Writing Information Security Policies
暫譯: 撰寫資訊安全政策

Scott Barman

Writing Information Security Policies
  • 出版商: New Riders
  • 出版日期: 2001-11-12
  • 定價: $1,100
  • 售價: 5.0$550
  • 語言: 英文
  • 頁數: 240
  • 裝訂: Paperback
  • ISBN: 157870264X
  • ISBN-13: 9781578702640
  • 相關分類: 資訊安全

    • 立即出貨(限量) (庫存=2)

買這商品的人也買了...

商品描述

Administrators, more technically savvy than their managers, have started to secure the networks in a way they see as appropriate. When management catches up to the notion that security is important, system administrators have already altered the goals and business practices. Although they may be grateful to these people for keeping the network secure, their efforts do not account for all assets and business requirementsFinally, someone decides it is time to write a security policy. Management is told of the necessity of the policy document, and they support its development. A manager or administrator is assigned to the task and told to come up with something, and fast!Once security policies are written, they must be treated as living documents. As technology and business requirements change, the policy must be updated to reflect the new environment--at least one review per year. Additionally, policies must include provisions for security awareness and enforcement while not impeding corporate goals. This book serves as a guide to writing and maintaining these all-important security policies.

Table of Contents

I. STARTING THE POLICY PROCESS.

1. What Information Security Policies Are.
About Information Security Policies. Why Policies Are Important. When Policies Should Be Developed. How Policies Should Be Developed.

2. Determining Your Policy Needs.
Identify What Is to Be Protected. Identify From Whom It Is Being Protected. Data Security Considerations. Backups, Archival Storage, and Disposal of Data. Intellectual Property Rights and Policies. Incident Response and Forensics.

3. Information Security Responsibilities.
Management Responsibility. Role of the Information Security Department. Other Information Security Roles. Understanding Security Management and Law Enforcement. Information Security Awareness Training and Support.

II. WRITING THE SECURITY POLICIES.

4. Physical Security.
Computer Location and Facility Construction. Facilities Access Controls. Contingency Planning. General Computer Systems Security. Periodic System and Network Configuration Audits. Staffing Considerations.

5. Authentication and Network Security.
Network Addressing and Architecture. Network Access Control. Login Security. Passwords. User Interface. Access Controls. Telecommuting and Remote Access.

6. Internet Security Policies.
Understanding the Door to the Internet. Administrative Responsibilities. User Responsibilities. World Wide Web Policies. Application Responsibilities. VPNs, Extranets, Intranets, and Other Tunnels. Modems and Other Backdoors. Employing PKI and Other Controls. Electronic Commerce.

7. Email Security Policies.
Rules for Using Email. Administration of Email. Use of Email for Confidential Communication.

8. Viruses, Worms, and Trojan Horses.
The Need for Protection. Establishing the Type of Virus Protection. Rules for Handling Third-Party Software. User Involvement with Viruses.

9. Encryption.
Legal Issues. Managing Encryption. Handling Encryption and Encrypted Data. Key Generation Considerations. Key Management.

10. Software Development Policies.
Software Development Processes. Testing and Documentation. Revision Control and Configuration Management. Third-Party Development. Intellectual Property Issues.

III. MAINTAINONG THE POLICIES.

11. Acceptable Use Policies.
Writing the AUP. User Login Responsibilities. Use of Systems and Network. User Responsibilities. Organization's Responsibilities and Disclosures. Common-Sense Guidelines About Speech.

12. Compliance and Enforcement.
Testing and Effectiveness of the Policies. Publishing and Notification Requirements of the Policies. Monitoring, Controls, and Remedies. Administrator's Responsibility. Logging Considerations. Reporting of Security Problems. Considerations When Computer Crimes Are Committed.

13. The Policy Review Process.
Periodic Reviews of Policy Documents. What the Policy Reviews Should Include. The Review Committee.

IV. APPENDIXES.

Appendix A. Glossary.
Appendix B. Resources.
Incident Response Teams. Other Incident Response Information. Virus Protection. Vendor-Specific Security Information. Security Information Resources. Security Publications. Industry Consortia and Associations. Hacker and “Underground” Organizations. Health Insurance Portability and Accountability Act. Survivability. Cryptography Policies and Regulations. Security Policy References.

Appendix C. Sample Policies.
Sample Acceptable Use Policy. Sample Email Security Policy. Sample Administrative Policies.

Index.

商品描述(中文翻譯)

管理員比他們的經理更具技術能力,已經開始以他們認為合適的方式來保護網絡。當管理層意識到安全性的重要性時,系統管理員已經改變了目標和商業實踐。雖然他們可能對這些人保持網絡安全表示感激,但他們的努力並未考慮到所有資產和商業需求。最後,有人決定是時候撰寫安全政策了。管理層被告知政策文件的必要性,並支持其發展。一位經理或管理員被指派負責此任務,並被告知要迅速提出方案!一旦安全政策撰寫完成,必須將其視為活文件。隨著技術和商業需求的變化,政策必須更新以反映新的環境——至少每年進行一次審查。此外,政策必須包括安全意識和執行的條款,同時不妨礙企業目標。本書作為撰寫和維護這些重要安全政策的指南。

目錄

I. 開始政策流程
1. 什麼是資訊安全政策
關於資訊安全政策。為什麼政策很重要。何時應該制定政策。如何制定政策。

2. 確定您的政策需求
確定需要保護的內容。確定保護對象。數據安全考量。數據的備份、存檔和處理。智慧財產權和政策。事件響應和取證。

3. 資訊安全責任
管理責任。資訊安全部門的角色。其他資訊安全角色。理解安全管理和執法。資訊安全意識訓練和支持。

II. 撰寫安全政策
4. 實體安全
電腦位置和設施建設。設施訪問控制。應急計劃。一般電腦系統安全。定期系統和網絡配置審計。人員配置考量。

5. 認證和網絡安全
網絡地址和架構。網絡訪問控制。登錄安全。密碼。用戶界面。訪問控制。遠程工作和遠程訪問。

6. 網際網路安全政策
理解通往網際網路的門。管理責任。用戶責任。全球資訊網政策。應用程序責任。VPN、外部網、內部網和其他隧道。調製解調器和其他後門。使用PKI和其他控制。電子商務。

7. 電子郵件安全政策
使用電子郵件的規則。電子郵件的管理。使用電子郵件進行機密通信。

8. 病毒、蠕蟲和木馬
需要保護的原因。建立病毒保護類型。處理第三方軟件的規則。用戶與病毒的互動。

9. 加密
法律問題。管理加密。處理加密和加密數據。密鑰生成考量。密鑰管理。

10. 軟體開發政策
軟體開發流程。測試和文檔。版本控制和配置管理。第三方開發。智慧財產權問題。

III. 維護政策
11. 可接受使用政策
撰寫AUP。用戶登錄責任。系統和網絡的使用。用戶責任。組織的責任和披露。關於言論的常識指導。

12. 合規性和執行
政策的測試和有效性。政策的發布和通知要求。監控、控制和補救措施。管理員的責任。日誌考量。安全問題的報告。計算機犯罪發生時的考量。

13. 政策審查流程
政策文件的定期審查。政策審查應包括的內容。審查委員會。

IV. 附錄
附錄A. 詞彙表。附錄B. 資源。
事件響應小組。其他事件響應信息。病毒保護。供應商特定的安全信息。安全信息資源。安全出版物。行業聯盟和協會。駭客和“地下”組織。健康保險可攜性和責任法案。存活能力。密碼政策和法規。安全政策參考。

附錄C. 範本政策。
範本可接受使用政策。範本電子郵件安全政策。範本管理政策。索引。

類似商品