Muutke küpsiste eelistusi

Information Assurance Architecture [Pehme köide]

  • Formaat: Paperback / softback, 624 pages, kõrgus x laius: 234x156 mm, kaal: 453 g
  • Ilmumisaeg: 23-Sep-2019
  • Kirjastus: CRC Press
  • ISBN-10: 0367387174
  • ISBN-13: 9780367387174
Teised raamatud teemal:
Information Assurance ArchitectureSuurem pilt
  • Formaat: Paperback / softback, 624 pages, kõrgus x laius: 234x156 mm, kaal: 453 g
  • Ilmumisaeg: 23-Sep-2019
  • Kirjastus: CRC Press
  • ISBN-10: 0367387174
  • ISBN-13: 9780367387174
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9780367387174.html
Märksõnad:

Now that information has become the lifeblood of your organization, you must be especially vigilant about assuring it. The hacker, spy, or cyber-thief of today can breach any barrier if it remains unchanged long enough or has even the tiniest leak. In Information Assurance Architecture, Keith D. Willett draws on his over 25 years of technical, security, and business experience to provide a framework for organizations to align information assurance with the enterprise and their overall mission.





The Tools to Protect Your Secrets from Exposure



This work provides the security industry with the know-how to create a formal information assurance architecture that complements an enterprise architecture, systems engineering, and the enterprise life cycle management (ELCM). Information Assurance Architecture consists of a framework, a process, and many supporting tools, templates and methodologies. The framework provides a reference model for the consideration of security in many contexts and from various perspectives; the process provides direction on how to apply that framework. Mr. Willett teaches readers how to identify and use the right tools for the right job. Furthermore, he demonstrates a disciplined approach in thinking about, planning, implementing and managing security, emphasizing that solid solutions can be made impenetrable when they are seamlessly integrated with the whole of an enterprise.





Understand the Enterprise Context



This book covers many information assurance subjects, including disaster recovery and firewalls. The objective is to present security services and security mechanisms in the context of information assurance architecture, and in an enterprise context of managing business risk. Anyone who utilizes the concepts taught in these pages will find them to be a valuable weapon in the arsenal of information protection.



Examining the importance of aligning computer security (information assurance) with the goals of an organization, this book gives security personnel direction as to how systems should be designed, the process for doing so, and a methodology to follow. By studying this book, readers will acquire the skills necessary to develop a security architecture that serves specific needs. They will come to understand distinctions amongst engineering architecture, solutions architecture, and systems engineering. The book also shows how the Zachman and the Federal Enterprise Architecture models can be used together to achieve the goals of a business or government agency.
Author's Note xxiii
