Enterprise security architecture: a business-driven approach / John Sherwood, Andrew Clark, David Lynas.

By: Sherwood, John, 1947-
Contributor(s): Clark, Andrew | Lynas, David | Sherwood, John, 1964 | Sherwood, John, 1945
Material type: Text
Publisher: California: CMP Books, 2005
Description: xxiv, 587 p. : ill. ; 26 cm
ISBN: 9781578203185 ; 157820318X
Subject(s): COMPUTER ARCHITECTURE | BUSINESS -- DATA PROCESSING | COMPUTER SECURITY
DDC classification: 005.8
Contents:
Foreword xiii
Preface xv
Acknowledgements xxi

Part 1: Introduction 1
  Security Architecture 2
  Chapter 1: The Meaning of Security 3
    The Cultural Legacy: Business Prevention 3
    Measuring and Prioritising Business Risk 4
    Information Security as the Enabler of Business 5
    Adding Value to the Core Product 10
    Empowering the Customers 12
    Protecting Relationships and Leveraging Trust 14
    To Summarise: What Does 'Security' Mean? 15
  Chapter 2: The Meaning of Architecture 17
    The Origins of Architecture 17
    Managing Complexity 18
    Information Systems Architecture 19
    Enterprise Security Architecture 23
    Why Architectures Sometimes Fail to Deliver Benefit - and How to Avoid that Fate 25
    Security Architecture Needs a Holistic Approach 29
    To Summarise: What Does Architecture Mean? 30
  Chapter 3: Security Architecture Model 33
    The SABSA® Model 33
    The Architect's View 37
    The Designer's View 38
    The Builder's View 39
    The Tradesman's View 39
    The Facilities Manager's View 40
    The Inspector's View 41
    The SABSA® Matrix 42
    Detailed SABSA® Matrix for the Operational Layer 43
    To Summarise: The Security Architecture Model 43
  Chapter 4: Case Study 45
    Intergalactic Banking and Financial Services Inc 45
    Interviews at IBFS 46
    To Summarise: IBFS Inc 54
  Chapter 5: A Systems Approach 55
    The Role of Systems Engineering 55
    Why a Systems Approach? 56
    What Does the Systems Approach Make You Do? 57
    The Need for Systems Engineering in Security Architectures 58
    Some Basic Concepts 59
    The Control System Concept 61
    Using the Systems Approach in Security Architecture 62
    Case Study 63
    Advanced Modelling Techniques 68
    To Summarise: A Systems Approach 77
  Chapter 6: Measuring Return on Investment in Security Architecture 79
    What Is Meant by 'Return on Investment'? 79
    Why Do You Need Metrics? 80
    The Security Management Dashboard 81
    The Balanced Scorecard Approach 83
    Business Drivers and Traceability 87
    Business Attributes and Metrics 91
    Setting Up a Metrics Framework 94
    Maturity Models Applied to Security Architecture 95
  Chapter 7: Using This Book as a Practical Guide 107
    Using the SABSA® Model to Define a Development Process 108
    Strategy and Concept Phase 109
    Design Phase 114
    Implementation Phase 128
    Manage and Measure Phase 129
    To Summarise: How to Use This Book as a Practical Guide 131
  Chapter 8: Managing the Security Architecture Programme 133
    Selling the Benefits of Security Architecture 135
    Getting Sponsorship and Budget 144
    Building the Team 145
    Getting Started: Fast Track™ Workshops 148
    Programme Planning and Management 151
    Collecting the Information You Need 152
    Getting Consensus on the Conceptual Architecture 157
    Architecture Governance and Compliance 158
    Architecture Maintenance 159
    Long-Term Confidence of Senior Management 160
    To Summarise: Managing the Security Architecture Programme 161

