Today the vast majority of the world's information resides in, is derived from, and is exchanged among multiple automated systems. Critical decisions are made, and critical action is taken, based on information from these systems. Therefore, the information must be accurate, correct, and timely, and be manipulated, stored, retrieved, and exchanged safely, reliably, and securely. In a time when information is considered the latest commodity, information security should be top priority.

A Practical Guide to Security Engineering and Information Assurance gives you an engineering approach to information security and information assurance (IA). The book examines the impact of accidental and malicious intentional action and inaction on information security and IA. Innovative long-term vendor-, technology-, and application-independent strategies show you how to protect your critical systems and data from accidental and intentional action and inaction that could lead to system failure or compromise.

The author presents step-by-step, in-depth processes for defining information security and assurance goals, performing vulnerability and threat analysis, implementing and verifying the effectiveness of threat control measures, and conducting accident and incident investigations. She explores real-world strategies applicable to all systems, from small systems supporting a home-based business to those of a multinational corporation, government agency, or critical infrastructure system.

The information revolution has brought its share of risks. Exploring the synergy between security, safety, and reliability engineering, A Practical Guide to Security Engineering and Information Assurance consolidates and organizes current thinking about information security/IA techniques, approaches, and best practices. As this book will show you, there is considerably more to information security/IA than firewalls, encryption, and virus protection.
Contents

1 Introduction
2 What Is Information Assurance, How Does It Relate to Information Security, and Why Are Both Needed?
3 Historical Approaches to Information Security and Information Assurance
4 Define the System Boundaries
5 Perform Vulnerability and Threat Analyses
6 Implement Threat Control Measures
7 Verify Effectiveness of Threat Control Measures
8 Conduct Accident/Incident Investigations
Annex A: Glossary of Terms
Annex B: Glossary of Techniques
Annex C: Additional Resources
Annex D: Summary of Components, Activities, and Tasks of an Effective Information Security/IA Program
Index