Preface xxvii
Acknowledgments xxix
SECTION I IA2
1 Foundational Concepts for IA2
3(10)
1.1 Introduction
3(1)
1.2 Objective
4(1)
1.3 Foundations of Successful Architecture
5(6)
1.3.1 Architecture Terminology
6(1)
1.3.1.1 Enterprise Architecture and Systems Architecture
7(1)
1.3.2 Information Assurance: A Working Definition
8(1)
1.3.2.1 Mission Integrity versus Mission Entropy
9(1)
1.3.2.2 Melding Architecture and Information Assurance
9(1)
1.3.3 Systems Engineering
10(1)
1.4 Ontologies, Taxonomies, and Hierarchies
11(1)
1.5 Context and Perspective
11(1)
1.6 Identify, Enumerate, Articulate, and Address
11(1)
1.7 Summary and Conclusion
12(1)
2 The IA2 Framework
13(36)
2.1 Introduction
13(1)
2.2 Objectives
14(1)
2.3 IA2 Framework Details
15(3)
2.4 IA2 Architectural Drivers
18(3)
2.4.1 Business Drivers
18(2)
2.4.2 Technical Drivers
20(1)
2.5 IA2 Views
21(6)
2.5.1 People
21(2)
2.5.2 Policy
23(1)
2.5.3 Business Process
23(1)
2.5.4 Systems and Applications
24(1)
2.5.5 Information or Data
25(1)
2.5.6 Infrastructure
25(1)
2.5.7 Intraorganizational/Interorganizational
26(1)
2.6 IA Core Principles
27(2)
2.7 IA2 Principles
29(1)
2.8 IA Compliance Requirements
30(3)
2.9 Aligning IA with ELCM
33(5)
2.9.1 Concept
35(1)
2.9.2 Architect
35(1)
2.9.3 Engineer
35(1)
2.9.4 Acquire/Develop
35(1)
2.9.5 Implement
36(1)
2.9.6 Test
36(1)
2.9.7 Deploy
36(1)
2.9.8 Train
37(1)
2.9.9 Operate and Maintain
37(1)
2.9.10 Retire
37(1)
2.10 IA2 Compliance Verification
38(2)
2.10.1 IA Compliance Verification: A Sample Resource
38(1)
2.10.2 IA Operations Cycle
38(2)
2.11 I A2 Line of Sight
40(8)
2.11.1 Business Requirements
41(1)
2.11.2 [ IA] Architecture
42(1)
2.11.3 [ IA] Concept of Operations (CONOPS)
42(1)
2.11.4 [ IA] Portfolio Management (PfM)
42(1)
2.11.5 [ IA] Enterprise Systems Engineering
43(1)
2.11.6 [ IA] Design
43(1)
2.11.7 IA Services
44(1)
2.11.8 IA Mechanisms
44(1)
2.11.9 Vendor Selection
44(1)
2.11.10 Product Selection
45(1)
2.11.11 Implementation
45(1)
2.11.12 Operations and Maintenance
45(1)
2.11.13 IA2 Implementation Taxonomy
46(1)
2.11.13.1 IA2 Implementation Taxonomy Examples
46(2)
2.12 Conclusion and Commentary
48(1)
3 The IA2 Process
49(20)
3.1 Introduction
49(1)
3.2 Objectives
50(1)
3.3 The IA2 Process
50(17)
3.3.1 Articulate the Intent
51(1)
3.3.1.1 Define What the Solution Is and What It Is for
51(6)
3.3.1.2 Commentary
57(1)
3.3.2 Define the Environment
57(1)
3.3.2.1 Define Where the Solution Resides
57(1)
3.3.2.2 Environment as Seen from the IA2F Views
58(1)
3.3.3 Define the Scope
58(1)
3.3.3.1 Establish the Connection of the Solution to Strategic Goals
58(4)
3.3.4 Identify Inputs to the IA2 (Influences and Dependencies)
62(1)
3.3.4.1 Define What You Need to Know
62(1)
3.3.5 Discovery of As-Is (Current Organizational Posture)
62(1)
3.3.5.1 Document the Current State
62(1)
3.3.6 Analysis
63(1)
3.3.6.1 Evaluate the Current State
63(1)
3.3.7 Identify Outputs
64(1)
3.3.7.1 Define Expected Outcomes
64(2)
3.3.8 Produce Outputs
66(1)
3.3.8.1 Produce Expected Outcomes
66(1)
3.3.9 Summary of IA2 Process Phases
67(1)
3.4 Conclusion and Commentary
67(2)
4 IA Quantification
69(22)
4.1 Introduction
69(1)
4.2 Objectives
70(1)
4.3 IA Quantification Framework (IAQF)
