Database development and security certification and accreditation plan (pitwg)

Information Systems Development and Database Development Management: meeting security and legal security requirements
Slide 1
Presented by John M. Kennedy, October 30, 2007. ProMonsterMedia, LLP.

Slide 2
- Incident Response Plan
- Security Requirements
- Information System Security Policy
- Contingency Plan
- Security Education, Training and Awareness Program [SETA]

Slide 3
- How do I deal with this?
- What impact does it have?
- Who needs to know?

Slide 4
- DITSCAP
- HIPAA
- Sarbanes-Oxley

Slide 5
- Phone contact list
- Checklist
- Goals and objectives
- Attack impact matrix
- Notification matrix
- Evidence guidance
- Actual procedure guides (appendix)

Slide 6
- Senior management
  - Provides support and the authority to act
  - Provides funding
  - Provides approval

Slide 7
- Steering committee
  - Overall direction of the IRP
  - Frequent review of draft plans
  - One member from each impacted department

Slide 8
- Development team
  - Project officer
  - Support staff (each department)

Slide 9
- Create steering committee
- Establish team lead
- Identify critical systems and data
- Identify disasters
- Draft plan according to matrix
- Plan review
- Plan approval

Slide 10
- Developed after the initial design of the system (Step 1, Definition)
- Used after the system has been put into place (Step 4, Post Accreditation)

Slide 11
- No simple answer; no "canned" solution
- Time to prepare depends on:
  - How prepared (documented)
  - How skilled (development team)
  - Level of support (departments)
  - Size of plan (manual size)
- Identify members
- Identify critical systems
- Identify critical data
- Identify appropriate response

Slide 12
- Incident Response Team
  - Members (Maiwald, 2002)
Slide 13
- Security policy
  - Purpose
  - Audience
- Security measures
  - Ongoing monitoring
  - Deployment of the necessary security measures and tools

Slide 14 (two-column slide)
- Life-cycle phases: Initiation Phase; Development Phase; Implementation Phase; Operations Phase; Disposal Phase
- Prioritization: System-level prioritization; Enterprise-level prioritization

Slide 15 (diagram)
Database Security: Security Feature -> Protection Objective -> Security Mechanism

Slide 16
- Security features: the security features the system-to-be must have (e.g. privacy)
- Protection objectives: principles that contribute towards the security features (e.g. access control)
- Security mechanisms: mechanisms to achieve the protection objectives (e.g. authentication)

Slide 17
- Awareness and training
  - Awareness
  - Training
  - Education
  - Certification

Slide 18
- Vulnerability assessment
- Access control
  - Passwords
  - Physical security
  - Access cards
  - Biometric authentication
  - Wireless security
- Network security
  - TCP/IP standards
  - The Internet Protocol

Slide 19
- Firewalls and anti-virus
  - Types of protection
  - Firewall architecture
- Host security
  - Server hardening
  - Patching
  - Client hardening

Slide 20
- Cryptography
  - Symmetric vs. asymmetric encryption
  - Public key infrastructure (PKI) encryption
  - Digital certificates
- E-mail security
- Intrusion detection system (IDS)
- Penetration testing
- Logging and traffic monitoring

Slide 21
- Audit
- Risk assessment
- Disaster and recovery

Slide 22
- Vulnerability assessment
  - Defining the scope of vulnerability management
  - Asset inventory
  - Information management
  - Tools
  - Reporting and remediation
  - Response planning

Slide 23
- Access controls
  - Reusable passwords
    - Passwords must be changed periodically
    - Password policies
    - Good passwords
  - Physical security
    - To buildings and infrastructure
    - Access cards
    - Biometric authentication
  - Wireless security
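As an added example (not part of the deck), the following Python turns the "reusable passwords" bullets on this slide into an enforceable check: a minimum length and character-class rule, a banned-word and username test, reuse detection against a history of salted hashes, and the "changed periodically" rule as an age test. The thresholds (12 characters, 3 classes, 90 days, 5-entry history), the PBKDF2 work factor and the sample account are assumptions standing in for whatever the written policy says.

```python
"""Password-policy check for the "reusable passwords" controls on this slide.

Added example, not from the original deck: the thresholds (length, character
classes, 90-day rotation, 5-entry history) and the hashing parameters are
assumptions standing in for whatever ProMonsterMedia's written policy says.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

PBKDF2_ROUNDS = 100_000  # assumption: work factor for stored password hashes


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # assumption
    min_char_classes: int = 3     # assumption: 3 of lower/upper/digit/other
    max_age_days: int = 90        # assumption: "changed periodically" = 90 days
    history_depth: int = 5        # assumption: may not reuse the last 5
    banned_words: frozenset[str] = frozenset(
        {"password", "welcome", "qwerty", "promonster"}  # assumption
    )


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) pair is what gets stored.
    Only hashes are kept in the history, never the old passwords themselves."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def char_classes(password: str) -> int:
    """Number of distinct character classes present (lower, upper, digit, other)."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def is_reused(password: str, history: list[tuple[bytes, bytes]], depth: int) -> bool:
    """Re-derive the candidate with each stored salt and compare in constant time."""
    for salt, digest in history[-depth:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, username: str,
                   history: list[tuple[bytes, bytes]],
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy rules the candidate violates (empty = accepted)."""
    violations = []
    lowered = password.lower()
    if len(password) < policy.min_length:
        violations.append("length")
    if char_classes(password) < policy.min_char_classes:
        violations.append("complexity")
    if any(word in lowered for word in policy.banned_words):
        violations.append("banned")
    if username.lower() in lowered:
        violations.append("username")
    if is_reused(password, history, policy.history_depth):
        violations.append("reused")
    return violations


def password_expired(last_changed: date, today: date,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """The "changed periodically" rule: True once the password is older than max_age."""
    return (today - last_changed).days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample account, not real data.
    old = [hash_password("OldSecret#2006a")]
    for pw in ("password123", "OldSecret#2006a", "JKennedy2007!!", "Tr0ub4dor&3xyz"):
        print(f"{pw!r}: {check_password(pw, 'jkennedy', old) or 'accepted'}")
    print("expired:", password_expired(date(2007, 7, 1), date(2007, 10, 30)))
```

The history holds only salted hashes, so enforcing "no reuse" never requires keeping old passwords in clear; the candidate is re-derived under each stored salt and compared with a constant-time comparison.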
Slide 24
- Network security
  - TCP/IP standards
  - Internet Protocol
  - HTTPS protocol
  - Secure Sockets Layer (SSL)

Slide 25
- Firewall
  - Types of protection
    - Packet inspection
    - Application inspection
    - Denial-of-service inspection
    - Authentication of users
  - Types of firewalls
    - Router screening
    - Computer-based
    - Host firewalls
    - Stateful, ACL, and application firewalls
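Added example, not from the deck, contrasting two of the firewall types named on this slide: a router-screening ACL that judges each packet on its own headers, and a stateful filter that remembers which connections the protected enclave opened. The 10.0.0.0/8 enclave range, the web-only egress policy and the packet trace are constructed for illustration.

```python
"""Stateless ACL versus stateful filtering, for the "types of firewalls" bullet.

Added example, not from the deck: the 10.0.0.0/8 internal range, the web-only
egress policy and the packet trace are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the protected enclave
WEB_PORTS = {80, 443}                 # assumption: only web egress is permitted


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def direction(pkt: Packet) -> str:
    """'out' for enclave-to-Internet, 'in' for Internet-to-enclave, else 'other'."""
    src_in = ip_address(pkt.src) in INTERNAL
    dst_in = ip_address(pkt.dst) in INTERNAL
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "other"


def stateless_acl(pkt: Packet) -> bool:
    """Router-screening style ACL: decides on each packet's headers alone.

    Because it keeps no memory of outbound requests, return traffic has to be
    admitted by a port-based guess: anything from a web port to a high port.
    """
    d = direction(pkt)
    if d == "out" and pkt.dport in WEB_PORTS:
        return True
    if d == "in" and pkt.sport in WEB_PORTS and pkt.dport > 1023:
        return True   # the hole: any host can set source port 443 and walk in
    return False


class StatefulFirewall:
    """Tracks connections the enclave opened; admits inbound only if it matches one."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                       # part of a flow we opened
        if direction(pkt) == "out" and pkt.dport in WEB_PORTS and pkt.syn and not pkt.ack:
            self.flows.add(forward)           # new outbound connection: remember it
            return True
        return False                          # unsolicited inbound, or non-web egress


def evaluate(trace: list[Packet]) -> list[tuple[bool, bool]]:
    """Run the same trace through both filters; returns (stateless, stateful) per packet."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.filter(p)) for p in trace]


# Constructed trace: a legitimate HTTPS session, then a spoofed "reply" from an
# unrelated host that never saw a request from us, then a non-web egress attempt.
SAMPLE_TRACE = [
    Packet("10.0.0.5", "203.0.113.10", 51234, 443, syn=True),              # client SYN
    Packet("203.0.113.10", "10.0.0.5", 443, 51234, syn=True, ack=True),    # server SYN/ACK
    Packet("10.0.0.5", "203.0.113.10", 51234, 443, ack=True),              # client ACK
    Packet("198.51.100.7", "10.0.0.5", 443, 51234, ack=True),              # unsolicited
    Packet("10.0.0.5", "203.0.113.10", 51234, 3306, syn=True),             # non-web egress
]

if __name__ == "__main__":
    for pkt, (acl, stateful) in zip(SAMPLE_TRACE, evaluate(SAMPLE_TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ACL={acl}  stateful={stateful}")
```

The fourth packet is the point of the comparison: the ACL admits it because its headers look like a web reply, while the stateful filter rejects it because no enclave host ever opened a connection to 198.51.100.7.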
Slide 26
- Host security
  - Hardening servers
  - Hardening clients
  - Hosting servers in separate secure buildings
  - Patch installation
  - Managing permissions
  - Testing for vulnerabilities

Slide 27
- Cryptography
  - Symmetric vs. asymmetric encryption
  - Public key infrastructure (PKI) encryption
  - Digital certificates
- E-mail security
- Intrusion detection system (IDS)
- Penetration testing
- Logging and traffic monitoring

Slide 28
- Auditing
  - Audit trails
  - Purpose of the audit mechanism
  - Aspects of effective auditing
- Risk assessment
  - Periodically assess risks
  - Threat, vulnerability and asset identification
- Disaster and recovery
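Added example, not from the deck, for the audit-trail bullets on this slide: an HMAC-chained audit log of DBMS activity, so that every record can be attributed (who, what, which object, when, with what outcome) and any edit, deletion or reordering of the stored records is caught on verification. The events and the key are constructed; a production trail would keep the key on a separate log host rather than on the database server whose activity is recorded.

```python
"""Tamper-evident audit trail for the "audit trails / aspects of effective
auditing" bullets: every record says who did what to which object and when,
and each record is chained to its predecessor with an HMAC so that altering,
deleting or reordering an entry is detected on verification.

Added example, not from the deck; the events and the key are constructed.
A real deployment would hold the key on a separate log server, not on the
database host whose activity is being recorded.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64   # chain anchor for the first record
FIELDS = ("seq", "timestamp", "actor", "action", "target", "outcome")


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str
    actor: str
    action: str
    target: str
    outcome: str
    prev: str   # MAC of the preceding record
    mac: str    # HMAC-SHA256 over prev || canonical body


def _body(rec_or_dict) -> bytes:
    """Canonical JSON of the audited fields, so verification hashes the same bytes."""
    if isinstance(rec_or_dict, AuditRecord):
        rec_or_dict = {f: getattr(rec_or_dict, f) for f in FIELDS}
    return json.dumps(rec_or_dict, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: list[AuditRecord] = []

    def _mac(self, prev: str, body: bytes) -> str:
        return hmac.new(self._key, prev.encode() + body, hashlib.sha256).hexdigest()

    def append(self, timestamp: str, actor: str, action: str,
               target: str, outcome: str) -> AuditRecord:
        prev = self.records[-1].mac if self.records else GENESIS
        body = {"seq": len(self.records), "timestamp": timestamp, "actor": actor,
                "action": action, "target": target, "outcome": outcome}
        rec = AuditRecord(**body, prev=prev, mac=self._mac(prev, _body(body)))
        self.records.append(rec)
        return rec

    def verify(self, records: list[AuditRecord] | None = None) -> int | None:
        """Index of the first record that breaks the chain, or None if intact."""
        records = self.records if records is None else records
        prev = GENESIS
        for i, rec in enumerate(records):
            expected = self._mac(prev, _body(rec))
            if rec.seq != i or rec.prev != prev or not hmac.compare_digest(rec.mac, expected):
                return i
            prev = rec.mac
        return None


def build_sample_trail() -> AuditTrail:
    """Constructed DBMS activity; the key would come from the log server's keystore."""
    trail = AuditTrail(key=b"constructed-demo-key-do-not-reuse")
    trail.append("2007-10-30T09:00:01Z", "dba_smith", "GRANT SELECT", "patients", "success")
    trail.append("2007-10-30T09:02:17Z", "jdoe", "SELECT", "patients", "success")
    trail.append("2007-10-30T09:05:44Z", "jdoe", "UPDATE", "billing", "denied")
    trail.append("2007-10-30T09:06:02Z", "dba_smith", "REVOKE SELECT", "patients", "success")
    return trail


def tampered_copy(trail: AuditTrail, index: int, **changes) -> list[AuditRecord]:
    """Simulate an insider editing a stored record without access to the key."""
    copy = list(trail.records)
    copy[index] = dataclasses.replace(copy[index], **changes)
    return copy


def deleted_copy(trail: AuditTrail, index: int) -> list[AuditRecord]:
    """Simulate an insider removing an incriminating record."""
    return trail.records[:index] + trail.records[index + 1:]


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", t.verify())
    print("edited outcome at 2:", t.verify(tampered_copy(t, 2, outcome="success")))
    print("record 1 deleted:", t.verify(deleted_copy(t, 1)))
```

Each record carries the MAC of its predecessor, so removing a record or changing its body breaks the chain from that point; the `seq` field additionally pins each record to its position so records cannot be silently reordered.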
Slide 29
- System milestones
  - The development process will start at the beginning of the project and will be an ongoing process
  - Estimated effort to complete Appendix F: 10 hours per page
  - Estimated number of pages: 17
  - 5 IT personnel x $35/hr = $175 per hour
  - $175 x 17 pages x 10 hrs/page = $29,750 total cost for Appendix F

Slide 30
Information System Security Policy

Slide 31
- Purpose of the Information System Security Policy
- Target information system

Slide 32
- Policy content
  - Identify roles and responsibilities
  - Access control and external access
  - User characteristics
  - Sensitivity of processed data
  - Tasks and estimates

Slide 33
- Informs all users of the goals and constraints of using the system
- Explains how the security program is structured
- Provides scope and direction for all security activities within the organization
- Recognizes the system's sensitive assets

Slide 34
- Characteristics of a well-developed security policy:
  - Coverage
  - Durability
  - Realism
  - Usefulness
  - Compliance with applicable laws and regulations

Slide 35 (two-column slide)
- System description
  - Distributed database
  - Queried by telecommuting employees and clients
- System capabilities
  - Stores and distributes information to clients
  - Sensitive data processed:
    - Malpractice lawsuits
    - Disciplinary actions

Slide 36 (two-column slide)
- Roles and responsibilities
  - Designated Approving Authority (DAA)
  - Information System Security Officer (ISSO)
  - User representatives
  - Database administrator
- Access control and external access
  - Auditing
  - Public key infrastructure and e-mail
  - Internet security
  - Virus definition updates

Slide 37 (two-column slide)
- User characteristics
  - Discretionary access control
  - Password management
- Sensitivity of processed data
  - Data classification
  - Data markings
  - Printed data

Slide 38
- Tasks
  - 1st: Draft of document
  - 2nd: Release of document
  - 3rd: Baseline document (if approved)

Slide 39
- Estimate based on NWA 50193/0002 for completion of 100 pages
  - 8 man-hours per page at 1 FTE = 105 USD
  - 100 pages x 105 USD = 10,500 USD
- Estimate
  - 10 pages x 8 hrs = 80 hours
  - 80 hrs x 105 USD = 8,400 USD
- FTE (full-time engineer, $13.13/hr); USD (United States dollars)

Slide 40
- "What do we do when we cannot use our facility?"
- "What can we do now to better prepare our business unit to respond when our facility is unavailable?"

Slide 41
- The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them.
- Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate.
- Observe physical security procedures in your facility, and encourage increased security when appropriate.
- Consider encouraging security-training sessions where appropriate.
Slide 42
To maintain an acceptable level of residual risk throughout the lifecycle.

Slide 43
- IT system contingency plans
  - Must be tested annually
  - Tabletop exercise
  - Functional exercise

Slide 44
- Title III of Public Law 107-347 (the E-Government Act of 2002), the Federal Information Security Management Act of 2002 (FISMA)
  - Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems

Slide 45
- Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery.

Slide 46
- The contingency plan evaluation task analyzes the contingency, backup, and continuity-of-service plans to ensure the plans are consistent with the requirements identified in the SSAA (System Security Authorization Agreement).

Slide 47
- The team plan has been developed by the ProMonsterMedia IT Working Group
- Team leaders are responsible for part of the plan development process

Slide 48
- The form is used to chart the progress in developing your business resumption plan
- Each plan segment/module is listed with the development responsibility

Slide 49
- This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security-relevant software and hardware.

Slide 50
- Inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements.

Slide 51
- Review configuration and security management
  - Follow the change management documented in the SSAA
  - Determine if system security management continues to support the mission and architecture
- Conduct risk management review
  - Assess whether the risk to CIAA (confidentiality, integrity, availability, accountability) is being maintained at an acceptable level
- Conduct compliance validation if needed
  - Ensure continued compliance with the SSAA requirements, the current threat assessment, and the concept of operations
- Maintain the SSAA
Slide 52
1. Definition
2. The Target Audience
3. Rationale and Purpose
4. System Milestones
5. Content Development
6. Estimates
7. References
8. Appendices

Slide 53
Definition

Slide 54
What is a Security Education, Training and Awareness [SETA] plan? Michael Whitman (2006) stated that a SETA plan is a: “Program designed to provide direct, applied measures to influence employee behavior, increase employee abilities and enable the organization to hold employees accountable for their actions.” (p. 22). Now, why is educating, training and raising the awareness of people so important for protecting and securing critical or sensitive information?

Slide 55
The Target Audience

Slide 56
The weakest link: the most likely point of failure in any security program. Security is everyone's responsibility!
- According to Wilson & Hash (2003), the key factor in providing security is not the technology or the state-of-the-art efforts to protect and secure the information systems [IS].
- To provide adequate information security, the people factor is the key factor, because people are the system's weakest link (p. 1).
SEC_RITY is not complete without U!

Slide 57
Database Security SETA program rationale. All people using or administering the Database Management System and information systems must:
- Understand ProMonsterMedia's mission and their roles and responsibilities
- Follow ProMonsterMedia's Information System Security Policy, regulations and practices
- Be trained in and/or aware of the risks, threats, and the control methods implemented to protect and secure the information system's critical assets and resources (Wilson & Hash, October 2003)

Slide 58
The Rationale and Purpose

Slide 59
- “Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”
- “Problems cannot be solved at the same level of awareness that created them.” (Whitman, 2006, p. 30)

Slide 60
Best practices and guides. Legal components: official sources and documentation
1. ISO 17799
2. COBIT 4.0
3. HIPAA (Privacy and Security Rules)
4. GLBA (Gramm-Leach-Bliley Act)
5. PCI Data Security Standard
6. OMB Circular A-130
7. FISMA, Public Law 107-347
8. NIST SP 800-16
9. NIST SP 800-50
10. Section 508 of the Rehabilitation Act
(Addison, 2007)

Slide 61
1. By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
2. By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
3. By improving awareness of the need to protect system resources
(NIST, 1995)
Slide 62
The System Milestones

Slide 63 (figure)
1. Program Strategy and Planning
2. Design and Development
3. Delivery, Administration and Post-implementation

Slide 64
These are the phases of the life-cycle development process for SETA described by Wilson and Hash (2003) in NIST SP 800-50:
1. Awareness and Training Program Design (Wilson & Hash, 2003, Section 3)
2. Awareness and Training Material Development (Wilson & Hash, 2003, Section 4)
3. Program Implementation (Wilson & Hash, 2003, Section 5)
4. Post-Implementation (Wilson & Hash, 2003, Section 6)

Slide 65
Specific Content Development

Slide 66
- Laws and regulations
- IT security program
- System environment
- System interconnection
- Information sharing
- Sensitivity
- Risk management
- Management controls
- Acquisition/development/installation/implementation controls
- Operational controls
- Awareness, training, and education controls
- Technical controls
(Wilson, de Zafra, Tressler & Ippolito, April 1998)

Slide 67
Three models:
1. Centralized
2. Partially decentralized
3. Fully decentralized
(Wilson & Hash, 2003)
Figure 2: Model 1, Centralized Program Management (Wilson & Hash, 2003, p. 23, figure 3-1)

Slide 68
NIST SP 800-16 states: “Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.” (Wilson, de Zafra, Tressler et al., 1998). Wilson & Hash (2003) indicated that “Training strives to produce relevant and needed security skills and competencies.” (p. 9). “Awareness is not training or education, is bringing the attention on the importance of Security Issues.” (Wilson, de Zafra, Tressler et al., 1998)
Figure 2 depicts the continuum (Wilson & Hash, 2003, p. 18, figure 2-1).

Slide 69
Figure 3: Needs assessment (Wilson & Hash, 2003, p. 29, figure 3-5).

Slide 70
NIST SP 800-50 (2003) provides the following questions (p. 29):
- What awareness, training, and/or education are needed (i.e., what is required)?
- What is currently being done to meet these needs?
- What is the current status regarding how these needs are being addressed (i.e., how well are current efforts working)?
- Where are the gaps between the needs and what is being done (i.e., what more needs to be done)?
- Which needs are most critical?
Figure 4 shows the required level of training versus the current level of effort (Wilson & Hash, 2003, p. 30, figure 3-7).

Slide 71
- Did our team complete a needs assessment?
- Did our team develop an overall strategy?
- Did our team complete an awareness and training program for implementing the strategy previously developed?
- Did the security team finally develop the awareness and training material?
Figure 5: Key Steps Leading to Program Implementation (Wilson & Hash, 2003, p. 42, figure 5-1)

Slide 72
Figure 6: The Post-implementation (Wilson & Hash, 2003, p. 46, figure 6-1)

Slide 73
Figure 7: Evaluation and Feedback Methodology (Wilson & Hash, 2003, p. 48, figure 6-2)

Slide 74
Estimates

Slide 75
Government security classification cost estimate, fiscal year 2005:
- Total = $7.7 billion
- Personnel security = $1.15 billion
- Physical security = $1 billion
- Information security = $4 billion
- Information technology = $3.6 billion
- Classification management = $310 million
- Declassification = $57 million
- Professional education and training = $219 million
- Security management and planning = $1.2 billion
- Unique = $6.6 million
(ISOO, 2005)

Slide 76 (table)
Estimated SETA team hours per 180 estimated pages:

Phase                                                | Estimated SETA team hours | Estimated number of pages
1st: Strategic planning                              | 5                         | 50
2nd: Program design and development                  | 30                        | 50
3rd: Delivery, administration and post-implementation | 25                        | 80
Total                                                | 60                        | 180

Slide 77
Estimate for completion of 180 pages:
- 1 SETA security team hour = $250.00 US dollars [USD]
- Estimated total pages = 180
- Estimated total SETA security team hours = 60
- Appendix "O" SETA plan cost: 60 SETA security team hours x $250.00 per hour = $15,000.00 USD
- Other expenses and misc. = $5,000.00 USD
- Estimated total cost = $20,000.00 USD

Slide 78
Thank you for your attention, and just as a reminder: security is about "us", not only about you. We are all in it. Do you have any questions?

Slide 79
SETA Appendices
Slides 80-85: References

2007 LandWarNet Conference. (2007, Aug 21). Notes.

Addison, S. (2007, July 3). Best Practices for Security Awareness Training. Security-awareness.com. Retrieved October 24, 2007, from http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/

Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook. Retrieved October 26, 2007, from http://www.nist.gov

Brackin, C. (2003). Vulnerability Management: Tools, Challenges, & Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room

Business Resumption Development Guide. (2006, May 5). Buckley King LPA.

Canavan, S. & Diver, S. (2007). Information Security Policy: A Development Guide for Large & Small Companies. Retrieved October 26, 2007, from http://www.sans.org/reading room

Department of Defense [DoD]. (2000, July 31). Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual, DoD 8510.1-M. Retrieved October 24, 2007, from http://www.dtic.mil/whs/directives/corres/pdf/851001m.pdf

Department of Defense. (1997, Dec 30). Information Assurance. Retrieved October 28, 2007, from http://iase.disa.mil/ditscap/DitscapFrame.html

DIACAP and the GIG IA Architecture. (2005, March). Retrieved October 27, 2007, from http://www.afei.org/documents/DIACAPandtheGIGCCRTS_371.pdf

DISA. (2007, June 21). Enclave Security Technical Implementation Guide, Version 4, Release 1. DISA Field Security Operations, developed by DISA for the DoD. Retrieved October 28, 2007, from http://iase.disa.mil/stigs/stig/enclave-stig-v4r1.pdf

DoD 5200.28-STD. (1985, December 26). Trusted Computer System Evaluation Criteria.

Security Functionality Requirements. (1992, January 28). Minimum Security Functionality Requirements for Multi-User Operating Systems. Retrieved October 15, 2007, from http://security.isu.edu/pdf/secfunreq.pdf

Foix, R. (2004, October 4). Expanding responsibility for incident response. Computerworld, 38(40), 28. Retrieved October 27, 2007, from Computer Source database.

G. (2002). Implementing an Effective IT Security Program. Retrieved October 27, 2007, from http://www.sans.org/reading room

GadAllah, S. (2003). The Importance of Logging & Traffic Monitoring for Information Security. Retrieved October 27, 2007, from http://www.sans.org/reading room

Iase.disa.mil. Information Assurance Support Environment Profile. Retrieved October 26, 2007, from http://iase.disa.mil/

Information Security Oversight Office [ISOO]. (2005). Report on Cost Estimates for Security Classification Activities: Background and Methodology. Retrieved October 28, 2007, from http://www.archives.gov/isoo/reports/2005-cost-report.html

Kyle, S. (2003). Biometrics: An In Depth Examination. Retrieved October 27, 2007, from http://www.sans.org/reading room

Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick, OH: McGraw-Hill Professional.

National Computer Security Center (NCSC). (1987). A Guide to Understanding Audit in Trusted Systems. Retrieved October 27, 2007, from http://csrc.ncsl.nist.gov/publications/secpubs/rainbow/tg001.txt

Panko, R. (2004). Corporate Computer and Network Security. Upper Saddle River, NJ: Pearson Education Inc.

Pfleeger, C. P. & Pfleeger, S. L. (2003). Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education Inc. / Prentice Hall.

Pratt, M. (2007, May 16). Five tips for building an incident response plan. Computerworld. Retrieved October 27, 2007, from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019558&pageNumber=1

Ross, R. (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Maryland: Diana Publishing Company.

Setty, H. (2001). System Administrator: Security Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room

Thompson, D. (2005). Implementing a Secure Wireless Network for a Windows Environment. Retrieved October 27, 2007, from http://www.sans.org/reading room

Whitman, M. E. (2006). Assuring the Integrity of Financial Information Systems: Awareness and Responsibility of Employees and Business Partners. Center for Information Security Education, Kennesaw State University. Retrieved October 24, 2007, from http://www3.uakron.edu/cba/cretisa/2006/whitman_infosec.pdf

Wilson, M. & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50. Gaithersburg, MD: National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory.

Wilson, M. & Hash, J. (2003, October). Information Technology Security Awareness, Training, Education, and Certification. ITL Bulletin. National Institute of Standards and Technology. Retrieved October 23, 2007, from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

Wilson, M., de Zafra, D. E., Tressler, J. D. & Ippolito, J. B. (1998, April). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16 (supersedes Special Publication 500-172). Gaithersburg, MD: U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology. Retrieved October 24, 2007, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf

www.dtic.mil. (n.d.). Retrieved October 22, 2007, from http://www.dtic.mil/whs/directives/corres/text/p85101m.txt