Muutke küpsiste eelistusi

Cybersecurity: Engineering a Secure Information Technology Organization New edition [Pehme köide]

4.67/5 (6 hinnangut Goodreads-ist)
(University of Detroit Mercy), (Oakland Community College)
  • Formaat: Paperback / softback, 512 pages, kõrgus x laius x paksus: 275x217x17 mm, kaal: 624 g
  • Ilmumisaeg: 29-Jan-2014
  • Kirjastus: Course Technology Inc
  • ISBN-10: 1285169905
  • ISBN-13: 9781285169903
Teised raamatud teemal:
  • Pehme köide
  • Hind: 131,58 €*
  • * saadame teile pakkumise kasutatud raamatule, mille hind võib erineda kodulehel olevast hinnast
  • See raamat on trükist otsas, kuid me saadame teile pakkumise kasutatud raamatule.
  • Kogus:
  • Lisa ostukorvi
  • Tasuta tarne
  • Lisa soovinimekirja
Cybersecurity: Engineering a Secure Information Technology Organization New editionSuurem pilt
  • Formaat: Paperback / softback, 512 pages, kõrgus x laius x paksus: 275x217x17 mm, kaal: 624 g
  • Ilmumisaeg: 29-Jan-2014
  • Kirjastus: Course Technology Inc
  • ISBN-10: 1285169905
  • ISBN-13: 9781285169903
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9781285169903.html
Software is essential and pervasive in the modern world, but software acquisition, development, operation, and maintenance can involve substantial risk, allowing attackers to compromise millions of computers every year. This groundbreaking book provides a uniquely comprehensive guide to software security, ranging far beyond secure coding to outline rigorous processes and practices for managing system and software lifecycle operations. The book opens with a comprehensive guide to the software lifecycle, covering all elements, activities, and practices encompassed by the universally accepted ISO/IEEE 12207-2008 standard. The authors then proceed document proven management architecture and process framework models for software assurance, such as ISO 21827 (SSE-CMM), CERT-RMM, the Software Assurance Maturity Model, and NIST 800-53. Within these models, the authors present standards and practices related to key activities such as threat and risk evaluation, assurance cases, and adversarial testing. Ideal for new and experienced cybersecurity professionals alike in both the public and private sectors, this one-of-a-kind book prepares readers to create and manage coherent, practical, cost-effective operations to ensure defect-free systems and software.
Preface xiii
Chapter 1 Lifecycle Management
1(22)
Lifecycle Management
2(12)
Why ICT Companies Need to Change the Way They Do Business
2(1)
The ICT Industry is Significantly Profitable and Globally Influential
3(1)
Business Realities versus Due Care
4(1)
The ICT Lifecycle: A Definition
5(1)
Implementing Best Practice using a Single Framework
6(2)
The Benefit of Standards
8(1)
The People Factor: The Role of Disciplined and Properly Motivated Performance
9(1)
Maintaining a Floor Capability
9(1)
Strategic Management of the Lifecycle
10(1)
Aligning the ICT Lifecycle with the Business Purpose
11(1)
Creating a Systematic Lifecycle Management Process
11(1)
Making Concrete Arrangements for Lifecycle Management
12(1)
Implementing a Company-Wide Process
12(1)
Factoring People into the Plan
13(1)
Oversight and Day-to-Day Lifecycle Management
13(1)
Lifecycle Management versus Assurance: A Distinction
13(1)
Summing up Lifecycle Management
14(1)
Adopting a Single Standard to Minimize ICT Defects
14(6)
Tailoring a Solution
18(1)
Summing up the ISO 12207 Standard
19(1)
Chapter Summary
20(1)
Key Terms
20(1)
Review Questions
20(1)
Case Project
21(2)
Chapter 2 The Agreement Processes
23(26)
System Lifecycle Processes: The Agreement Processes
24(1)
Establishing the Form of the Standard Lifecycle
24(1)
The Acquisition Process
25(12)
Overview of the Acquisition Process
26(3)
Detail of the Acquisition Process
29(8)
The Supply Process---The Other Side of the Coin
37(9)
Overview of the Supply Process
37(1)
Unique Elements of the Supply Process
37(1)
Responding to the Customer's Bid Request
38(1)
Negotiating the Contract from the Supplier Side
39(2)
Project Execution
41(1)
Oversight and Control
42(1)
Documenting Contract Compliance
42(1)
Product and Process Assurance
42(1)
Subcontractor Monitoring and Control
43(1)
Ensuring the Supply Chain
43(1)
Verification, Validation, and Testing
44(1)
Delivery and Acceptance
45(1)
Chapter Summary
46(1)
Key Terms
47(1)
Review Questions
47(1)
Case Project
48(1)
Chapter 3 Organizational Project-Enabling Processes
49(20)
Overview of Project-Enabling Processes
50(1)
Why Are Organizational Processes Important?