70(12)
4.3.1 IA Quantification: Stakeholder Perspective
71(1)
4.3.1.1 Audience Dependent
72(1)
4.3.1.2 Spam Blocking Example
72(1)
4.3.1.3 Strategic Interests
72(1)
4.3.1.4 Tactical Interests
73(1)
4.3.1.5 IA Quantification Terms
73(1)
4.3.2 IA Quantification: Asset/Target Perspective
74(1)
4.3.2.1 Financial (Currency Measurement)
74(1)
4.3.2.2 Development (Quality Measurement)
75(1)
4.3.2.3 Operational (Functional Parameter Measurement)
75(1)
4.3.2.4 Risk Management (Standard Risk Assessment Quantification)
75(1)
4.3.2.5 Attack Modeling
75(1)
4.3.3 Attack Modeling: An Example
76(1)
4.3.4 IA Quantification: Vulnerability
76(1)
4.3.5 IA Quantification: Threat Perspective
77(1)
4.3.5.1 Threat Probability Assessment (TPA)
77(4)
4.3.5.2 Deductive Approach
81(1)
4.3.5.3 Inductive Approach
82(1)
4.4 IA Quantification Process (IAQP)
82(5)
4.4.1 Narrative
83(1)
4.4.2 Parameters
83(1)
4.4.3 Quantification
84(1)
4.4.4 Discovery
85(1)
4.4.5 Analysis
86(1)
4.4.6 Report
86(1)
4.4.7 Feedback
86(1)
4.5 Conclusion and Commentary
87(4)
SECTION II APPLIED IA2
5 Organizational Views of IA
91(32)
5.1 Introduction
91(1)
5.2 Objectives
91(1)
5.3 The Message of IA to the Organization
92(2)
5.3.1 OCF Layer Relationships
94(1)
5.4 Governance and IA
94(12)
5.4.1 The Scope of Risk Governance, Management, and Assessment
97(2)
5.4.2 Guiding Risk Analysis with Threat Assessments
99(1)
5.4.2.1 Threat Probability Assessment
99(3)
5.4.2.2 Intelligent Resource Allocation
102(1)
5.4.3 Scope of Control
103(1)
5.4.4 E-Insurance
103(3)
5.5 Management and IA
106(7)
5.5.1 Employment Practices and Policies
108(1)
5.5.1.1 Pre-Employment
109(1)
5.5.1.2 Post-Employment
109(1)
5.5.1.3 Employee Monitoring
109(1)
5.5.1.4 Employee Evaluation
110(1)
5.5.1.5 Employee Termination
110(1)
5.5.1.6 Employee References
110(1)
5.5.1.7 Commentary
110(1)
5.5.2 Compliance Management Program
110(1)
5.5.2.1 Compliance Assessment Process
111(2)
5.5.2.2 Security Policies
113(1)
5.6 Builders and IA
113(1)
5.7 Operations and IA
114(1)
5.8 Users and IA
115(1)
5.9 Leadership and IA
115(6)
5.9.1 Personal Development
116(1)
5.9.2 Championing IA Outside the IA Environment
117(1)
5.9.3 Perception Management
117(1)
5.9.3.1 Accommodate the People Factor in IA Perception
117(1)
5.9.4 Ethical Decision Making
118(1)
5.9.4.1 The Ethics Message
118(1)
5.9.5 Vendor Relations
119(1)
5.9.5.1 Vendor Roles in the IA
119(1)
5.9.5.2 Vendor and Product Selection
119(1)
5.9.6 Problem Solving
120(1)
5.9.6.1 When Things Go Right
120(1)
5.9.6.2 When Things Go Awry
120(1)
5.9.6.3 Problem-Solving Influence on IA2F
121(1)
5.10 Commentary and Conclusion
121(2)
6 IA Business Drivers
123(18)
6.1 Introduction
123(1)
6.2 Objectives
124(1)
6.3 IA Requirements Engineering and Compliance Management
124(3)
6.3.1 IA Compliance Requirements Engineering
126(1)
6.4 IA Requirements Engineering and SE
127(9)
6.4.1 Business Process Decomposition
130(2)
6.4.2 Systemic Decomposition
132(2)
6.4.3 Domain Functional-Isolation Requirements Engineering
134(2)
6.5 Requirements Traceability
136(3)
6.6 Conclusion and Commentary
139(2)
7 IA Technical Drivers
141(12)
7.1 Introduction
141(1)
7.2 Objectives
141(1)
7.3 IA2 Technology Drivers
142(1)
