Contents

Each entry gives the starting page, followed in parentheses by the number of pages the entry spans (the counts are consistent with the page numbers: Part 1 occupies pages 1-166, Part 2 starts at 167, and so on). Entries whose heading did not survive extraction are marked "[heading missing]"; only the page data is known for them.

Foreword  xv
Preface  xvii
  Benefits  xvii
  The Evolution of Information Security  xvii
  Information Security Literature  xviii
  How to Use This Book  xviii
  About the SABSA® Model  xx
  Relationship to Other Methods, Models and Standards  xxi
  And Finally  xxi
Acknowledgements  xxiii

[heading missing]  1 (166)
  [heading missing]  2 (1)
  [heading missing]  3 (14)
    The Cultural Legacy: Business Prevention  3 (1)
    Measuring and Prioritising Business Risk  4 (1)
    Information Security as the Enabler of Business  5 (5)
    Adding Value to the Core Product  10 (2)
    [heading missing]  12 (2)
    Protecting Relationships and Leveraging Trust  14 (2)
    To Summarise: What Does 'Security' Mean?  16 (1)
  The Meaning of Architecture  17 (16)
    The Origins of Architecture  17 (1)
    [heading missing]  18 (1)
    Information Systems Architecture  19 (4)
    Enterprise Security Architecture  23 (2)
    Why Architectures Sometimes Fail to Deliver Benefit - and How to Avoid that Fate  25 (4)
    Security Architecture Needs a Holistic Approach  29 (1)
    To Summarise: What Does Architecture Mean?  30 (3)
  Security Architecture Model  33 (12)
    [heading missing]  33 (4)
    [heading missing]  37 (1)
    [heading missing]  38 (1)
    [heading missing]  38 (1)
    [heading missing]  39 (1)
    The Facilities Manager's View  40 (1)
    [heading missing]  40 (1)
    [heading missing]  41 (1)
    Detailed SABSA® Matrix for the Operational Layer  42 (1)
    To Summarise: The Security Architecture Model  43 (2)
  [heading missing]  45 (10)
    Intergalactic Banking and Financial Services Inc  45 (1)
    [heading missing]  46 (8)
    [heading missing]  54 (1)
  [heading missing]  55 (24)
    The Role of Systems Engineering  55 (1)
    [heading missing]  56 (1)
    What Does the Systems Approach Make You Do?  57 (1)
    The Need for Systems Engineering in Security Architectures  58 (1)
    [heading missing]  59 (2)
    The Control System Concept  61 (1)
    Using the Systems Approach in Security Architecture  62 (1)
    [heading missing]  63 (5)
    Advanced Modelling Techniques  68 (9)
    To Summarise: A Systems Approach  77 (2)
  Measuring Return on Investment in Security Architecture  79 (32)
    What Is Meant by 'Return on Investment'?  79 (1)
    [heading missing]  80 (1)
    The Security Management Dashboard  81 (2)
    The Balanced Scorecard Approach  83 (4)
    Business Drivers and Traceability  87 (2)
    Business Attributes and Metrics  89 (9)
    Setting Up a Metrics Framework  98 (2)
    Maturity Models Applied to Security Architecture  100 (11)
  Using This Book as a Practical Guide  111 (26)
    Using the SABSA® Model to Define a Development Process  112 (1)
    Strategy and Concept Phase  113 (5)
    [heading missing]  118 (13)
    [heading missing]  131 (2)
    [heading missing]  133 (1)
    To Summarise: How to Use This Book as a Practical Guide  134 (3)
  Managing the Security Architecture Programme  137 (30)
    Selling the Benefits of Security Architecture  139 (9)
    Getting Sponsorship and Budget  148 (1)
    [heading missing]  149 (3)
    Getting Started: Fast Track™ Workshops  152 (4)
    Programme Planning and Management  156 (1)
    Collecting the Information You Need  156 (5)
    Getting Consensus on the Conceptual Architecture  161 (1)
    Architecture Governance and Compliance  162 (1)
    [heading missing]  163 (1)
    Long-Term Confidence of Senior Management  164 (1)
    To Summarise: Managing the Security Architecture Programme  165 (2)