50(1)
Lifecycle Model Management Process (6.2.1)
51(3)
Lifecycle Model Management Activity 6.2.1.3.1: Process Establishment
52(1)
Lifecycle Model Management Activity 6.2.1.3.2: Process Assessment
53(1)
Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement
53(1)
Infrastructure Management Process (6.2.2)
54(3)
Infrastructure Management Activity 6.2.2.3.1: Process Implementation
56(1)
Infrastructure Management Activity 6.2.2.3.2: Establishment of the Infrastructure
57(1)
Infrastructure Management Activity 6.2.2.3.3: Maintenance of the Infrastructure
57(1)
Project Portfolio Management Process (6.2.3)
57(2)
Project Portfolio Management Activity 6.2.3.3.1: Project Initiation
58(1)
Project Portfolio Management Activity 6.2.3.3.2: Portfolio Evaluation
59(1)
Project Portfolio Management Activity 6.2.3.3.3: Project Closure
59(1)
Human Resource Management Process (6.2.4)
59(3)
Human Resource Management Activity 6.2.4.3.1: Skill Identification
61(1)
Human Resource Management Activity 6.2.4.3.2: Skill Development
61(1)
Human Resource Management Activity 6.2.4.3.3: Skill Acquisition and Provision
62(1)
Human Resource Management Activity 6.2.4.3.4: Knowledge Management
62(1)
Quality Management (6.2.5)
62(3)
Quality Management Activity 6.2.5.3.1: Quality Management
64(1)
Quality Management Activity 6.2.5.3.2: Quality Management Corrective Action
64(1)
Chapter Summary
65(1)
Key Terms
65(1)
Review Questions
66(1)
Case Project
67(2)
Chapter 4 Project Processes
69(24)
Overview of Project Processes
70(3)
Defining and Coordinating the Project
70(1)
Building the Project Team
71(1)
Organizing the Project
72(1)
The Project Processes of ISO 12207-2008
72(1)
The Project Planning Process (6.3.1)
73(2)
Project Initiation
73(1)
Project Planning
74(1)
Project Authorization and Launch
74(1)
The Project Assessment and Control Process (6.3.2)
75(2)
The Project Assessment and Control Activities
76(1)
The Decision Management Process (6.3.3)
77(3)
Decision Management Activities
78(2)
The Risk Management Process (6.3.4)
80(4)
Risk Management Activities
80(4)
The Configuration Management Process (6.3.5)
84(2)
Configuration Management Planning
85(1)
Configuration Management Execution
85(1)
The Information Management Process (6.3.6)
86(2)
Information Management Planning
86(1)
Information Management Execution
87(1)
The Measurement Process (6.3.7)
88(2)
Measurement Planning
88(1)
Measurement Performance
89(1)
Measurement Evaluation
89(1)
Chapter Summary
90(1)
Key Terms
91(1)
Review Questions
91(1)
Case Project
92(1)
Chapter 5 Technical Processes
93(24)
Overview of the Technical Process Group
94(1)
Development Processes of the Technical Process Group
94(1)
Stakeholder Requirements Definition
95(3)
Stakeholder Identification
95(1)
Stakeholder Requirements Identification
96(1)
Stakeholder Requirements Evaluation
97(1)
Stakeholder Requirements Agreement and Recording
97(1)
System Requirements Analysis
98(2)
Requirements Specification
99(1)
Requirements Evaluation
99(1)
The Architectural Design Process
100(1)
Establishing Architecture
100(1)
Architectural Evaluation
101(1)
The Implementation Process
101(1)
The Integration Process
101(1)
Integration
102(1)
Test Readiness
102(1)
The Qualification Testing Process
102(1)
Qualification Testing
103(1)
The Installation Process
103(1)
Software Installation
104(1)
The Acceptance Support Process
104(1)
Product Acceptance Support
104(1)
Technical Process Group: The ICT Operations Process
105(3)
Preparation for Operation
106(1)
Operation Activation and Check-Out
107(1)
Operational Use
107(1)
Customer Support
107(1)
Problem Resolution
108(1)
Technical Process Group: The ICT Maintenance Process
108(4)
Process Implementation
110(1)
Problem and Modification Analysis
110(1)
Implementing Modifications
110(1)
Maintenance Review and Acceptance
111(1)
Migration
111(1)
Technical Process Group: Disposal
112(1)
Disposal Planning
112(1)
Disposal Execution
113(1)
Chapter Summary
113(1)
Key Terms
114(1)
Review Questions
114(1)
Case Project
115(2)
Chapter 6 Software Implementation Process Group
117(18)
Overview of Software Implementation Process Group
118(3)
The Software Implementation Process (7.1.1)
121(2)
Detail of Software Implementation Process: Software Implementation Strategy
122(1)
The Software Requirements Analysis Process (7.1.2)
123(2)
Detail of Software Requirements Analysis Process
124(1)
The Software Architecture Design Process (7.1.3)
125(1)
Detail of Software Architecture Design Activity
126(1)
The Software Detailed Design Process (7.1.4)
126(3)
Detail of Software Detailed Design Activity
127(2)
The Software Construction Process (7.1.5)
129(1)
Detail of Software Construction Activity
129(1)
The Software Integration Process (7.1.6)
130(1)
Detail of Software Integration Activity
130(1)
Software Qualification Testing (7.1.7) s
131(1)
Detail of Software Qualification Testing
132(1)
Chapter Summary
132(1)
Key Terms
133(1)
Review Questions
133(1)
Case Project
134(1)
Chapter 7 Software Supporting Processes and Software Reuse
135(34)
Overview of the Software Supporting Process Group
136(1)
Software Documentation Management
136(3)
Process Implementation
138(1)
Design and Development
138(1)
Production
139(1)
Maintenance
139(1)
Software Configuration Management
139(4)
Who Participates in Configuration Management?