7.4 Wireless Networks: An Example
143(4)
7.4.1 Definitions
143(1)
7.4.2 Security Concerns
144(1)
7.4.3 Policy
144(1)
7.4.3.1 Corporate Perspective
144(1)
7.4.3.2 Employee Perspective
145(1)
7.4.4 Practice
145(1)
7.4.5 IA2 Perspective
146(1)
7.5 Communications (Voice and Data): An Example
147(4)
7.5.1 Traditional Communications
147(1)
7.5.2 Emerging Communications
147(3)
7.5.3 Communications Influence on the IA2 F
150(1)
7.5.3.1 Voice Communications
150(1)
7.5.3.2 Data Communications
150(1)
7.5.3.3 Convergence
150(1)
7.6 Conclusion and Commentary
151(2)
8 IA2: Context of IA Services
153(72)
8.1 Introduction
153(1)
8.2 Objectives
153(1)
8.3 IA Services
154(6)
8.3.1 Defense-in-Depth Perspective
154(3)
8.3.2 Exogenous View of Defense-in-Depth
157(1)
8.3.3 Endogenous View of Defense-in-Depth
158(1)
8.3.3.1 Physical
158(1)
8.3.3.2 Data State
159(1)
8.3.3.3 IA Operations Cycle
159(1)
8.4 IA Compliance Management Program
160(3)
8.4.1 Compliance Assessment
161(1)
8.4.1.1 Compliance Assessment: Subjective
161(1)
8.4.1.2 Compliance Assessment: Objective (Quantification)
162(1)
8.4.2 IA2 Perspective
163(1)
8.5 IA Assessment and Audit
163(5)
8.5.1 Audit Perspective
164(1)
8.5.2 Audit Process
165(1)
8.5.2.1 Audit Trigger Events
165(1)
8.5.2.2 Audit Notification
165(1)
8.5.2.3 Audit Responsibilities and Performance
166(1)
8.5.2.4 Reporting Results
166(1)
8.5.2.5 Organizational Feedback
166(1)
8.5.3 Sarbanes-Oxley: An Audit and Assessment Example
167(1)
8.5.4 Commentary
167(1)
8.6 Policy Management
168(8)
8.6.1 Security Policies
168(1)
8.6.1.1 Roles and Responsibilities
169(2)
8.6.1.2 Policy Drivers
171(1)
8.6.1.3 Commentary
171(1)
8.6.1.4 Policy Examples: E-Mail and Internet Appropriate Use
171(1)
8.6.1.5 Policy Details
172(1)
8.6.1.6 Policy Enforcement
173(1)
8.6.2 Using Social Psychology to Enforce Policies
173(1)
8.6.2.1 Audience Framing and Message Delivery
174(1)
8.6.2.2 Commentary
175(1)
8.7 Security Education, Training, and Awareness Management
176(4)
8.7.1 Security Education, Training, and Awareness (SETA) Policy
177(1)
8.7.2 SETA Architecture
178(1)
8.7.3 SETA Deployment
179(1)
8.7.4 Commentary
179(1)
8.7.5 Effectiveness Metrics (Tracking)
179(1)
8.8 Privacy
180(4)
8.8.1 Privacy Qualifiers
181(1)
8.8.2 Compliance Requirements
181(1)
8.8.2.1 External Privacy Qualifiers
181(1)
8.8.2.2 Internal Privacy Qualifiers
182(1)
8.8.3 Privacy IA2 Perspective
182(1)
8.8.4 Censorship
183(1)
8.8.5 Censorship IA2 Perspective
183(1)
8.9 Enterprise Operations Management: IA Context
184(4)
8.9.1 Network Management
184(2)
8.9.1.1 Network Management Services
186(1)
8.9.1.2 Network Management Mechanics
186(1)
8.9.1.3 Network Management and IA2
187(1)
8.9.2 Operations Security Management
187(1)
8.10 Computer Security Incident Response Team (CSIRT)
188(6)
8.10.1 Compliance Requirements
190(1)
8.10.2 CSIR Policy
190(2)
8.10.3 Practice
192(1)
8.10.4 Best Practices
192(1)
8.10.5 IA2 Perspective
192(2)
8.11 Vulnerability Management
194(3)
8.11.1 Vulnerability Assessments
194(1)
8.11.1.1 Deliverables
195(1)
8.11.1.2 Deliverable Format and Content
196(1)
8.11.2 Patch Management
196(1)
8.11.3 I A2 Perspective
197(1)
8.12 Digital Forensics
197(4)
8.12.1 Business Drivers
