The Disaster Center Bookstore

Disaster Center Bookstore-a service of Rothstein Associates

Info, Network Security, Info Protection

Secure Internet Practices: Best Practices for Securing Systems in the Internet & E-Business Age, by Patrick McBride, Jody Patilla, Craig Robinson, Peter Thermos, Edward P. Moser. 2002, 211 pg.
CD624
$75.00

SECURE INTERNET PRACTICES: BEST PRACTICES FOR SECURING SYSTEMS IN THE INTERNET AND E-BUSINESS AGE
by Patrick McBride, Jody Patilla, Craig Robinson, Peter Thermos, Edward P. Moser

“Is your e-business secure? Have you done everything you can to protect your enterprise and your customers from the potential exploits of hackers, crackers, and other cyberspace menaces? As we expand the brave new world of e-commerce, we are confronted with a whole new set of security problems. Dealing with the risks of Internet applications and e-commerce requires new ways of thinking about security.

“Secure Internet Practices: Best Practices for Securing Systems in the Internet and e-Business Age presents an overview of security programs, policies, goals, life cycle development issues, infrastructure, and architecture aimed at enabling you to effectively implement security at your organization. In addition to discussing general issues and solutions, the book provides concrete examples and templates for crafting or revamping your security program in the form of an Enterprise-Wide Security Program Model, and an Information Security Policy Framework.

“Although rich in technical expertise, this is not strictly a handbook of Internet technologies, but a guide that is equally useful for developing policies, procedures, and standards. The book touches all the bases you need to build a secure enterprise. Drawing on the experience of the world-class METASeS consulting team in building and advising on security programs, Secure Internet Practices: Best Practices for Securing Systems in the Internet and e-Business Age shows you how to create a workable security program to protect your organization's Internet risk.”

- - - - - - - - - - -

* Provides the first comprehensive overview of strategies, tactics, and approaches needed to secure an organization
* Covers everything needed to build a secure enterprise: policies, programs, standards, procedures, goals, architecture, infrastructure, and applications
* Includes templates for an Enterprise-Wide Security Program and an Information Security Policy Framework
* Draws on the experience of METASeS in building and advising on security programs worldwide

- - - - - - - - - - -

TABLE OF CONTENTS

INTRODUCTION
Brief History of the Internet
Size and Growth of the Internet
Implications for Security
Business Uses of the Internet
Security in the Internet and E-Commerce Age
A Formula for Quantifying Risk
Conclusion

THE INFORMATION SECURITY PROGRAM
The Present Information Systems Environment
A Risk Construct
Information Risk Management
Enterprise-Wide Information Security Program Elements: Framework, Organization, Technology, and Process
Creating a Successful Security Program
Building the Security Program
Conclusion

DEVELOPING AN INFORMATION SECURITY POLICY
The Impact of the Internet
Characteristics of Good Information Security Policy
METASeS Information Security Policy Framework
Policy Interpretation
Information Security Policy Life Cycle
Assessing Policy Needs
Developing Information Security Policy
Implementing and Deploying Policy
Maintaining Information Security Policy

WEB AND E-COMMERCE SECURITY
Chapter Components
Information Security Goals
Web and e-Commerce Security Architecture
The Process of Formulating Architecture
Types of Architecture
System Development Life Cycle Methodology
Underlying Infrastructure Components
Conclusion

Appendix A: Sample Excerpt from an Information Security Program Gap Analysis
Appendix B: Excerpts from Technology Standards and Configuration Guides Publications
Appendix C: Resources for Information Security and Policy
Appendix D: Examples of Processes and Procedures
Appendix E: Trends in Security Spending
Glossary
Index

- - - - - - - - - - -

EXCERPT FROM THE PREFACE

“This report from METASeS is written for those who need to develop policies, programs, strategies, and tactics for dealing with the risks of Internet applications and e-Commerce. The intended audience is management from various levels who are involved in policy, financial, technical, and other decisions for achieving appropriate Internet security.

“This book is not a detailed technical guide. It is an overview of security programs, policies, goals, life cycle development issues, infrastructures, and architectures aimed at enabling you to effectively implement security at your organization.

“In addition to simply writing about general issues and solutions, we have attempted to give concrete examples where possible and to provide "templates" to expedite your own efforts in this exciting, rapidly changing arena.

OVERVIEW

“The purpose of the report is to help an organization evaluate its Internet-related business risk, and create a workable security program, security policies, and architectures. This report is organized into the following chapters.

“The Introduction provides an overview of the explosive growth of the Internet and its associated business applications, and the security implications of the e-Commerce revolution. A formula for quantifying risk is also presented.

“Chapter 1 introduces our overarching security program. It discusses the issues organizations must consider when designing, developing, implementing, and operating security programs, including risk management. It also provides our Enterprise-Wide Security Program Model of a program's component parts.

“This chapter also provides some practical advice on how to analyze an existing program, and best-practice recommendations for scoring "early wins" on tightening security in order to garner the institutional support for sustaining longer-term initiatives.

“Chapter 2 covers a foundation stone of a security program - Information Security Policy. It describes the importance of policy, how to create it, and outlines its characteristics. The chapter also details the parts of the policy life cycle, describes standards and procedures, and outlines our Best-Practices Policy Framework. Given the importance of information policy in the Internet security space, and for security in general, this chapter spends considerable time on how to analyze, define, and improve current policies.

“Indeed, in the first two chapters of the report, this book devotes much attention to program and policy before tackling architecture and infrastructure. After all, clear security policies and a sound security awareness program must exist to lay the foundation for effective protection of information.

“Chapter 3 provides an overview of the fundamental security goals, architecture, and development methodology, including the system development life cycle. Moreover, it takes a detailed look at specific network infrastructure elements such as routers, servers, application issues, end-user issues, and security controls, and how they fit into the security architecture puzzle. For each element, this chapter provides a set of recommendations.

“Note that chapter 3 discusses the technical details of Internet security. Chapters 1 and 2 outline many of the overarching security program elements that are independent of a given system or application, but are essential to establishing a secure environment. Chapter 3, however, drills down into the specifics of security.

“The appendices provide specific examples and templates for security policies and standards, as well as list numerous other sources of invaluable information on Internet security.

“Appendix A is a sample Information Security Gap Analysis.

“Appendix B contains illustrative tables of contents and excerpts from two of METASeS' best practices technical publications, a UNIX Technology Standard and a Solaris Configuration Guide.

“Appendix C contains links to important or interesting Web sites on Information Security.

“Appendix D contains a comprehensive list of processes and procedures.

“Appendix E contains excerpts on trends in security spending from the META Group report, Enterprise Security in Practice: Market Segments in Transition.”

- - - - - - - - - - -
2002, 211 pages. Order #DR624
- - - - - - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