139(1)
What are the Roles?
140(1)
What is the Process?
140(1)
The Configuration Management Plan
141(1)
Process Implementation
142(1)
Configuration Identification
142(1)
Configuration Control
142(1)
Configuration Status Accounting
143(1)
Configuration Evaluation
143(1)
Release Management & Delivery
143(1)
Software Quality Assurance
143(5)
Organization of SQA Operations
144(1)
SQA: Overall Operation
144(1)
SQA Reporting
145(1)
Starting the SQA Program
145(1)
Overview of Steps: Software Quality Assurance
145(2)
Process Implementation
147(1)
Product Assurance
147(1)
Process Assurance
148(1)
Assurance of Quality Systems
148(1)
Verification
148(4)
Process Implementation
150(1)
Verification
151(1)
Validation
152(2)
Process Implementation
154(1)
Analyzing Test Results
154(1)
Software Review
154(3)
Process Implementation
156(1)
Project Management Reviews
156(1)
Technical Reviews
156(1)
The Audit Process
157(2)
Process Implementation
158(1)
Audit
159(1)
Problem Resolution
159(2)
Process Implementation
160(1)
Problem Resolution
160(1)
Reuse
161(4)
Domain Engineering
161(2)
Reuse Asset Management
163(1)
Reuse Program Management
164(1)
Chapter Summary
165(1)
Key Terms
166(1)
Review Questions
166(1)
Case Project
167(2)
Chapter 8 Standard Process Models for Securing ICT Organizations
169(24)
Underwriting Trust and Competence in ICT
170(3)
The Problems that Capability Models Address
170(1)
Putting Capability into Practice
171(1)
A Distinction: Why We Need to Build a Standard Infrastructure First
172(1)
Why Use a Process Capability Model?
173(1)
The History of Best Practice Models
173(2)
Early Models of the CMM and ISO 9000
173(1)
Expanding the Application of the CMM During the Late 1990s
174(1)
ISO 15408: The Common Criteria
174(1)
The 21st Century
174(1)
Families of Prominent Capability Models
174(1)
The Capability Maturity Model (CMM)
175(1)
Background of the CMM
175(1)
Evolution of the CMM
176(1)
Components of the CMM
176(13)
Maturity Levels of the CMM
177(2)
Key Process Areas (KPAs)
179(3)
Key Practices
182(1)
Common Features of KPAs
182(1)
Determining Capability: The CMM Assessment Process
183(3)
CMMI
186(2)
ISO 15504 (also known as the Security Engineering CMM)
188(1)
Chapter Summary
189(1)
Key Terms
190(1)
Review Questions
190(1)
Case Project
191(2)
Chapter 9 The Systems Security Engineering Capability Maturity Model (ISO 21827)
193(20)
Overview of the SSE-CMM
194(3)
Background: The SSE-CMM Collaboration
196(1)
Structure of the SSE-CMM/ISO 21827 Standard
197(1)
The Base Practices of the SSE-CMM
198(5)
Project and Organizational Base Practices
201(2)
Assuring an Organization's System Security Engineering Capability
203(2)
Architectural Components of the SSE-CMM
205(5)
Process Capability Assessment
205(2)
Process Capability Evaluations
207(1)
Determining Capability Using the SSE-CMM Assessment Model
208(1)
The SSE-CMM Assessment Process
209(1)
Using Targeted Assessments to Ensure Supplier Capability
209(1)
Chapter Summary
210(1)
Key Terms
210(1)
Review Questions
211(1)
Case Project
211(2)
Chapter 10 Software Assurance Maturity Model
213(18)
Overview of the Software Assurance Maturity Model
214(2)
Understanding the SAMM Framework
214(2)
Governance Business Function
216(3)
Strategy & Metrics Practice
217(1)
Policy & Compliance Practice
218(1)
Education & Guidance Practice
218(1)
Construction Business Function
219(1)
Threat Assessment Practice
219(1)
Security Requirements Practice
220(1)
Secure Architecture Practice
220(1)
Verification Business Function
220(2)
Design Review Practice
221(1)
Code Review Practice
222(1)
Security Testing Practice
222(1)
Deployment Business Function
222(2)
Vulnerability Management Practice
223(1)
Environment Hardening Practice
223(1)
Operational Enablement Practice
224(1)
Applying SAMM---Getting the Job Done
224(3)
Understanding the Maturity Levels
224(1)
SAMM Approach to Assessment
225(2)
Using Scorecards to Measure Success
227(1)
Chapter Summary
227(1)
Key Terms
228(1)
Review Questions
228(1)
Case Project
229(2)
Chapter 11 The Building Security In Maturity Model (BSIMM)
231(16)
Overview of the BSIMM
232(5)