198(1)
8.12.2 Compliance Requirements
198(1)
8.12.2.1 Legislation
198(1)
8.12.2.2 RFP
198(1)
8.12.2.3 CONOPS
198(1)
8.12.2.4 Policy
199(1)
8.12.3 Policy
199(1)
8.12.4 Practice
199(1)
8.12.5 Best Practices
199(1)
8.12.6 IA2 Perspective
200(1)
8.12.7 Commentary
201(1)
8.13 Business Impact Assessment
201(5)
8.13.1 Compliance Requirements
202(1)
8.13.2 Policy
202(1)
8.13.3 Practice
202(2)
8.13.4 Best Practices
204(1)
8.13.5 BIA Deliverables
205(1)
8.13.6 IA2 Perspective
205(1)
8.13.7 Commentary
205(1)
8.14 Business Continuity Management
206(6)
8.14.1 Compliance Requirements
207(1)
8.14.2 Policy
207(1)
8.14.3 Practice
208(1)
8.14.4 Best Practices
209(1)
8.14.5 COOP: Determining Priorities
209(2)
8.14.6 IA2 Perspective
211(1)
8.15 Disaster Recovery Planning (DRP) and Disaster Recovery Management (DRM)
212(6)
8.15.1 Compliance Requirements
212(1)
8.15.2 Policy
213(1)
8.15.3 Practice
213(1)
8.15.3.1 Hot Site Solution: Dedicated
214(1)
8.15.3.2 Warm Site Solution: Shared (Warm)
214(1)
8.15.3.3 Cold Site Solution
214(1)
8.15.3.4 Development Environment
214(1)
8.15.3.5 Reciprocal Agreement
214(1)
8.15.3.6 Reserve System
215(1)
8.15.3.7 Commercial Service
215(1)
8.15.4 IA2 Perspective
216(1)
8.15.5 Commentary
217(1)
8.16 Backup and Recovery
218(5)
8.16.1 Business/Technical Drivers
219(1)
8.16.2 Compliance Requirements
219(1)
8.16.3 Policy
219(1)
8.16.4 Practice
219(1)
8.16.4.1 Strategy
220(1)
8.16.4.2 Tactics
221(1)
8.16.5 Best Practices
221(2)
8.16.6 IA2 Perspective
223(1)
8.16.7 Commentary
223(1)
8.17 Security Controls
223(1)
8.18 Conclusion and Commentary
224(1)
9 IA2: Context of IA Mechanisms
225(54)
9.1 Introduction
225(1)
9.2 Objectives
226(1)
9.3 IA2 Context of IA Mechanisms
226(3)
9.3.1 Applied IA2
229(1)
9.4 Organizational Context of IA Mechanisms
229(4)
9.5 Security Standards
233(4)
9.5.1 Homogeneous versus Heterogeneous IA bnvironments
233(1)
9.5.2 Applied IA2 Summary
234(1)
9.5.3 Standards in the IA2 Process: An Example
235(2)
9.6 Anti-Malware
237(5)
9.6.1 Applied IA2: Anti-Malware
237(1)
9.6.1.1 Anticipate
238(1)
9.6.1.2 Defend
238(1)
9.6.1.3 Monitor
238(1)
9.6.1.4 Respond
238(1)
9.6.2 Anti-Spam: An Anti-Malware Mechanism
239(1)
9.6.2.1 Policy
239(1)
9.6.2.2 Practice
240(1)
9.6.2.3 IA2 Perspective
240(2)
9.7 Firewalls
242(5)
9.7.1 Applied IA2: Firewalls
244(3)
9.8 Intrusion Detection Systems
247(3)
9.8.1 Applied IA2: IDS
248(1)
9.8.2 Policy
248(1)
9.8.3 Practice
249(1)
9.8.4 Best Practices
249(1)
9.8.5 IA2 Perspective
249(1)
9.8.5.1 Security Service and Mechanism Aggregation
250(1)
9.9 Honey pots
250(3)
9.9.1 Policy
251(1)
9.9.2 Best Practices
251(2)
9.9.3 IA2 Perspective
253(1)
9.9.4 Commentary
253(1)
9.10 Public Key Infrastructure (PKI) and Certificate Authority (CA)
253(3)
9.10.1 Applied IA2 Summary
254(1)
9.10.1.1 PKI Models (Trust Models)
254(2)
9.11 OS Security
256(4)
9.11.1 Applied IA2: OS Mechanistic IA Configurations
257(2)
9.11.2 Commentary
259(1)
9.12 Identity and Privilege Management
260(3)
9.12.1 Applied IA2: Identity and Privilege Management Capability
260(3)
9.12.2 Commentary
263(1)
9.13 Protecting the Information Infrastructure
263(2)
9.13.1 Applied IA2: Protecting the Information Infrastructure Capability
