This book demonstrates how information security requires a deep understanding of an organization's assets, threats and processes, combined with the technology that can best protect organizational security. It provides step-by-step guidance on how to analyze business processes from a security perspective, while also introducing security concepts and techniques to develop the requirements and design for security technologies. This interdisciplinary book is intended for business and technology audiences, at student or experienced levels. Organizations must first understand the particular threats that an organization may be prone to, including different types of security attacks, social engineering, and fraud incidents, as well as addressing applicable regulation and security standards. This international edition covers Payment Card Industry Data Security Standard (PCI DSS), American security regulation, and European GDPR. Developing a risk profile helps to estimate the potential costs that an organization may be prone to, including how much should be spent on security controls. Security planning then includes designing information security, as well as network and physical security, incident response and metrics. Business continuity considers how a business may respond to the loss of IT service. Optional areas that may be applicable include data privacy, cloud security, zero trust, secure software requirements and lifecycle, governance, introductory forensics, and ethics. This book targets professionals in business, IT, security, software development or risk. This text enables computer science, information technology, or business students to implement a case study for an industry of their choosing. . Preface: How to Use This Book For the Educator Addressing Educational Criteria Teaching Aides for the Security Instructor Disclaimer Acknowledgments Contents Part I: The Problem of Security Chapter 1: Security Awareness: Brave New World 1.1 With Security, Every Person Counts 1.2 Attackers and Motives 1.2.1 Cybercrime 1.2.2 Espionage 1.2.3 Information Warfare 1.3 Criminal Techniques to Enter, Investigate, and Persist in a Network 1.4 Protecting Yourself 1.5 Questions References Chapter 2: Combatting Fraud 2.1 Internal Fraud 2.1.1 Defenses Against Internal Fraud 2.1.2 Recognizing Fraud 2.2 External Fraud 2.2.1 Identity Theft 2.2.2 Social Engineering 2.2.3 Business Email Compromise 2.2.4 Consumer Fraud 2.2.5 Receipt, Check, and Money Order Scams 2.2.6 Developing an Action Plan 2.3 Advanced: A Fraud Investigation 2.4 Questions and Problems 2.4.1 Health First Case Study Problems References Chapter 3: Complying with the PCI DSS Standard 3.1 Applicability 3.2 Background and Threats 3.3 General Requirements 3.3.1 Definitions 3.3.1.1 Payment Card Information 3.3.1.2 Payment Card Configuration 3.3.2 PCI DSS Requirements 3.3.2.1 Build and Maintain a Secure Network 3.3.2.2 Protect Cardholder Data 3.3.2.3 Maintain a Vulnerability Management Program 3.3.2.4 Implement Strong Access Control Measures 3.3.2.5 Regularly Monitor and Test Networks 3.3.2.6 Maintain an Information Security Policy 3.3.3 Additional Requirements for Sophisticated Configurations 3.3.4 The PCI DSS Approval Process and Annual Assessments 3.3.5 Other Security Concerns 3.4 Specific Vendor Requirements 3.5 Advanced: Software Security Framework 3.6 Questions and Problems References Part II: Strategic Security Planning Chapter 4: Managing Risk 4.1 Risk Management Overview 4.1.1 Step 1: Identify Risks 4.1.2 Step 2: Determine Loss Due to Threats 4.1.3 Step 3: Estimate Likelihood of Exploitation 4.1.4 Step 4: Compute Expected Loss 4.1.5 Step 5: Treat Risk 4.1.6 Step 6: Monitor (and Communicate) Risk 4.2 The Ethics of Risk 4.3 Advanced: Financial Analysis