Part 2: Strategy and Planning  167 (118)
  [heading missing]  168 (1)
    Contextual Security Architecture  168 (1)
    Conceptual Security Architecture  168 (1)
  Contextual Security Architecture  169 (48)
    Business Needs for Information Security  170 (1)
    Security As a Business Enabler  170 (3)
    [heading missing]  173 (5)
    Operational Continuity and Stability  178 (5)
    Safety-Critical Dependencies  183 (2)
    Business Goals, Success Factors and Operational Risks  185 (3)
    Operational Risk Assessment  188 (21)
    Business Processes and Their Need for Security  209 (2)
    Organisation and Relationships Affecting Business Security Needs  211 (1)
    Location Dependence of Business Security Needs  212 (1)
    Time Dependency of Business Security Needs  213 (1)
    To Summarise: Contextual Security Architecture  214 (3)
  Conceptual Security Architecture  217 (68)
    [heading missing]  218 (1)
    Business Attributes Profile  218 (1)
    [heading missing]  219 (1)
    Security Strategies and Architectural Layering  220 (34)
    Security Entity Model and Trust Framework  254 (12)
    [heading missing]  266 (9)
    Security Lifetimes and Deadlines  275 (8)
    Assessing the Current State of your Security Architecture  283 (1)
    To Summarise: Conceptual Security Architecture  283 (2)

[heading missing]  285 (122)
  [heading missing]  286 (1)
    Logical Security Architecture  286 (1)
    Physical Security Architecture  286 (1)
    Component Security Architecture  287 (2)
  Logical Security Architecture  289 (42)
    Business Information Model  290 (2)
    [heading missing]  292 (2)
    [heading missing]  294 (15)
    Application and System Security Services  309 (4)
    Security Management Services  313 (7)
    Entity Schema and Privilege Profiles  320 (3)
    Security Domain Definitions and Associations  323 (5)
    Security Processing Cycle  328 (1)
    Security Improvements Programme  329 (1)
    To Summarise: Logical Security Architecture  329 (2)
  Physical Security Architecture  331 (46)
    [heading missing]  332 (9)
    Security Rules, Practices and Procedures  341 (1)
    [heading missing]  342 (19)
    User and Application Security  361 (3)
    Platform and Network Infrastructure Security  364 (10)
    Control Structure Execution  374 (1)
    To Summarise: Physical Security Architecture  375 (2)
  Component Security Architecture  377 (30)
    [heading missing]  377 (4)
    [heading missing]  381 (9)
    Security Products and Tools  390 (2)
    Identities, Functions, Actions and ACLs  392 (8)
    Processes, Nodes, Addresses and Protocols  400 (5)
    Security Step-Timing and Sequencing  405 (1)
    To Summarise: Component Security Architecture  405 (2)

[heading missing]  407 (154)
  [heading missing]  407 (1)
    Operational Security Architecture  407 (1)
    [heading missing]  407 (2)
  Security Policy Management  409 (26)
    The Meaning of Security Policy  409 (1)
    Structuring the Content of a Security Policy  410 (1)
    Policy Hierarchy and Architecture  411 (2)
    Corporate Security Policy  413 (1)
    [heading missing]  414 (2)
    Information Classification  416 (1)
    [heading missing]  417 (2)
    CA and RA Security Policies  419 (1)
    Application System Security Policies  420 (2)
    Platform Security Policies  422 (1)
    Network Security Policies  422 (1)
    Other Infrastructure Security Policies  423 (1)
    Security Organisation and Responsibilities  423 (4)
    Security Culture Development  427 (2)
    Outsourcing Strategy and Policy Management  429 (4)
    [heading missing]  433 (2)
  Operational Risk Management  435 (50)
    Introduction to Operational Risk Management  435 (4)
    Regulatory Drivers for Operational Risk Management  439 (7)
    The Complexity of Operational Risk Management  446 (5)
    Approaches to Risk Assessment  451 (4)
    Managing Operational Risk  455 (11)
    [heading missing]  466 (1)
    Risk-Based Security Reviews  467 (9)
    [heading missing]  476 (4)
    The Risk Management Dashboard  480 (2)
    [heading missing]  482 (3)
  [heading missing]  485 (26)
    Assurance of Operational Continuity  485 (2)
    Organisational Security Audits  487 (5)
    [heading missing]  492 (2)
    System Assurance Strategy  494 (6)
    [heading missing]  500 (7)
    [heading missing]  507 (3)
    [heading missing]  510 (1)
  Security Administration and Operations  511 (50)
    Introduction to Security Management and Administration  512 (2)
    [heading missing]  514 (3)
    Managing Physical and Environmental Security  517 (1)
    Managing ICT Operations and Support  518 (20)
    Access Control Management  538 (4)
    [heading missing]  542 (3)
    Security-Specific Operations  545 (1)
    Managed Security Services  546 (2)
    Product Evaluation and Selection  548 (2)
    Business Continuity Management  550 (8)
    [heading missing]  558 (3)

Appendix A: List of Acronyms  561 (8)
Index  569