263(2)
9.14 Local Area Networks
265(3)
9.14.1 Applied IA2: LAN Protection Capability
265(3)
9.15 Cryptography
268(4)
9.15.1 Applied IA2: Cryptography Capability
269(1)
9.15.1.1 Business Requirements
269(2)
9.15.1.2 Cryptographic Services and Mechanisms: A Brief Example
271(1)
9.15.1.3 Cryptographic Influence on the IA2 F
271(1)
9.16 E-Commerce Safeguards
272(3)
9.16.1 Applied IA2: E-Commerce Safeguard Capability
273(1)
9.16.2 Health Care E-Commerce Example
274(1)
9.17 Development Quality Assurance
275(2)
9.17.1 Applied IA2: DQA Capability
276(1)
9.18 Commentary and Conclusion
277(2)
10 Aligning IA2 and EA Standards
279(24)
10.1 Introduction
279(1)
10.2 Objectives
280(1)
10.3 Federal Enterprise Architecture (FEA): An Introduction
280(9)
10.3.1 FEA Reference Models
282(1)
10.3.1.1 Performance Reference Model
282(1)
10.3.1.2 Business Reference Model
283(1)
10.3.1.3 Service Component Reference Model
283(1)
10.3.1.4 Technical Reference Model
284(1)
10.3.1.5 Data Reference Model
285(1)
10.3.2 IA2 Alignment with FEA RMs
285(1)
10.3.2.1 IA2 Alignment with PRM
285(1)
10.3.2.2 IA2 Alignment with BRM
286(1)
10.3.2.3 IA2 Alignment with SRM
286(1)
10.3.2.4 IA2 Alignment with TRM
287(1)
10.3.2.5 IA2 Alignment with DRM
287(1)
10.3.2.6 IA2 Alignment Deliverables
288(1)
10.3.3 FEA Security and Privacy Profile
288(1)
10.4 DoDAF Products Overview
289(1)
10.5 A List of EA Frameworks
289(1)
10.5.1 Enterprise Architecture Organizations
289(1)
10.6 Commentary
289(14)
SECTION III IA2 ENTERPRISE CONTEXT
11 The Framework Perspective
303(12)
11.1 Introduction
303(1)
11.2 Frameworks as Decision Support Tools
304(3)
11.2.1 Decision Making
305(1)
11.2.2 Change
305(1)
11.2.3 Simple System
306(1)
11.2.4 Business versus Technical Perspectives
307(1)
11.3 Organizational Structure Context Framework
307(8)
11.3.1 Governance Frameworks
308(1)
11.3.2 Management Frameworks
308(1)
11.3.3 Builder Frameworks
309(1)
11.3.4 Operations Frameworks
310(1)
11.3.5 User Frameworks
310(1)
11.3.6 Leadership Frameworks
311(1)
11.3.7 How to Use Frameworks
312(1)
11.3.8 IA2 Perspective of the Frameworks
312(3)
12 The Frameworks
315(22)
12.1 Introduction
315(1)
12.2 Objectives
316(1)
12.3 Enterprise Context Framework
316(3)
12.4 Enterprise Perspective of IA Framework
319(2)
12.5 Innovation Framework
321(1)
12.6 EA Framework
322(1)
12.7 ROI Framework
323(1)
12.8 Awareness, Training, and Education (ATE) Framework
324(2)
12.8.1 Objective-Centered Framework
325(1)
12.9 SATE Framework
326(1)
12.10 SE Framework
326(1)
12.11 Enterprise Life Cycle Management (ELCM) Framework
327(3)
12.11.1 Concept
328(1)
12.11.2 Architect
328(1)
12.11.3 Engineer
328(1)
12.11.4 Acquire/Develop
328(1)
12.11.5 Implement
329(1)
12.11.6 Test
329(1)
12.11.7 Deploy
329(1)
12.11.8 Train
329(1)
12.11.9 Operate and Maintain
329(1)
12.11.10 Retire
329(1)
12.12 Security Framework
330(2)
12.13 Risk Management Framework
332(1)
12.14 Security Management Program Framework (SMP Framework)
332(1)
12.15 Reality Check Framework (RCF)
333(1)
12.16 Summary
334(1)
12.17 IA2 Framework Context
335(2)
13 IA Justification
337(32)
13.1 Introduction
337(1)
13.2 Objectives
337(1)
13.3 ROI Justification
337(3)
13.3.1 Revenue
338(1)