with Business Risk 4.4 Advanced: Risk for Larger Organizations 4.5 Questions and Problems 4.5.1 Health First Case Study Problems References Chapter 5: Addressing Business Impact Analysis and Business Continuity 5.1 Business Impact Analysis 5.1.1 Step 1: Define Threats Resulting in Business Disruption 5.1.2 Step 2: Define Recovery Objectives 5.2 Step 3: Business Continuity: Plan for Recovery 5.2.1 Recovery Sites 5.2.2 High-Availability Solutions 5.2.3 Disk Backup and Recovery 5.3 Step 4: Preparing for IT Disaster Recovery 5.4 Advanced: Business Continuity for Mature Organizations 5.5 Advanced: Considering Big Data Distributed File Systems 5.6 Questions 5.6.1 Health First Case Study Problems References Chapter 6: Governing: Policy, Maturity Models and Planning 6.1 Documenting Security: Policies, Standards, Procedures and Guidelines 6.2 Maturing the Organization via Capability Maturity Models and COBIT 6.3 Strategic, Tactical and Operational Planning 6.4 Allocating Security Roles and Responsibilities 6.5 Questions 6.5.1 Health First Case Study Problems References Part III: Tactical Security Planning 1.1 Important Tactical Concepts Chapter 7: Designing Information Security 7.1 Important Concepts and Roles 7.2 Step 1: Classify Data for CIA 7.3 Step 2: Selecting Controls 7.3.1 Selecting AAA Controls 7.3.2 Authentication: Login or Identification 7.3.2.1 Biometric Systems 7.3.3 Authorization: Access Control 7.3.4 Accountability: Logs 7.3.5 Audit 7.4 Step 3: Allocating Roles and Permissions 7.5 Advanced: Administration of Information Security 7.6 Advanced: Designing Highly Secure Environments 7.6.1 Bell and La Padula Model (BLP) 7.7 Questions 7.7.1 Health First Case Study Problems References Chapter 8: Planning for Network Security 8.1 Important Concepts 8.1.1 How Crackers Attack 8.1.2 Filtering Packets to Restrict Network Access 8.2 Defining the Network Services 8.2.1 Step 1: Inventory Services and Devices: Who, What, Where? 8.2.1.1 Inventorying Devices 8.2.2 Step 2: Determine Sensitivity of Services 8.2.3 Step 3: Allocate Network Zones 8.2.4 Step 4: Define Controls 8.3 Defining Controls 8.3.1 Confidentiality Controls 8.3.2 Authenticity & Non-Repudiation 8.3.3 Integrity Controls 8.3.4 Anti-Hacker Controls 8.4 Defining the Network Architecture 8.4.1 Step 5: Draw the Network Diagram 8.5 Advanced: How it Works 8.6 Questions 8.6.1 Health First Case Study Problems References Chapter 9: Designing Physical Security 9.1 Step 1: Inventory Assets and Allocate Sensitivity/Criticality Class to Rooms 9.2 Step 2: Selecting Controls for Sensitivity Classifications 9.2.1 Building Entry Controls 9.2.2 Room Entry Controls 9.2.3 Computer and Document Access Control 9.2.4 The Public Uses Computers 9.3 Step 3: Selecting Availability Controls for Criticality Classifications 9.4 Questions and Problems 9.4.1 Health First Case Study Problems References Chapter 10: Attending to Information Privacy 10.1 Important Concepts and Principles 10.2 Step 1: Defining a Data Dictionary with Primary Purpose 10.3 Step 2: Performing a Privacy Impact Assessment 10.3.1 Defining Controls 10.3.2 Anonymizing Data 10.4 Step 3: Developing a Policy and Notice of Privacy Practices 10.5 Advanced: Big Data: Data Warehouses 10.6 Questions References Chapter 11: Planning for Alternative Networks: Cloud Security and Zero Trust 11.1 Important Concepts 11.1.1 Cloud Deployment Models 11.2 Planning a Secure Cloud Design 11.3 Step 1: Define Security and Compliance Requirements 11.4 Step 2: Select a Cloud Provider and Service/Deployment Model 11.5 Step 3: Define the Architecture 11.6 Step 4–6: Assess and Implement Security Controls in the Cloud 11.7 Step 7: Monitor and Manage Changes in the Cloud 11.8 Advanced: Software Development with Dev-Sec-Ops 11.9 Advanced: Using Blockchain 11.10 Advanced: Zero Trust 11.10.1 Important Concepts 11.10.2 Zero Trust Architecture 11.11 Zero Trust Planning 11.11.1 Network and Cloud Checklist for Zero Trust 11.12 Questions References Chapter 12: Organizing Personnel Security 12.1 Step 1: Controlling Employee Threats 12.2 Step 2: Allocating Responsibility to Roles 12.3 Step 3: Define Training for Security 12.4 Step 4: Designing Tools to Manage Security 12.4.1 Code of Conduct and Acceptable Use Policy 12.4.2 Configuration Management and Change Control 12.4.3 Service Level Agreements 12.5 Questions and Problems 12.5.1 Health First Case Study Problems References Part IV: Planning for Detect, Respond, Recover Chapter 13: Planning for Incident Response 13.1 Important Statistics and Concepts 13.2 Developing an Incident Response Plan 13.2.1 Step 1: Preparation Stage 13.2.1.1 Bringing in the Law 13.2.2 Step 2: Identification Stage 13.2.3 Step 3: Containment and Escalation Stage 13.2.4 Step 4: Analysis and Eradication Stage 13.2.5 Step 5: Notification and Ex-post Response Stages (If Necessary) 13.2.6 Step 6: Recovery and Lessons Learned Stages 13.3 Preparing for Incident Response 13.4 Questions and Problems 13.4.1 Health First Case Study Problems References Chapter 14: Defining Security Metrics 14.1 Implementing Business-Driven Metrics 14.2 Implementing Technology-Driven Metrics 14.3 Questions and Problems 14.3.1 Health First Case Study Problems References Chapter 15: Performing an Audit or Security Test 15.1 Testing Internally and Simple Audits 15.1.1 Step 1: Gathering Information, Planning the Audit 15.1.2 Step 2: Reviewing Internal Controls 15.1.3 Step 3: Performing Compliance and Substantive Tests 15.1.4 Step 4: Preparing and Presenting the Report 15.2 Example: PCI DSS Audits and Report on Compliance 15.3 Professional and External Auditing 15.3.1 Audit Resources 15.3.2 Sampling 15.3.3 Evidence and Conclusions 15.3.4 Variations in Audit Types 15.4 Questions and Problems 15.4.1 Health First Case Study Problems References Chapter 16: Preparing for Forensic Analysis 16.1 Important Concepts 16.2 High-Level Forensic Analysis: Investigating an Incident 16.2.1 Establishing Forensic Questions 16.2.2 Collecting Important Information 16.3 Technical Perspective: Methods to Collect Evidence 16.3.1 Collecting Volatile Information Using a Jump Kit 16.3.2 Collecting and Analyzing Important Logs 16.3.3 Collecting and Forensically Analyzing a Disk Image 16.4 Legal Perspective: Establishing Chain of Custody 16.5 Advanced: The Judicial Procedure 16.6 Questions and Problems References Part V: Complying with National Regulations and Ethics References Chapter 17: Complying with the European Union General Data Protection Regulation (GDPR) 17.1 Background 17.2 Applicability 17.3 General Requirements 17.4 Rights Afforded to Data Subjects 17.4.1 Right of Access by the Data Subject (Article 15) 17.4.2 Right to Rectification (Article 16) 17.4.3 Right to Erasure (‘Right to Be Forgotten’) (Article 17) 17.4.4 Right to Restriction of Processing (Article 18) 17.4.5 Right to Data Portability (Article 20) 17.4.6 Right to Object to Processing (Article 21) 17.4.7 Right to Not Be Subject to a Decision Based Solely on Automated Processing (Article 22) 17.4.8 Rights of Remedies, Liabilities and Penalties (Articles 77–79) 17.4.9 Privilege of Notification (Article 13, 14) 17.4.10 Privilege of Communicated Response (Article 12) 17.4.11 Privilege of Protection of Special Groups (Article 9, 10) 17.5 Restrictions to Rights (Article 23) 17.6 Controller Processing Requirements 17.6.1 Risk Management and Security 17.6.2 Breach Notification 17.6.3 Penalties 17.6.4 Certification and Adequacy Decisions 17.6.5 Management and Third-Party Relationships 17.7 Actual GDPR Cases 17.8 