A PRACTICAL GUIDE TO SECURITY ENGINEERING AND INFORMATION
ASSURANCE
by Debra S Herrmann
* Examines the impact of both accidental and malicious, intentional action
and
inaction
* Defines the five major components of a comprehensive and effective
program
* Introduces the concept of IA integrity levels and provides a complete
methodology
for
information security/IA throughout the life of a system
* Contains abundant practical how-to information, examples, templates, and
discussion problems
* Includes a glossary of acronyms and terms and a glossary of 80
techniques
* Summarizes the components, activities, and tasks of an effective program
“Today the vast majority of the world's information resides in, is derived from, and is
exchanged among multiple automated systems. Critical decisions are made, and
critical
action is taken based on information from these systems. Therefore, the
information must be
accurate, correct, and timely, and be manipulated, stored, retrieved, and
exchanged safely,
reliably, and securely. In a time when information is considered the latest
commodity,
information security should be top priority.
“A Practical Guide to Security Engineering and Information Assurance gives you
an
engineering approach to information security and information assurance (IA). The
book
examines the impact of accidental and malicious intentional action and inaction on
information security and IA. Innovative long-term vendor, technology, and
application-independent strategies show you how to protect your critical systems
and data
from accidental and intentional action and inaction that could lead to system failure
or
compromise.
“The author presents step-by-step, in-depth processes for defining information
security and
assurance goals, performing vulnerability and threat analysis, implementing and
verifying the
effectiveness of threat control measures, and conducting accident and incident
investigations. She explores real-world strategies applicable to all systems, from
small
systems supporting a home-based business to those of a multinational
corporation,
government agency, or critical infrastructure system.
“The information revolution has brought its share of risks. Exploring the synergy
between
security, safety, and reliability engineering, A Practical Guide to Security
Engineering and
Information Assurance consolidates and organizes current thinking about
information
security/IA techniques, approaches, and best practices. As this book will show
you, there is
considerably more to information security/IA than firewalls, encryption, and virus
protection. “
- - - - - - - -
- - -
“This book is a comprehensive yet practical guide to security engineering and the
broader
realm of information assurance (IA). This book fills an important gap in the
professional
literature. It is the first book to:
1. Examine the impact of both accidental and malicious intentional action
and
inaction
on information security and IA
2. Explore the synergy between security, safety, and reliability engineering
that is
the
essence of IA
3. Introduce the concept of IA integrity levels
4. Provide a complete methodology for security engineering and IA
throughout the
life of
a system
“The relationship between security engineering and IA and why both are needed is
explained.
Innovative long-term vendor, technology, and application-independent strategies
demonstrate
how to protect critical systems and data from accidental and intentional action and
inaction
that could lead to a system failure/compromise. These real-world strategies are
applicable to
all systems, from small systems supporting a home-based business to those of a
multinational corporation, government agency, or critical infrastructure system.
Step-by-step,
in-depth solutions take one from defining information security/IA goals through
performing
vulnerability/threat analyses, implementing and verifying the effectiveness of threat
control
measures, to conducting accident/incident investigations, whether internal,
independent,
regulatory, or forensic. A review of historical approaches to information security/IA
puts the
discussion in context for today's challenges. Extensive glossaries of information
security/IA
terms and 80 techniques are an added bonus.
“This book is written for engineers, scientists, managers, regulators, academics,
and
policy-makers responsible for information security/IA. Those who have to comply
with
Presidential Decision Directive (PDD-63), which requires all government agencies
to
implement an IA program and certify mission-critical systems by May 2003, will
find this
book especially useful.”
- - - - - - - -
- - -
TABLE OF CONTENTS
Introduction
Background
Purpose
Scope
Intended Audience
Organization
What is Information Assurance, How Does it Relate to Information Security, and
Why Are
Both Needed?
Definition
Application Domains
Technology Domains
Importance
Stakeholders
Summary
Discussion Problems
Historical Approaches to Information Security and Information Assurance
Physical Security
Communications Security (COMSEC)
Computer Security (COMPUSEC)
Information Security (INFOSEC)
Operations Security (OPSEC)
System Safety
System Reliability
Summary
Discussion Problems
Define the System Boundaries
Determine What is Being Protected and Why
Identify the System
Characterize System Operation
Ascertain What You Do/Do Not Have Control Over
Summary
Discussion Problems
Perform Vulnerability and Threat Analyses
Definitions
Select/Use IA Analysis Techniques
Identify Vulnerabilities, Their Type, Source, and Severity
Identify Threats, Their Type, Source, and Likelihood
Evaluate Transaction Paths, Critical Threat Zones, and Risk Exposure
Summary
Discussion Problems
Implement Threat Control Measures
Determine How Much Protection is Needed
Operational Procedures, In-Service Considerations, Controllability
Contingency Planning and Disaster Recovery
Perception Management
Select/Implement IA Design Features and Techniques
Summary
Discussion Problems
Verify Effectiveness of Threat Control Measures
Select/Employ IA Verification Techniques
Determine Residual Risk
Monitor Ongoing Risk Exposure, Responses, and Survivability
Summary
Discussion Problems
Conduct Accident/Incident Investigations
Introduction
Analyze Cause, Extent, and Consequences of Failure/Compromise
Initiate Short-term Recovery Mechanisms
Report Accident/Incident
Deploy Long-term Remedial Measures
Evaluate Legal Issues
Summary
Discussion Problems
Annex A - Glossary of Terms
Annex B - Glossary of Techniques
Annex C - Additional Resources
Annex D - Summary of the components, activities, and tasks of an effective
information
security/IA program
Index
- - - - - - - -
- - -
2002, 393 pages. Order #DR627.
- - - - - - - -
- - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104 USA
1-888-ROTHSTEin; (888.768.4783)
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
![[Home]](cat_home.gif)
![[Catalog]](cat_cat.gif)
![[Category]](cat_categ.gif)
![[Previous Item]](cat_back.gif)
![[Next Item]](cat_next.gif)
![[Checkout]](cat_chk.gif)
![[Review Cart]](cat_cart.gif)
![[Button]](cat_info.gif)
![[Button]](cat_bbb.gif)
![[Logo Image]](drchead.gif)
![[Item Image]](it190006.jpg)
