Assessing and Managing Security Risk in IT Systems / Edition 1
by John McCumber
Assessing and Managing Security Risk in IT Systems: A Structured Methodology builds upon the original McCumber Cube model to offer proven processes that do not change, even as technology evolves. This book enables you to assess the security attributes of any information system and implement vastly improved security environments.
Part I delivers an overview of information systems security, providing historical perspectives and explaining how to determine the value of information. This section offers the basic underpinnings of information security and concludes with an overview of the risk management process.
Part II describes the McCumber Cube, providing the original paper from 1991 and detailing ways to accurately map information flow in computer and telecom systems. It also explains how to apply the methodology to individual system components and subsystems.
Part III serves as a resource for analysts and security practitioners who want access to more detailed information on technical vulnerabilities and risk assessment analytics. McCumber details how information extracted from this resource can be applied to his assessment processes.
Product Details
- ISBN-13: 9780849322327
- Publisher: Taylor & Francis
- Publication date: 08/28/2004
- Edition description: New Edition
- Pages: 288
- Sales rank: 1,433,724
- Product dimensions: 6.20(w) x 9.30(h) x 0.80(d)
Table of Contents
SECURITY CONCEPTS
Using Models
Introduction: Understanding, Selecting, and Applying Models 
Understanding Assets
Layered Security 
Using Models in Security 
Security Models for Information Systems 
Shortcomings of Models in Security
Security in Context 
Reference 
Defining Information Security
Confidentiality, Integrity, and Availability 
Information Attributes
Intrinsic versus Imputed Value 
Information as an Asset 
The Elements of Security 
Security Is Security Only in Context 
Information as an Asset 
Introduction 
Determining Value 
Managing Information Resources 
References
Understanding Threat and Its Relation to Vulnerabilities 
Introduction 
Threat Defined 
Analyzing Threat 
Assessing Physical Threats 
Infrastructure Threat Issues
Assessing Risk Variables: The Risk Assessment Process 
Introduction 
Learning to Ask the Right Questions about Risk
The Basic Elements of Risk in IT Systems 
Information as an Asset 
Defining Threat for Risk Management
Defining Vulnerabilities for Risk Management 
Defining Safeguards for Risk Management
The Risk Assessment Process 
THE McCUMBER CUBE METHODOLOGY
The McCumber Cube
Introduction 
The Nature of Information
Critical Information Characteristics 
Confidentiality 
Integrity
Availability 
Security Measures
Technology 
Policy and Practice 
Education, Training, and Awareness (Human Factors) 
The Model 
References
Determining Information States and Mapping Information Flow
Introduction 
Information States: A Brief Historical Perspective 
Automated Processing: Why Cryptography Is Not Sufficient
Simple State Analysis 
Information States in Heterogeneous Systems 
Boundary Definition 
Decomposition of Information States
Developing an Information State Map
Reference 
Decomposing the Cube for Security Enforcement 
Introduction 
A Word about Security Policy
Definitions 
The McCumber Cube Methodology 
The Transmission State
The Storage State 
The Processing State
Recap of the Methodology
Information State Analysis for Components and Subsystems
Introduction 
Shortcomings of Criteria Standards for Security Assessments
Applying the McCumber Cube Methodology for Product Assessments
Steps for Product and Component Assessment 
Information Flow Mapping 
Cube Decomposition Based on Information States 
Develop Security Architecture 
Recap of the Methodology for Subsystems, Products, and Components
References
Managing the Security Life Cycle
Introduction 
Safeguard Analysis 
Introduction 
Technology Safeguards
Procedural Safeguards 
Human Factors Safeguards
Vulnerability-Safeguard Pairing 
Hierarchical Dependencies of Safeguards 
Security Policies and Procedural Safeguards 
Developing Comprehensive Safeguards: The Lessons of the Shogun 
Identifying and Applying Appropriate Safeguards
Comprehensive Safeguard Management: Applying the McCumber Cube
The ROI of Safeguards: Do Security Safeguards Have a Payoff?
Practical Applications of McCumber Cube Analysis
Introduction 
Applying the Model to Global and National Security Issues
Programming and Software Development
Using the McCumber Cube in an Organizational Information Security Program
Using the McCumber Cube for Product or Subsystem Assessment
Using the McCumber Cube for Safeguard Planning and Deployment 
Tips and Techniques for Building Your Security Program 
Establishing the Security Program: Defining You 
Avoiding the Security Cop Label 
Obtaining Corporate Approval and Support 
Creating Pearl Harbor Files
Defining Your Security Policy
Defining What versus How
Security Policy: Development and Implementation
Reference 
SECTION III APPENDICES
Vulnerabilities 
Risk Assessment Metrics
Diagrams and Tables
Other Resources