Saturday, September 1, 2007

Risk Analysis and the Security Survey, Third Edition (Hardcover)

Product Details
  • Hardcover: 392 pages
  • Publisher: Butterworth-Heinemann; 3 edition (February 22, 2006)
  • Language: English
  • ISBN-10: 0750679220
  • ISBN-13: 978-0750679220
  • Product Dimensions: 10.3 x 7.4 x 1.2 inches
Editorial Reviews
Review
Security is an element of risk management, asserts James F. Broder in the third edition of his classic Risk Analysis and the Security Survey. And he ably backs up that statement in this wonderfully written book, which should be required reading for all current and future security professionals. - Jerry D. Loghry, Security Management, March 2007

Review
'...it provides the reader with a thorough understanding of the vital subjects of risk analysis and the art/science of conducting and producing effective, results-oriented security surveys. It is written to meet the needs of security professionals from student to master. Broder and his contributing authors have addressed today's changes while retaining the spirit, quality, and fundamental principles described in the first edition. As we evolve into an information-based society, the principles and advice in this book will serve the reader well, particularly when dealing with the increasing demands of asset protection, information protection, high technology issues, terrorism, and unknown risks. An excellent book in its original iteration, this edition is far superior to the first. It is highly recommended both as an excellent resource and as a study aid for the CPP examination.' - Security Management

This text sets out to understand the principles of risk analysis and to relate these to security students and professionals. Its aim is to help those individuals produce more effective results-oriented security surveys geared to the ever-changing needs of the organization. -The Computer Law and Security Report

The text takes the reader through the relevant issues based on a fundamental philosophy of risk control that the program should be as self-sufficient as possible in all matters pertaining to security. -The Computer Law and Security Report

As a study text for those involved in security risk analysis this book would be an important addition to a professional's library, but it would also be very valuable to an investigator involved in post-incident investigations. -The Institute of Professional Investigators

The 1984 edition was still in the ASIS "top-ten" before the compilation of this volume, indicating what security professionals think of its value as a security text book. -The Institute of Professional Investigators

Book Description
Security and risk management are principally concerned with the protection and conservation of corporate assets and resources. The task of protection continues to be an increasingly complex one in a time when technology is creating new products (and thus risk) at an explosive rate. Add this to the crime rate -- now aggravated by domestic and international terrorism -- and the importance of risk analysis and evaluation to design proper protection becomes self-evident.

With an awareness of the growing threat of global terrorism, the third edition of RISK ANALYSIS AND THE SECURITY SURVEY has been completely updated. It includes two new chapters covering disaster recovery planning, mitigation, and the evolving methodologies that are a result of the Homeland Security Act. The following topics are also added and covered among the various chapters: contingency planning, testing of the disaster response plan, managing during a crisis, maintaining and testing a response plan (team drills, etc.), bomb threats and suicide bombings, and prevention techniques to better prepare businesses for new post-9/11 security risks.

- Covers Business Impact Analysis (BIA), Project Planning, Data Collection, Data Analysis and Report of Findings, and Prediction of Criminal Behavior
- Presents updated statistical information and practical case examples
- Helps professionals and students produce more effective results-oriented security surveys

Card catalog description
"Risk Analysis and the Security Survey, Second Edition provides an understanding of the principles of risk analysis to security students and professionals. It will help them produce more effective, results-oriented security surveys geared to the ever-changing needs of the organization."--BOOK JACKET. "The most fundamental philosophy of risk control, design, and implementation is to make the program as self-sufficient as possible in all matters pertaining to security. This includes the two-sided coin of risk control: (1) the protection of assets by identifying, analyzing, and prioritizing the risk, and (2) contingency and disaster recovery planning."--BOOK JACKET.

About the Author
James F. Broder, CFE, CPP, BCFE, has more than 35 years' experience in security and law enforcement. He has worked as a security executive, instructor, and consultant, as well as having served in Vietnam as a Police Advisor in the Counter Insurgency Directorate, Vietnamese National Police. A former FBI Special Agent and employee of the US State Department, Mr. Broder is considered to be one of the most highly recognized security authorities in the United States.


Table of Contents

Acknowledgments
Introduction
1. RISK
2. VULNERABILITY AND THREAT IDENTIFICATION
3. RISK MEASUREMENT
4. QUANTIFYING AND PRIORITIZING LOSS POTENTIAL
5. COST/BENEFIT ANALYSIS
6. THE SECURITY SURVEY: AN OVERVIEW
7. MANAGEMENT AUDIT TECHNIQUES AND THE PRELIMINARY SURVEY
8. THE SURVEY REPORT
9. CRIME PREDICTION
10. DETERMINING INSURANCE REQUIREMENTS
11. BUSINESS IMPACT ANALYSIS
12. BUSINESS CONTINUITY PLANNING
13. PLAN DOCUMENTATION
14. RESPONSE PLANNING
15. CRISIS MANAGEMENT PLANNING FOR KIDNAP, EXTORTION, OR RANSOM
16. MONITORING SAFEGUARDS
17. THE SECURITY CONSULTANT

APPENDICES
A. Security Survey Work Sheets
B. Danger Signs of Fraud, Embezzlement, and Theft
C. Professional Practices for Business Continuity Plan
D. Sample BIA Introduction Letter
E. Sample Kidnap and Ransom Contingency Plan
F. How to Establish Notice
G. Handling Media Inquiries
H. Security System Specifications
I. Sample Introduction Memorandum: Disaster Recovery Planning
Index

Physical Security Primer

In this article we continue our detailed look at applying physical security whenever and wherever possible; this installment covers backup power. Let’s take a look at what you can do to make sure that power remains a reality at your facility, home or office.

If you missed the first article in this series please go read Windows 2000 and 2003 Server Physical/Logical Security Primer (Part 1).

Power is essential to running computer systems. Without electrical power, there would be no 1s and 0s. As administrators, we therefore need to assess our physical security with respect to unfavorable environmental conditions, which inevitably lead to ‘power failures’. A power failure can put your company out of business if you don’t have a backup source of power, and even worse, if you don’t have conditioners on your line, it can ‘ruin’ your equipment. Power supplies that take a massive surge usually don’t fare too well afterwards.

Physical Security Primer (Part 2)

In Part 1, we entered the mind of the villain and covered, ‘very generally’, what you should be looking at from a very high level. In Part 2, we look at other things you can do to implement physical security to better defend against attack. For one, you can consider backup power.


Backup Power Systems

There are several types of power backup capabilities and choosing the right one should be done after the total cost of anticipated downtime and its effects are calculated.

  • You have to assume you will have a power outage at some point, so assess how you would recover from it. A UPS (Uninterruptible Power Supply: a battery-powered backup for an AC line supply, commonly used with personal computers) may not be enough to sustain long-term operations; then you would need a generator.
  • Amazingly enough, deriving the total cost per hour for backup power is nothing more than dividing the annual expenditures by the annual standard hours of use.
  • There are large and small issues that can cause power failure or fluctuations, so don’t think it’s only major power blackouts that create a problem. A small power surge from ESD (Electrostatic Discharge) would be enough to damage a computer motherboard, rendering it useless.
  • A low-cost mechanism to generate power in time of need is to have generators in place.
  • I mentioned generators earlier; they are a great source of backup power that can be kept running longer than UPS power. UPS power is very short term: it’s only really meant to give your servers time to log users out and shut down properly so the operating system doesn’t crash and data doesn’t get corrupted or lost. UPS systems are glorified line conditioners that keep the hardware from being damaged by power surges, and in a power failure the UPS battery is used to get the server shut down quickly and properly. A generator is used for the ongoing period, during which full power should be restored to all your systems.
  • Some generators have sensors to detect power failure and will start automatically, which is a huge plus for off-hours power failures.
  • Thresholds can be calibrated to best serve an environment; depending on the type and size of the generator, it might provide power for minutes or days.
  • Now that we have discussed the differences between UPS systems and generators, let’s wrap this up with some considerations for both.
  • Generators are used for the long term. You should consider having one onsite so that if you sustain a long-term power hit you can run gas tanks back and forth to the generator, but at least your systems will have power.
  • Issues to consider with UPS systems:
    • Size of load the UPS can support. The battery can only support so much ‘pull’ from the devices plugged into it. Most UPS systems come with indicator lights (and buzzers) that let you know when you are exceeding the UPS’s power capacity.
    • How long it can support the load, which is all the plugged-in devices requesting its power (the battery duration needs to be considered for purchase).
    • Even UPSs fail, so for complete redundancy there are UPS transfer switches that make the UPS itself redundant; I highly recommend those too.
    • You want your UPS to have a certain battery life before it’s tapped out. I suggest getting ones with long battery life. Sometimes you need to log users out of a server and shut down a million applications and processes; every second counts when there is a failure, so give yourself as much of a chance as possible.
    • UPSs naturally offer surge protection and line conditioning.
    • UPSs also offer EMI and RFI (electromagnetic and radio frequency interference) filtering.
    • Consider using devices with high MTBF values. MTBF (Mean Time Between Failures) is nothing more than the expected service life of the device before it starts to fail from wear and tear.
    • Consider getting a device that allows automatic shutdown of systems when power is running out. This is ideal for when you don’t have anyone on staff off hours and your power goes out: the UPS can tell the server that it’s in trouble and then, through a series of commands, the server shuts itself down to avoid being damaged.
  • When the computer must keep running, or when it is convenient to allow a soft shutdown, some self-contained power supply units can save a lot of trouble: they will detect the eventual loss of power due to battery exhaustion and shut down the computer in an orderly manner.
  • There are two main methods of protecting against power issues:
    • Uninterruptible power supply (UPS):
      • A UPS uses batteries that range in size and capacity.
      • The UPS can be either standby or online.
      • Online systems use AC line voltage to charge a bank of batteries.
      • When in use, the UPS has an inverter that changes the DC output from the batteries into the required AC form and regulates the voltage as it powers computer devices.
      • Other than a UPS, a generator is also a form of backup power source.
    • Power line conditioners: a power line conditioner is nothing more than a device that offers a steady flow of regulated power at an exact level. In UPS terms, the UPS draws power from the source and stores it in an internal battery. Any devices plugged into the UPS draw power from the line until a failure, and then rely on the UPS battery to give them power. If the line never fails (and even when it does), the UPS gives a ‘steady and conditioned’ flow of power to the requestors. This is line conditioning.

Problems with Power Current

Never thought there would be so many problems, huh? Well, for a long time I personally worked in a manufacturing plant that was prone to them. Our location was in a place where the power just plain stunk (it still does). Anyway, these things do happen, and they are an important consideration in physical security. If you have no power, you have no business. If that’s not a disaster, I don’t know what is!

Excessive Power

  • Spike: Momentary high voltage
  • Surge: Prolonged high voltage

Loss of Power

  • Fault: Momentary power out
  • Blackout: Prolonged loss of power

Degradation of Power

  • Sag: Momentary low voltage
  • Brownout: Prolonged supply below normal voltage

Interference Issues:

  • Electromagnetic Interference (EMI): EMI can be created by the difference between the three wires (hot, neutral, ground). Lightning and electrical motors also create EMI.
  • Radio Frequency Interference (RFI): Caused by components within electrical systems, such as fluorescent lighting, electric cables, and radio signals. Fluorescent lighting is a common source of RFI.

Power Preventative Measures

  • Use a surge protector
  • Try to make sure a steady electrical current is maintained to any device
  • Use a voltage regulator
  • Proper earth grounding needs to take place
  • EMI should be avoided with shielding
  • RFI should be avoided with proper design (don’t run power lines over fluorescent lighting, etc.)
  • Use three-prong connections with a ground plug instead of ungrounded two-prong plugs
  • Do not plug outlet strips and extension cords into each other

Summary

In this article we covered the basics of Physical Security and backup power. I hope you enjoyed this article, looking at physical security and getting a different perspective on disaster. More to come so stay tuned!

About Robert J. Shimonski

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, technology consultant and published author. Robert's specialties include network infrastructure design, management and the troubleshooting of Microsoft and Cisco products. Robert has in-depth experience with globally deployed Microsoft and Cisco systems. Robert works constantly with new companies to help them forge their designs, as well as to optimize their networks and keep them highly available, secure and disaster free. Robert is the author of many security-related articles and published books, including the best-selling "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). Robert is also the author of the best-selling Security+ Study Guide and DVD Training System (ISBN: 1931836728) and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. Robert can be found online at www.rsnetworks.net.

Article Source : www.windowsecurity.com

Auditing for Increased Security

You will need to audit your systems for enhanced and increased security. When Microsoft laid out this objective, they were most likely thinking about building your security strategy around Defense in Depth. This strategy is outlined as a way to avoid depending on one single protective measure deployed on your network. In other words, to avoid a false sense of security just because you implemented a firewall on your Internet connection, you should implement other security measures such as an IDS (Intrusion Detection System), auditing, and biometrics for access control.

You need to understand that many levels of security (hence, defense in depth) are required to be able to feel, and be, safe from potential threats. A possible Defense in Depth matrix with auditing included could look like the graphic in the figure below.

So now that you know why auditing is so important, you could probably benefit from a good definition of the term ‘auditing’. Auditing is the process of analyzing gathered data for the purpose of determining a possible problem or, in the security arena, an attack or exploit. Auditing is best used on any system that can generate some type of log file that you can save, refer to and analyze, especially over time.

Your security strategy should implement a strong policy on auditing systems. If you are strapped for time, I would suggest you at least implement a policy to audit your most critical systems or the systems that face the Internet. This way, you can be somewhat informed of possible attacks on systems that, if rendered inoperable, could put you out of business.

You should try to determine the level of auditing you need to deploy on your systems, as excessive auditing will generate too many events to view and analyze.

Don’t overdo it

When you are looking at auditing your systems, you really need to do some analysis before the analysis! Do some research and think about what it really is you are trying to determine using auditing. It is not wise to just turn on all auditable events without knowing what it is you are enabling. Excessive auditing could actually cause you to lose logged events if the log is set to overwrite events as needed: excessive logging could push an event you may need to see right out of the readable log you were going to analyze.

There are in fact ways to stop this, which will be discussed within the chapter; but remember, if you blindly turn on auditing without thinking about what you want to accomplish, you could actually lose data. One way to stop this is to adjust the log size so that it will hold more events. Another way is to set the log so that events can only be cleared manually, so you don’t lose data (both will be explained in more detail later in the chapter). Another way is to use add-on products or third-party tools to accumulate your events in one centralized location, such as MOM. You could use a tool like Microsoft Operations Manager, which can help you gather, filter and analyze massive amounts of events from all your systems.

When you perform auditing, each audited event falls into one of two categories:

  • Success: A success event indicates that a user has successfully gained access to a resource.
  • Failure: A failure event indicates that a user has attempted to gain access to a resource but failed.

These two categories tell you many things. If you monitor both, you can find patterns such as a series of logon failures. This may indicate that someone is trying to log on to a system and failing each time. The difficulty in auditing this type of behavior is that it may be an administrator who has forgotten the password or, worse yet, has the caps lock key on while trying to log on; this shows up in the event log in exactly the same way. If you see a series of failures followed by a success, then either the administrator figured out the error or, if it was an attack, the attacker was able to breach the system. This is how success and failure auditing work in conjunction with one another.
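The failures-then-success pattern described above, as an added Python example that is not part of the article: it runs over a few constructed Success/Failure audit records (the record format, the account names and the function names are my own, not a real event-log format) and reports, per account, a run of failures closed by a success separately from a run of failures with no success, so an analyst can follow up on the former with the article's caveat in mind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, not real event-log output. Each line is
# "timestamp,category,account,source" where category is the article's Success/Failure.
SAMPLE_LOG = """\
2007-09-01 08:00:05,Failure,administrator,WKS-12
2007-09-01 08:00:09,Failure,administrator,WKS-12
2007-09-01 08:00:14,Failure,administrator,WKS-12
2007-09-01 08:00:21,Success,administrator,WKS-12
2007-09-01 08:15:00,Success,jsmith,WKS-03
2007-09-01 09:30:00,Failure,jsmith,WKS-03
2007-09-01 09:30:40,Success,jsmith,WKS-03
2007-09-01 23:10:01,Failure,svc_backup,WKS-77
2007-09-01 23:10:02,Failure,svc_backup,WKS-77
2007-09-01 23:10:03,Failure,svc_backup,WKS-77
2007-09-01 23:10:04,Failure,svc_backup,WKS-77
2007-09-01 23:10:05,Failure,svc_backup,WKS-77
"""


def parse_log(text):
    """Turn the constructed text format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, category, account, source = line.split(",")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "category": category,
            "account": account,
            "source": source,
        })
    events.sort(key=lambda e: e["time"])
    return events


def _finding(account, run, pattern):
    return {
        "account": account,
        "pattern": pattern,
        "failures": len(run),
        "sources": sorted({e["source"] for e in run}),
        "first": run[0]["time"],
        "last": run[-1]["time"],
    }


def find_logon_patterns(events, min_failures=3, window=timedelta(minutes=5)):
    """Per account, collect runs of Failure events that fall within `window` of the
    run's first failure and report:
      - failures_then_success: >= min_failures Failures closed by a Success
        (forgotten password / caps lock, or a successful guess: follow up either way)
      - repeated_failures: >= min_failures Failures with no Success in the window
    A single failure (jsmith's one typo) stays below the threshold and is not reported."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    findings = []
    for account, evs in by_account.items():
        run = []
        for e in evs:
            # The run expires when the next event is outside the window.
            if run and e["time"] - run[0]["time"] > window:
                if len(run) >= min_failures:
                    findings.append(_finding(account, run, "repeated_failures"))
                run = []
            if e["category"] == "Failure":
                run.append(e)
            else:
                if len(run) >= min_failures:
                    findings.append(_finding(account, run, "failures_then_success"))
                run = []
        if len(run) >= min_failures:
            findings.append(_finding(account, run, "repeated_failures"))
    return findings


def summarize(findings):
    """Map account -> pattern name; handy for a quick report or a dashboard."""
    return {f["account"]: f["pattern"] for f in findings}


if __name__ == "__main__":
    for f in find_logon_patterns(parse_log(SAMPLE_LOG)):
        print(f"{f['account']:<14} {f['pattern']:<22} failures={f['failures']} "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} from {','.join(f['sources'])}")
```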

In our next articles, we will look at how to set up auditing with Windows 2000.

Article Source : www.windowsecurity.com

Risk Assessment and Threat Identification

Although you’ve gathered a considerable amount of data to this point, you will need to analyze this information to determine the probability of a risk occurring, what is affected, and the costs involved with each risk. Once you’ve identified the risks that can pose a probable threat to your company, and determined how much loss can be expected from an incident, you are then prepared to make decisions on how to protect your company.

Risk Assessment

Although you’ve gathered a considerable amount of data to this point, you will need to analyze this information to determine the probability of a risk occurring, what is affected, and the costs involved with each risk. Assets will have different risks associated with them, and you will need to correlate different risks with each of the assets inventoried in a company. Some risks will impact all of the assets of a company, such as the risk of a massive fire destroying a building and everything in it, while in other cases groups of assets will be affected by specific risks.

Assets of a company will generally have multiple risks associated with them. Equipment failure, theft, or misuse can affect hardware, while viruses, upgrade problems, or bugs in the code may affect software. By looking at the weight of importance associated with each asset, you should then prioritize which assets will be analyzed first, and then determine what risks are associated with each.

Once you’ve determined what assets may be affected by different risks, you then need to determine the probability of a risk occurring. While there may be numerous threats that could affect a company, not all of them are probable. For example, a tornado is highly probable for a business located in Oklahoma City, but not highly probable in New York City. For this reason, a realistic assessment of the risks must be performed.

Historical data can provide information on how likely it is that a risk will become reality within a specific period of time. Research must be performed to determine the likelihood of risks within a locality or with certain resources. By determining the likelihood of a risk occurring within a year, you can determine what is known as the Annualized Rate of Occurrence (ARO).

Information for risk assessment can be acquired through a variety of sources. Police departments may be able to provide crime statistics on the area your facilities are located, allowing you to determine the probability of vandalism, break-ins, or dangers potentially encountered by personnel. Insurance companies will also provide information on risks faced by other companies, and the amounts paid out when these risks became reality. Other sources may include news agencies, computer incident monitoring organizations, and online resources.

Once the ARO has been calculated for a risk, you can then compare it to the monetary loss associated with an asset. This is the dollar value that represents how much money would be lost if the risk occurred. You can calculate this by looking at the cost of fixing or replacing the asset. For example, if a router failed on a network, you would need to purchase a new router, and pay to have the new one installed. In addition to this, the company would also have to pay for employees who aren’t able to perform their jobs because they can’t access the network. This means that the monetary loss would include the price of new equipment, the hourly wage of the person replacing the equipment, and the cost of employees unable to perform their work. When the dollar value of the loss is calculated, this provides total cost of the risk, or the Single Loss Expectancy (SLE).

To plan for the probable risk, you would need to budget for the possibility that the risk will happen. To do this, you use the ARO and the SLE to find the Annual Loss Expectancy (ALE). To illustrate how this works, let’s say that the probability of a Web server failing is 30 percent. This would be the ARO of the risk. If the e-commerce site hosted on this server generates $10,000 an hour and the site is estimated to be down two hours while the system is repaired, then the cost of this risk is $20,000. In addition to this, there would also be the cost of replacing the server itself. If the server cost $6,000, this would increase the cost to $26,000. This would be the SLE of the risk. By multiplying the ARO and the SLE, you would find how much money would need to be budgeted to deal with this risk. This formula provides the ALE:

ARO x SLE = ALE

When looking at the example of the failed server hosting an e-commerce site, this means the ALE would be:

0.3 x $26,000 = $7,800

To deal with the risk, you need to assess how much needs to be budgeted to deal with the probability of the event occurring. The ALE provides this information, leaving you in a better position to recover from the incident when it occurs.

Exercise: Determining the Annual Loss Expected to Occur From Risks

A widget manufacturer has installed new network servers, changing its network from a peer-to-peer network to a client/server-based network. The network consists of 200 users who make an average of $20 an hour, working on 100 workstations. Previously, none of the workstations involved in the network had anti-virus software installed on the machines. This was because there was no connection to the Internet, and the workstations didn’t have floppy disk drives or Internet connectivity, so the risk of viruses was deemed minimal. One of the new servers provides a broadband connection to the Internet, which employees can now use to send and receive email, and surf the Internet. One of the managers read in a trade magazine that other widget companies have reported an 80 percent chance of viruses infecting their network after installing T1 lines and other methods of Internet connectivity, and that it may take upwards of three hours to restore data that’s been damaged or destroyed. A vendor will sell licensed copies of anti-virus software for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to determine the annual loss that can be expected from viruses, and determine if it is beneficial in terms of cost to purchase licensed copies of anti-virus software.

1. What is the Annualized Rate of Occurrence (ARO) for this risk?

2. Calculate the Single Loss Expectancy (SLE) for this risk.

3. Using the formula ARO x SLE = ALE, calculate the Annual Loss Expectancy.

4. Determine whether it is beneficial in terms of monetary value to purchase the anti-virus software by calculating how much money would be saved or lost by purchasing the software.

ANSWERS TO EXERCISE QUESTIONS

1. The Annualized Rate of Occurrence (ARO) is the likelihood of a risk occurring within a year. The scenario states that trade magazines calculate an 80% risk of virus infection after connecting to the Internet, so the ARO is 80% or .8.

2. The Single Loss Expectancy (SLE) is the dollar value of the loss that equals the total cost of the risk. In the case of this scenario, there are 200 users who make an average of $20 per hour. Multiplying the number of employees who are unable to work due to the system being down by their hourly income, this means that the company is losing $4,000 an hour (200 x $20 = $4000). Because it may take up to three hours to repair damage from a virus, this amount must be multiplied by three because employees will be unable to perform duties for approximately three hours. This makes the SLE $12,000 ($4,000 x 3 = $12,000).

3. The ALE is calculated by multiplying the ARO by the SLE (ARO x SLE = ALE). In this case, this would mean that you would multiply $12,000 by 80 percent (.8) to give you $9,600 (.8 x $12,000 = $9,600). Therefore, the ALE is $9,600.

4. Because the ALE is $9,600, and the cost of the software that will minimize this risk is $4,700 per year, this means that the company would save $4,900 per year by purchasing the software ($9,600 - $4,700 = $4900).
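The ARO x SLE = ALE arithmetic from the Web server example and the exercise answers above, as an added Python example that is not part of the article: it builds the SLE from replacement cost plus downtime cost, ranks risks by ALE so the largest expected loss is analyzed first, and weighs a safeguard's annual cost against the ALE it removes. The `Risk` class, `rank_by_ale` and `control_value` are my names; the `residual_aro` parameter goes beyond the exercise, which assumes the anti-virus software eliminates the risk entirely.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk against one asset, with the inputs the article uses to build the SLE."""
    name: str
    aro: float                  # Annualized Rate of Occurrence (probability per year)
    replacement_cost: float     # cost to fix or replace the asset itself
    downtime_hours: float       # hours the asset is unavailable per incident
    hourly_loss: float          # lost revenue or idle wages per hour of downtime

    def sle(self):
        """Single Loss Expectancy: replacement cost plus downtime cost of one incident."""
        return round(self.replacement_cost + self.downtime_hours * self.hourly_loss, 2)

    def ale(self):
        """Annual Loss Expectancy: ARO x SLE, i.e. what to budget per year for this risk."""
        return round(self.aro * self.sle(), 2)


def rank_by_ale(risks):
    """Order risks so the largest expected annual loss is analyzed (and budgeted) first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_value(risk, annual_cost, residual_aro=0.0):
    """Net annual value of a safeguard: the ALE it removes minus what it costs.
    residual_aro is the ARO that remains once the control is in place; the exercise
    assumes the anti-virus software removes the risk entirely (residual 0), and a
    positive result means buying the control is cheaper than living with the risk."""
    remaining = Risk(risk.name, residual_aro, risk.replacement_cost,
                     risk.downtime_hours, risk.hourly_loss)
    return round(risk.ale() - remaining.ale() - annual_cost, 2)


# The article's two worked cases, reconstructed from its numbers.
WEB_SERVER = Risk("e-commerce Web server failure", aro=0.3,
                  replacement_cost=6_000, downtime_hours=2, hourly_loss=10_000)
VIRUS = Risk("virus outbreak at the widget manufacturer", aro=0.8,
             replacement_cost=0, downtime_hours=3, hourly_loss=200 * 20)


if __name__ == "__main__":
    for r in rank_by_ale([WEB_SERVER, VIRUS]):
        print(f"{r.name}: SLE ${r.sle():,.0f}  ALE ${r.ale():,.0f}")
    print(f"anti-virus at $4,700/yr nets ${control_value(VIRUS, 4_700):,.0f}/yr")
    # A control that only halves the ARO is still worth buying, but only just.
    print(f"if it only halves the ARO: ${control_value(VIRUS, 4_700, residual_aro=0.4):,.0f}/yr")
```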

Threat Identification

Once you’ve identified the risks that can pose a probable threat to your company, and determined how much loss can be expected from an incident, you are then prepared to make decisions on how to protect your company. After performing a risk assessment, you may find a considerable number of probable threats that can affect your company. These may include intrusions, vandalism, theft, or other incidents and situations that may vary from business to business. This may make any further actions dealing with risk management seem impossible.

The first thing to realize is that there is no way to eliminate every threat that may affect your business. There is no such thing as absolute security. To make a facility absolutely secure would be excessive in price, and it would be so secure that no one would be able to enter and do any work. The goal is to manage risks, so that the problems resulting from them will be minimized.

The other important issue to remember is that some threats will be excessive in cost to prevent. For example, there are a number of threats that can impact a server. Viruses, hackers, fire, vibrations, and other risks are only a few. To protect the server, it is possible to install security software (such as anti-virus software and firewalls) and make the room fireproof, earthquake proof, and secure from any number of threats. The cost of doing so, however, will eventually become more expensive than the value of the asset. It would be wiser to back up the data, install a firewall and anti-virus software, and run the risk that other threats will not happen. The rule of thumb is to decide which risks are acceptable.

After calculating the loss that may be experienced from a threat, you will need to find cost-effective measures of protecting yourself. To do this, you will need to identify which threats will be dealt with and how. Decisions will need to be made by management as to how to proceed, based on the data you’ve collected on risks. In most cases, this will involve devising methods of protecting the asset from threats. This may involve installing security software, implementing policies and procedures, or adding additional security measures to protect the asset.

You may decide that the risks involved with an asset are too high, and the costs to protect it are too high, as well. In such cases, the asset should be moved to another location, or eliminated completely. For example, if there is a concern about a Web server affected by vibrations from earthquakes in California, then moving the Web server to the branch office in New York nullifies the threat. By removing the asset, you subsequently eliminate the threat of it being damaged or destroyed.

Another option is to transfer the potential loss associated with a threat to another party. Insurance policies can be taken out insuring the asset, so that if any loss occurs the company can be reimbursed through the policy. Leasing equipment or services through another company can also transfer the risk. If a problem occurs, the leasing company will be responsible for fixing or replacing the assets involved.

Finally, the other option is to do nothing about the potential threat, and live with the consequences (if they occur). This happens more often than you'd expect, especially when you consider that security is a tradeoff. Every security measure put in place makes it more difficult to access resources and requires more steps for people to do their jobs. A company may have broadband Internet connectivity through a T1 line for employees working from computers inside the company, and live with the risk that they may download malicious programs. While this is only one possible situation where a company will live with a potential threat (and gamble that it stays "potential" only), it does show that in some situations, it is preferable to have the threat rather than to lose a particular service.
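The four treatment options described above (protect the asset, remove or relocate it, transfer the loss, or accept it) can be worked through with a small calculation. The following Python script is an added example from the editor, not code from the article or its author. It uses a simple annualised expected-loss model (asset value times the fraction lost times the yearly likelihood), which is an assumption of this example rather than the article's own formula, and every figure in it (the server's value, the likelihoods, the control costs, the risk appetite) is a constructed sample value.

```python
"""Risk-treatment worked example (added by the editor; not from the article).

Model (an assumption of this example, not the article's own formula):

    expected_loss = asset_value * impact_fraction * annual_likelihood

A control is adopted when its annual cost is lower than the expected loss
it removes. A control whose cost meets or exceeds the asset's value is
rejected outright (the article's "more expensive than the value of the
asset" case). Residual loss left after the adopted controls is either
accepted, if it falls within a stated risk appetite, or flagged for
transfer (insurance, leasing) or avoidance (relocate or eliminate the
asset). All numbers below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    annual_likelihood: float    # probability the threat materialises in a year
    impact_fraction: float      # share of the asset's value lost when it does


@dataclass
class Control:
    name: str
    annual_cost: float
    reduces: Dict[str, float]   # threat name -> fraction of that loss removed


@dataclass
class Asset:
    name: str
    value: float
    threats: List[Threat]


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Annualised expected loss from one threat against one asset."""
    return asset.value * threat.impact_fraction * threat.annual_likelihood


def control_benefit(asset: Asset, control: Control) -> float:
    """Expected loss a control removes per year, summed over the threats it covers.

    Overlap between controls is ignored here; treatment_plan() applies the
    reductions multiplicatively when it computes what is left.
    """
    by_name = {t.name: t for t in asset.threats}
    return sum(expected_loss(asset, by_name[n]) * frac
               for n, frac in control.reduces.items() if n in by_name)


def treatment_plan(asset: Asset, controls: List[Control], risk_appetite: float) -> dict:
    """Decide which controls to buy and how to treat what remains of each threat."""
    adopted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for c in controls:
        if c.annual_cost >= asset.value:
            rejected.append((c.name, "cost exceeds asset value"))
        elif c.annual_cost >= control_benefit(asset, c):
            rejected.append((c.name, "cost exceeds expected loss removed"))
        else:
            adopted.append(c.name)

    residual: Dict[str, Tuple[float, str]] = {}
    for t in asset.threats:
        remaining = expected_loss(asset, t)
        for c in controls:
            if c.name in adopted and t.name in c.reduces:
                remaining *= (1.0 - c.reduces[t.name])
        remaining = round(remaining, 2)   # round before comparing to avoid float noise
        treatment = "accept" if remaining <= risk_appetite else "transfer or avoid"
        residual[t.name] = (remaining, treatment)
    return {"adopt": adopted, "reject": rejected, "residual": residual}


def sample_scenario() -> Tuple[Asset, List[Control]]:
    """Constructed scenario mirroring the article's server example (sample values only)."""
    server = Asset("web server", 50_000.0, [
        Threat("malware", annual_likelihood=0.5, impact_fraction=0.4),
        Threat("fire", annual_likelihood=0.01, impact_fraction=1.0),
        Threat("earthquake", annual_likelihood=0.05, impact_fraction=1.0),
        Threat("hardware failure", annual_likelihood=0.2, impact_fraction=0.5),
    ])
    controls = [
        Control("antivirus and firewall", 2_000.0, {"malware": 0.8}),
        Control("offsite backups", 1_500.0,
                {"fire": 0.6, "earthquake": 0.6, "hardware failure": 0.7, "malware": 0.1}),
        Control("fireproof server room", 4_000.0, {"fire": 0.9}),
        Control("seismic hardening", 60_000.0, {"earthquake": 0.9}),
    ]
    return server, controls


if __name__ == "__main__":
    asset, controls = sample_scenario()
    plan = treatment_plan(asset, controls, risk_appetite=1_500.0)
    print("adopt:  ", plan["adopt"])
    print("reject: ", plan["reject"])
    for name, (loss, how) in plan["residual"].items():
        print(f"{name:17s} residual {loss:8.2f}/yr -> {how}")
```

With the sample figures, anti-virus plus a firewall and offsite backups pay for themselves, the fireproof room costs more than the fire loss it would prevent, and seismic hardening costs more than the server itself, which is exactly the point in the text where relocating the asset becomes the sensible move. Malware remains above the stated appetite even after the adopted controls, so it is flagged for transfer or avoidance; the other three residuals are accepted.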

About Robert J. Shimonski

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, technology consultant and published author. Robert's specialties include network infrastructure design, management and the troubleshooting of Microsoft and Cisco products. Robert has in-depth experience with globally deployed Microsoft and Cisco systems. Robert works with new companies constantly to help them forge their designs, as well as to optimize their networks and keep them highly available, secure and disaster free. Robert is the author of many security-related articles and published books, including the best-selling "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). Robert is also the author of the best-selling Security+ Study Guide and DVD Training System (ISBN: 1931836728) and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. Robert can be found online at www.rsnetworks.net.

Article Source : www.windowsecurity.com

ISO/IEC 27799

From Wikipedia, the free encyclopedia

ISO/IEC 27799 is an information security standard currently being developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its current title is Information Security Management in Health using ISO/IEC 27002.

The purpose of ISO/IEC 27799 is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO 17799/ISO 27002.

The content sections are:

  • 1: Scope
  • 2: References
  • 3: Terminology
  • 4: Symbols
  • 5: Health information security
  • 6: Practical Action Plan for Implementing ISO 17799/27002
  • 7: Healthcare Implications of ISO 17799/27002
  • 8: Annex A: Threats
  • 9: Annex B: Tasks and documentation of the ISMS
  • 10: Annex C: Potential benefits and tool attributes
  • 11: Annex D: Related standards

ISO/IEC 27006

From Wikipedia, the free encyclopedia


ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled IT Security techniques: Requirements for bodies providing audit and certification of Information Security Management Systems (ISMS).

ISO/IEC 27006 offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. ISO/IEC 27006 effectively replaces EA 7/03 (Guidelines for the Accreditation of Bodies Operating Certification/Registration of Information Security Management Systems).

Outline of the Standard

The standard contains the following ten sections:

  • 1: Scope;
  • 2: References;
  • 3: Terms;
  • 4: Principles;
  • 5: General Requirements;
  • 6: Structural Requirements;
  • 7: Resource Requirements;
  • 8: Information Requirements;
  • 9: Precise Requirements;
  • 10: Management System Requirements.

ISO/IEC 27003

From Wikipedia, the free encyclopedia


ISO/IEC 27003 is an information security standard currently being developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its current title is Information Technology - Security techniques - Information security management system implementation guidance.

The purpose of ISO/IEC 27003 is to provide help and guidance in implementing an ISMS (Information Security Management System). Publication is not expected until late 2008 or early 2009.

Outline of the Standard

The proposed standard originally contained the following sections:

  • 1. Introduction
  • 2. Scope
  • 3. Terms & Definitions
  • 4. CSFs (Critical success factors)
  • 5. Guidance on process approach
  • 6. Guidance on using PDCA
  • 7. Guidance on Plan Process
  • 8. Guidance on Do Process
  • 9. Guidance on Check Process
  • 10. Guidance on Act Process
  • 11. Inter-Organization Co-operation