Information Security Architecture

An Integrated Approach to Security in the Organization

Jan Killmeyer Tudor

Publisher: Auerbach, 2000, 368 pages

ISBN: 0-8493-9988-2

Keywords: IT Security, Information Security

Last modified: May 24, 2021, 3:04 p.m.

Organizations need assistance in developing and implementing a comprehensive and flexible enterprise-wide information security architecture (ISA) to protect the confidentiality, integrity, and availability of their information and system resources from the growing threats to information security.

Information Security Architecture provides an understanding of the requirements for a strategic plan for security within the organization. It then details the five key components of an information security architecture — organization and infrastructure, policies and procedures, security baselines of system components, security awareness and training, and compliance — and provides step-by-step guidance on how to analyze, develop, and implement a logical and effective program that obtains the security objectives of the organization.

Information Security Architecture shows you how to combine practical and cost-effective technical solutions with sound management practices to:

  • Safeguard sensitive, critical, and proprietary information from unauthorized access, disclosure, or modification
  • Protect information systems and supporting computer resources from loss, damage, or destruction
  • Provide organizational management with reasonable assurance as to the integrity, confidentiality, and availability of information assets and computing resources
  • Recognize and adopt all federal and state regulations concerning the confidentiality of an industry's critical information

Table of Contents

  • Executive Summary
  1. Information Security Architecture
    • Why an Architecture?
    • Summary
    • Getting Started
  2. Security Organization and Infrastructure
    • The Security Organization
    • The Executive Committee for Security
    • Centralized versus Decentralized Security Administration
    • Risk-Based Approach to Classifying Resources
    • Levels of Classifications
    • Summary
    • Getting Started
  3. Security Policies, Standards, and Procedures
    • The Information Security Policy
    • Information Security Acknowledgement Form
    • Network Computing Policy
    • Security Standards
    • Standards Organizations
    • Security Procedures
    • Summary
    • Getting Started
  4. Security Baselines and Risk Assessments
    • Information Security Assessment: A Phased Approach
    • High-Level Security Assessment
    • Security Operations
    • Computer Operations
    • Application Controls Assessments
    • Summary
  5. Security Awareness and Training Program
    • Program Objectives
    • Program Considerations
    • Summary
    • Getting Started
  6. Compliance
    • Level One Compliance: The Component Owner
    • Level Two Compliance: The Audit Function
    • Level Three Compliance: The Security Team
    • Line of Business Security Plan
    • Enterprise Management Tools
    • Summary
  7. Pitfalls to an Effective ISA Program
    • Lack of a Project Sponsor and Executive Management Support
    • Executive Management's Lack of Understanding of Realistic Risk
    • Lack of Resources
    • The Impact of Mergers and Acquisitions on Disparate Systems
    • Independent Operations throughout Business Units
    • Discord between Mainframe versus Distributed Computing Cultures
    • Fostering Trust in the Organization
    • Mom-and-Pop Shop Beginnings
    • Third-Party and Remote Network Management
    • The Rate of Change in Technology
    • Summary
    • Getting Started
  8. Security Technology
    • Encryption
    • Public Key Infrastructures
    • Firewalls
    • Virtual Private Networks
    • One-Time Passwords and Smart Cards
    • Remote Access Servers
    • Biometrics
    • Summary
  9. Conclusion
  • Appendices
    1. Sample Security Policies and Procedures
      1. The Information Security Policy
      2. Information Security Acknowledgment Form
      3. Network Usage Policy
      4. Internet Policy
      5. Security Standards and Procedures Table of Contents
      6. Anti-virus Update Procedures
    2. Sample Security Assessment Workplans
      1. Information Security Assessment Workplan
      2. Application Controls Assessment Workplan
      3. Network Security Assessment Workplan
      4. Windows NT Assessment Workplan
      5. Telecommunications Security Assessment Workplan
    3. Sample Compliance Plans
      1. Sample Computer Incident Response Plan
      2. Sample Line of Business Security Plan

Reviews

Information Security Architecture

Reviewed by Roland Buresund

OK ***** (5 out of 10)

Last modified: May 21, 2007, 3:06 a.m.

This is a book that has a hard time trying to decide whether to be about information security, security organizations, security technology, policies, risk assessments, etc. Of course, that is life for anyone in the security field, but reading about life in the security field, without it being acknowledged as such, doesn't help the practitioner (as s/he already knows most of these facts) or the student/beginner (as s/he doesn't understand the finer points unless they are explicitly written on their noses).

There is nothing wrong with the contents, but it falls a bit short of being the integrated approach that the author claims it to be.

You can safely skip it.