The Study
232(2)
BSIMM4 in Context
234(3)
Governance Domain
237(1)
Strategy & Metrics Practice
237(1)
Compliance & Policy Practice
238(1)
Training Practice
238(1)
Intelligence Domain
238(1)
Attack Models Practice
239(1)
Security Features and Design Practice
239(1)
Standards and Requirements Practice
239(1)
SSDL Touchpoints Domain
239(2)
Architecture Analysis
240(1)
Code Review
240(1)
Security Testing
241(1)
Deployment Domain
241(3)
Penetration Testing
242(1)
Software Environment
242(1)
Configuration Management and Vulnerability Management
243(1)
Applying the BSIMM
244(0)
Key Lessons
244(1)
Chapter Summary
245(0)
Key Terms
245(1)
Review Questions
246(0)
Case Project
246(1)
Chapter 12 Aligning the ICT Organization with Regulatory Requirements
247(16)
Overview of Regulatory Models for ICT Organizations
248(3)
The Federal Information Security Act of 2002
248(3)
NIST 800-53 and General Implementation for FIPS 200
251(9)
Generic Security Controls
251(1)
NIST 800-53 Catalog of Baseline Controls
252(0)
Organizational Risk Management and NIST 800-53
252(1)
Practical Security Control Architectures
253(2)
Real-World Control Formulation and Implementation
255(1)
NIST 800-53 Control Baselines
256(2)
Six Feasibility Considerations for NIST 800-53
258(0)
Compensating Security Controls
258(2)
Chapter Summary
260(0)
Key Terms
260(0)
Review Questions
260(1)
Case Project
261(2)
APPENDIX A GPS/CDU Project for Wild Blue Yonder Technologies
263(8)
Company Overview
263(2)
COTS and GOTS
264(1)
Operations
265(0)
Data Collection, Metrics, and Tracking
265(0)
Structuring the Organization
265(2)
Organization Chart
266(1)
Specifics of the GPS/CDU Project
267(4)
Resource Requirements
268(1)
Project Characteristics
269(1)
Additional Considerations
270(1)
Glossary 271(4)
Index 275
Dan Shoemaker is a professor and senior research scientist at the Center for Cyber Security and Intelligence Studies--a National Security Agency (NSA) Center of Academic Excellence--at the University of Detroit Mercy (UDM). He also served as chair of the Computer and Information Systems Department at UDM for 25 years and holds a visiting appointment at London South Bank University. Dr. Shoemaker is co-chair of the Software Assurance Workforce Training and Education working group within the Department of Homeland Security's National Cybersecurity Division (NCSD). He has also served the NCSD as a member of the working group that developed its Essential Body of Knowledge, and as an expert panelist on three national working groups. A prolific author, Dr. Shoemaker is one of three domain editors for the Software Assurance Common Body of Knowledge. He lectures internationally on cybersecurity, information assurance, and software engineering topics, and he founded the International Cybersecurity Education Coalition (ICSEC) to connect higher education institutions and expand teaching of standard information assurance curricula throughout the Midwest. Dr. Shoemaker is the recipient of the Michigan Homeland Security annual Statewide award for Educators (2007). Ken Sigler has been a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills, Michigan, campus of Oakland Community College (OCC) since 2001, and he has served as department chair since 2011. His primary research interests include software management, software assurance, and cloud computing, and he developed the college's CIS program option Information Technologies for Homeland Security." As a founding member of the International Cybersecurity Education Coalition (ICSEC), Sigler served as a liaison between the coalition and OCC, and he continues to act as post-secondary liaison to the articulations program with school districts across Oakland County. In this capacity, he developed a 2+2+2 Information Security Education process to shepherd students from information security coursework at the secondary level, through a four-year articulated program, and into careers in information security at a federal agency. Mr. Sigler is a member of IEEE, the Distributed Management Task Force (DMTF), and the Association for Information Systems (AIS)."