13.3.1.1 Increase Revenue
338(1)
13.3.1.2 Revenue Acceleration
339(1)
13.3.1.3 Sustain Revenue
339(1)
13.3.2 Cost
339(1)
13.3.2.1 Reduce Cost
339(1)
13.3.2.2 Avoid Cost
339(1)
13.4 IA Justification Based on Examining the Threat Space
340(5)
13.4.1 Threat Sources and Types
340(5)
13.4.2 IA2 Threat Taxonomy
345(1)
13.5 Expanding on the Adversary Threat Space
345(14)
13.5.1 Adversary Means
347(1)
13.5.1.1 Finances
348(1)
13.5.1.2 Equipment
348(1)
13.5.1.3 Knowledge
348(1)
13.5.2 Adversary Methods
349(1)
13.5.2.1 Computer System Penetration
349(1)
13.5.2.2 Programmatic Attacks
350(1)
13.5.2.3 Computer, Automated
350(1)
13.5.2.4 Computer, Interactive
351(1)
13.5.3 Adversary Motivations
351(1)
13.5.3.1 Computer Criminal Psychology
352(1)
13.5.3.2 Personal Motivations
353(1)
13.5.3.3 Industrial Motivations
353(1)
13.5.3.4 Political Motivations
353(1)
13.5.3.5 Information Warfare
354(1)
13.5.3.6 Asymmetrical Adversarial ism
354(1)
13.5.3.7 Cyber-Terrorism
355(1)
13.5.4 Adversary Mission
356(1)
13.5.4.1 Targets
356(1)
13.5.4.2 Intellectual Property (IP)
356(1)
13.5.4.3 E-Commerce
357(1)
13.5.4.4 Physical Infrastructure
357(1)
13.5.4.5 Desired Results of Target Attack
357(1)
13.5.4.6 Knowledge
358(1)
13.5.4.7 Subvert
358(1)
13.5.4.8 Destroy
358(1)
13.5.4.9 Steal
359(1)
13.5.4.10 Render Useless
359(1)
13.6 Consequences
359(2)
13.6.1 Level I: Interpersonal Damage
360(1)
13.6.2 Level II: Intercorporate Damage
360(1)
13.6.3 Level III: International Damage
360(1)
13.6.4 Adversary Consequences
360(1)
13.6.5 IA Core Principles as IA Justification
361(1)
13.7 IA Operations Cycle as IA Justification
361(3)
13.7.1 Anticipate
362(1)
13.7.2 Defend
363(1)
13.7.3 Monitor
364(1)
13.7.4 Respond
364(1)
13.8 Empirical Evidence
364(1)
13.8.1 Surveys
364(1)
13.8.2 Recent Media Coverage
365(1)
13.9 Compliance Requirements
365(2)
13.9.1 Cyberspace Law
366(1)
13.9.2 Legal Obligations
366(1)
13.10 IA Justification Summary
367(2)
14 Future of IA and IA2
369(18)
14.1 Introduction
369(1)
14.2 Objectives
369(1)
14.3 Future Vision
370(10)
14.3.1 General Bounds
370(1)
14.3.2 Future Vision Framework
371(1)
14.3.2.1 Drivers
371(1)
14.3.2.2 Extension
371(2)
14.3.2.3 Extrapolation
373(1)
14.3.2.4 Pendulum
374(1)
14.3.2.5 Patterns
374(1)
14.3.2.6 Connections
374(1)
14.3.2.7 Chaos
375(1)
14.3.3 Increase in Decision-Making Complexity
376(1)
14.3.4 Systems Dynamics
376(2)
14.3.5 Constants and Variables
378(1)
14.3.6 Summary of IA Future Vision
378(2)
14.4 The Future of IA
380(3)
14.5 The Future of IA2
383(4)
Appendix A IA2 Process Template 387(8)
Appendix B Templates of IA2F Views 395(10)
Appendix C IA Quantification Process Template 405(10)
Appendix D Security Management Program Framework 415(38)
Appendix E Security Management Program Template Outline 453(8)
Appendix F NIST Document Applicability Template 461(28)
Appendix G IA Standards Best Practices References 489(6)
Appendix H Root Cause Analysis Template 495(12)
Appendix I Problem Assertion Document Template 507(18)
Appendix J Privacy Management Program Outline 525(6)
Appendix K E-Insurance 531(6)
Appendix L Reading List 537(4)
Glossary 541(14)
References 555(4)
List of Figures 559(4)
List of Tables 563(8)
Index 571
Willett, Keith D.