Privileges
- Passwords
- Policies Defining Valid Passwords
- Storage of Passwords
- Special Passwords
- User Interface
- Access Controls
- Telecommuting and Remote Access
- Employee Equipment Guidelines
- Remote Access Data Security Guidelines
- Employee Responsibilities
- Telecommuting and Remote Access Facilities
- Tunneling Through the Internet
- Summary
Chapter 6: Internet Security Policies
- Understanding the Door to the Internet
- Architecture Issues
- Policies Managing Incoming Traffic
- Guarding the Gate
- Network Address Translation
- Allowable Services
- Usenet News
- Administrative Responsibilities
- Maintenance
- Outsourcing Agreements
- Enforcement
- User Responsibilities
- Training
- Understanding What Internet Usage Represents
- Transmitting of Sensitive Information
- Reliability of Downloaded Information
- World Wide Web Policies
- Web Access to Network and Infrastructure
- Security and Maintenance of CGI and Other Support Programs
- Content Enhancers
- Content Control
- Privacy Policy
- User Access to the Web
- Application Responsibilities
- Data and File Transfers
- Authentication of Internet Transactions
- VPNs, Extranets, Intranets, and Other Tunnels
- Modems and Other Backdoors
- Employing PKI and Other Controls
- Electronic Commerce
- Summary
Chapter 7: Email Security Policies
- Rules for Using Email
- Administration of Email
- Establish the Right to Monitor Email
- Handling of Email
- Archiving Email
- Scanning Email
- Limiting the Size of Email
- Use of Email for Confidential Communication
- Encrypting Email for Confidentiality
- Digitally Signing Email
- Summary
Chapter 8: Viruses, Worms, and Trojan Horses
- The Need for Protection
- Establishing the Type of Virus Protection
- Testing for Viruses
- System Integrity Checking
- Distributed and Removable Media
- Rules for Handling Third-Party Software
- User Involvement with Viruses
- Summary
Chapter 9: Encryption
- Legal Issues
- International Encryption Policies
- Liability Concerns
- Managing Encryption
- Handling Encryption and Encrypted Data
- Key Generation Considerations
- Key Management
- Disclosure of Keys
- Key Storage
- Transmission of Keys
- Summary
Chapter 10: Software Development Policies
- Software Development Processes
- Identifying Software Development Responsibilities
- Establishing Software Development Policies
- Access Controls in Software
- Other Policy Considerations
- Authentication Design Rules
- Testing and Documentation
- Generating Test Data
- Testing and Acceptance
- Documentation Requirements
- Revision Control and Configuration Management
- Revision Control Request Procedures
- Configuration Management and Security Fixes
- Configuration Management and Maintenance
- Testing Before Installation
- Installation Procedures
- Third-Party Development
- Policy to Guarantee Integrity
- Restricting Commercial Distribution
- Escrow for Third-Party Software
- Intellectual Property Issues
- Summary
PART III: Maintaining the Policies
Chapter 11: Acceptable Use Policies
- Writing the AUP
- User Login Responsibilities
- Use of Systems and Network
- User Responsibilities
- Organization's Responsibilities and Disclosures
- Monitoring and Examination of Network Data
- Collection of Private Data
- Common Sense Guidelines About Speech
- Summary
Chapter 12: Compliance and Enforcement
- Testing and Effectiveness of the Policies
- Publishing and Notification Requirements of the Policies
- Monitoring, Controlling, and Remedies
- Monitoring
- Controlling
- Remedies
- Administrator's Responsibility
- Logging Considerations
- Reporting of Security Problems
- Handling of Information Security Incident Reporting
- Required Actions
- Auditing and Data Capturing
- Considerations When Computer Crimes Are Committed
- Working With Law Enforcement
- Considerations for the Preservation of Evidence
- Summary
Chapter 13: The Policy Review Process
- Periodic Reviews of Policy Documents
- What Should the Policy Reviews Include?
- The Review Committee
- Summary
PART IV: Appendixes
Appendix A: Glossary
Appendix B: Resources
Appendix C: Sample Policies