Part 2: Strategy and Planning 163
  Strategy and Planning 164
  Contextual Security Architecture 164
  Conceptual Security Architecture 164
  Chapter 9: Contextual Security Architecture 165
    Business Needs for Information Security 166
    Security As a Business Enabler 166
    Digital Business 169
    Operational Continuity and Stability 174
    Safety-Critical Dependencies 179
    Business Goals, Success Factors and Operational Risks 181
    Operational Risk Assessment 185
  Chapter 10: Conceptual Security Architecture 213
    Conceptual Thinking 214
    Business Attributes Profile 214
    Control Objectives 215
    Security Strategies and Architectural Layering 216
    Security Entity Model and Trust Framework 250
    Security Domain Model 261
    Security Lifetimes and Deadlines 271
    Assessing the Current State of your Security Architecture 279
    To Summarise: Conceptual Security Architecture 279

Part 3: Design 281
  Design 282
  Logical Security Architecture 282
  Physical Security Architecture 282
  Component Security Architecture 283
  Chapter 11: Logical Security Architecture 285
    Business Information Model 286
    Security Policies 288
    Security Services 290
    Entity Schema and Privilege Profiles 316
    Security Domain Definitions and Associations 319
    Security Processing Cycle 325
    Security Improvements Programme 325
    To Summarise: Logical Security Architecture 326
  Chapter 12: Physical Security Architecture 329
    Business Data Model 330
    Security Rules, Practices and Procedures 339
    Security Mechanisms 340
    User and Application Security 359
    Platform and Network Infrastructure Security 362
    Control Structure Execution 372
    To Summarise: Physical Security Architecture 373
  Chapter 13: Component Security Architecture 375
    Detailed Data Structures 375
    Security Standards 379
    Security Products and Tools 388
    Identities, Functions, Actions and ACLs 390
    Processes, Nodes, Addresses and Protocols 398
    Security Step-Timing and Sequencing 403
    To Summarise: Component Security Architecture 403

Part 4: Operations 405
  Operations 405
  Operational Security Architecture 405
  Style of Part 4 405
  Chapter 14: Security Policy Management 407
    The Meaning of Security Policy 407
    Structuring the Content of a Security Policy 408
    Policy Hierarchy and Architecture 409
    Corporate Security Policy 411
    Policy Principles 412
    Information Classification 414
    System Classification 415
    CA and RA Security Policies 417
    Application System Security Policies 418
    Platform Security Policies 420
    Network Security Policies 420
    Other Infrastructure Security Policies 421
    Security Organisation and Responsibilities 421
    Security Culture Development 425
    Outsourcing Strategy and Policy Management 427
    To Summarise 431
  Chapter 15: Operational Risk Management 433
    Introduction to Operational Risk Management 433
    Regulatory Drivers for Operational Risk Management 437
    The Complexity of Operational Risk Management 444
    Approaches to Risk Assessment 449
    Managing Operational Risk 453
    Risk Mitigation 464
    Risk-Based Security Reviews 465
    Risk Financing 474
    The Risk Management Dashboard 478
    To Summarise 480
  Chapter 16: Assurance Management 483
    Assurance of Operational Continuity 483
    Organisational Security Audits 485
    System Security Audits 490
    System Assurance Strategy 492
    Functional Testing 498
    Penetration Testing 505
    To Summarise 508
  Chapter 17: Security Administration and Operations 509
    Introduction to Security Management and Administration 510
    Managing the People 512
    Managing Physical and Environmental Security 515
    Managing ICT Operations and Support 516
    Access Control Management 536
    Compliance Management 540
    Security-Specific Operations 543
    Managed Security Services 544
    Product Evaluation and Selection 546
    Business Continuity Management 548
    To Summarise 554

Appendix A: List of Acronyms 559
Summary: Security is too important to be left to a single department or employee; it is a concern for the whole enterprise. Enterprise Security Architecture shows that having a comprehensive plan requires more than buying security software: it requires a framework for developing and maintaining a system that is proactive. The book is based on the layered SABSA framework. It provides a structured approach to the steps and processes involved in developing security architectures. It also considers how some of the major business issues likely to arise can be resolved.
Holdings:
  Item type: Book - general material
  Current location: Biblioteca Jorge Álvarez Lleras
  Collection: Colección / Fondo / Acervo / Resguardo
  Call number: 005.8 E611
  Copy: Ej. 1, copy number 1
  Status: Available
  Barcode: 023135
  Item holds: 0

Includes indexes.