Questions and Problems References Chapter 18: Complying with U.S. Security Regulations 18.1 Security Laws Affecting U.S. Organizations 18.1.1 State Breach Notification Laws 18.1.2 HIPAA/HITECH Act, 1996, 2009 18.1.3 Sarbanes-Oxley Act (SOX), 2002 18.1.4 Gramm–Leach–Bliley Act (GLB), 1999 18.1.5 Identity Theft Red Flags Rule, 2007 18.1.6 Family Educational Rights and Privacy Act (FERPA), 1974, and Other Child Protection Laws 18.1.6.1 Children’s Online Privacy Protection Act (COPPA), 1998 18.1.6.2 Children’s Internet Protection Act (CIPA), 2000 18.1.7 Federal Information Security Management Act (FISMA), 2002 18.1.8 California Consumer Privacy Act (CCPA) 18.2 Computer Abuse Laws 18.3 Other Laws 18.4 Final Considerations 18.5 Advanced: Understanding the Context of Law 18.6 Questions and Problems References Chapter 19: Complying with HIPAA and HITECH 19.1 Background 19.2 Introduction and Vocabulary 19.3 HITECH Breach Notification 19.4 HIPAA Privacy Rule 19.4.1 Patient Privacy and Rights 19.4.1.1 Disclosures 19.4.1.2 De-identification and Limited Data Sets 19.5 HIPAA Security Rule 19.5.1 Administrative Requirements 19.5.2 Physical Security 19.5.3 Technical Controls 19.6 Recent and Proposed Changes in Regulation 19.7 Questions and Problems 19.7.1 Health First Case Study Problems References Chapter 20: Maturing Ethical Risk 20.1 Important Concepts 20.2 Raising Ethical Maturity through an Ethical Risk Framework 20.2.1 Raising Self-centered Ethical Concern 20.2.1.1 Open Communication 20.2.1.2 Develop a Code of Ethics 20.2.1.3 Provide an Anonymous Reporting Mechanism for Ethical Violations 20.2.2 Adhering to Regulation 20.2.2.1 Address Regulation Fully 20.2.2.2 Evaluate Legal Responsibility Beyond Regulation 20.2.2.3 Manage Projects Responsibly 20.2.3 Respecting Stakeholder Concerns 20.2.3.1 Personalize Risk 20.2.3.2 Evaluate Trade-offs of Concern 20.2.4 Addressing Societal Concerns 20.2.4.1 Think Outside the Engineer Role 20.2.4.2 Inform of Safety and Security Concerns to Customers 20.2.4.3 Evaluate Unknown Risk 20.3 Questions References Part VI: Developing Secure Software Chapter 21: Understanding Software Threats and Vulnerabilities 21.1 Important Concepts and Goals 21.2 Threats to Input 21.2.1 Recognize Injection Attacks 21.2.2 Control Cross-site scripting (XSS) 21.2.3 Authentication and Access Control 21.2.4 Recognize Cross-Site Request Forgery (CSRF) 21.2.5 Minimize Access 21.3 Implement Security Features 21.4 Testing Issues 21.5 Deployment Issues 21.5.1 Validate and Control the Configuration 21.5.2 Questions and Problems References Chapter 22: Defining a Secure Software Process 22.1 Important Concepts 22.1.1 Software Security Maturity Models 22.1.2 The Secure Software Group 22.2 Secure Development Life Cycle 22.2.1 Coding 22.2.2 Testing 22.2.3 Deployment, Operations, Maintenance and Disposal 22.3 Secure Agile Development 22.3.1 Designing Agile Style: Evil User Stories 22.4 Example Secure Process: PCI Software Security Framework 22.5 Security Industry Standard: Common Criteria 22.6 Questions and Problems 22.6.1 Health First Case Study Problems References Chapter 23: Planning for Secure Software Requirements and Design with UML 23.1 Important Concepts and Principles in Secure Software Design 23.2 Evaluating Security Requirements 23.2.1 Step 1: Identify Critical Assets 23.2.2 Step 2: Define Security Goals 23.2.3 Step 3: Identify Threats 23.2.4 Step 4: Analyze Risks 23.2.5 Step 5: Define Security Requirements 23.2.6 Specify Reliability, Robustness 23.3 Analysis/Design 23.3.1 Static Model 23.3.2 Dynamic Model 23.3.2.1 Sequence Diagrams 23.3.2.2 State Transition Diagrams 23.4 Example Secure Design: PCI Software Security Framework 23.5 Questions and Problems 23.5.1 Health First Case Study Problems References