9780133545197 free download
This section covers topics that come up frequently in security technology planning, including defense in depth, single points of vulnerability, the need to minimize security burdens, and having realistic goals. Policy-based thinking permeates IT security, this book, and almost any IT security course.

It is crucial to have students understand policy-based implementation backwards and forwards. Exceptions are almost always necessary.

While they should be minimized, they should not be absolutely forbidden. The implementation of guidance for exception handling is critical because exceptions are inevitable but dangerous, so they must be tightly controlled and documented. Only some people should be allowed to request exceptions.

Even fewer people should be allowed to authorize exceptions. The requestor and approver should be different people. The exception must be carefully documented in terms of specifically what was done and who did each action.

Without proper documentation, it would be impossible to accurately identify who made the exception. An example of a dangerous exception would be a person approving his or her own budget or expenditures without oversight.

Oversight is a term for a group of tools for policy enforcement. Policy drives oversight: those involved in oversight must develop oversight plans based on specific policies. Promulgation is telling affected parties about policies and underscoring the vision behind them. Stinging employees is setting them up with the opportunity to follow or fail a policy and seeing what they do.

The benefits of stinging employees are that it raises awareness and that the results can be used to justify more money for IT security awareness training. If specific stings are repeated annually, they can also be used to indicate positive trends. Stings can create resentment if not handled well. They can also be seen as punishment rather than teaching unless employees understand why the sting is being done.

Security metrics are measurable indicators of security success. Periodic measurement is beneficial because it indicates whether a company is doing better or worse in implementing its policies. The purpose of auditing is to develop opinions on the health of controls, not to find punishable instances of noncompliance. Log files are information recorded in database form, and documentation is information recorded on forms or memos. The avoidance of compliance indicates a deliberate circumvention of security, which is dangerous.

Internal audits are done by an organization on itself; external audits are done by an outside firm. Periodic auditing is good because it allows a company to compare results over time. Unscheduled audits are done to try to identify those who are avoiding security without tipping them off about an upcoming audit.

Companies should install anonymous protected hotlines because oftentimes a coworker is the first person to discover a security violation. Anonymous protected hotlines help to minimize the fear of reprisal amongst informers.

This is important because some employees may be reluctant to speak for fear of reprisals. By providing an anonymous hotline for people to call and guaranteeing protection against reprisals, companies can maximize participation from employees.

General employee misbehavior should be taken as a red flag because in many cases of serious security violations, the perpetrator had a history of unacceptable overt behavior. Opportunity, pressure, and rationalization. Give an example of pressure not discussed in the text. An example of pressure not discussed in the text is peer pressure: an employee may be pressured by fellow employees to bypass security in order to accomplish a team goal. There is also the pressure of revenge.

Getting back at a company for perceived mistreatment is a pressure employees can feel after they have been disciplined. Rationalizations are important because people do not like to take actions they consider bad, since doing so would make them bad people. An example of rationalization: an employee takes customer PII home to work on it in a nonsecure environment because the work environment is too slow or restrictive to get the job done, and the company would rather have the work done sooner than later.

Again, the rationalization is that violating the rule will save the company time and money, as long as nothing happens. An employee can also rationalize that a risky action was done before, so it can be done again. Vulnerability testing means attacking your own system to find vulnerabilities before attackers do.

An attack is still an attack, no matter what the label. The contract should specify in detail what will be done and when it will be done. It must also hold the internal vulnerability tester blameless if damage occurs. In a testing firm, you should look for expertise, experience, and insurance against possible damage. Retesting is needed to confirm that the fixes were made. Why is it important to sanction violators? If violators are not sanctioned, there is no consequence to violating security protocols, and protocols will not be followed by employees.

A governance framework specifies how to do planning, implementation, and oversight. COSO focuses on corporate-level governance. CobiT focuses broadly on the governance of the IT function. The eight COSO components are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

If control activities are weak, all other control elements are unlikely to be effective. The delivery and support domain has the most control objectives. Why is CobiT strongly preferred by U.S. IT auditors? CobiT is strongly preferred by U.S. IT auditors. To specify what should be done to provide protection. List the 11 broad areas (you will have to look this up on the Internet).

Name another view and describe why it is good. Another view for IT security is that of a family practice doctor. By ensuring overall health of the company from the IT security perspective, the doctor enables a stronger and more efficient and effective organization.

Or one could view the IT security function like that of a priest, or view the whole situation as turning evil into good and providing a positive example for all to follow. It can also be seen as educating users and ultimately giving them the choice to choose.

A company has a resource XYZ. The company believes that an attack is likely to be successful about once in five years. A proposed countermeasure should cut the frequency of occurrence in half. How much should the company be willing to pay for the countermeasure?

Base Case. It also has an excellent collection of security-related white papers to help keep you current. In this project, you are going to look at some important security problems, investigate a security career, read a white paper, and look at one of several ready-made templates designed to help you write a good security policy for your business or organization. Open a Web browser and go to www. Click Resources, and Top 20 Critical Controls.

Take a screenshot. Click Resources and Additional Resources. Scroll down and click on the link labeled 20 Coolest Careers. Scroll down to the description of a career that interests you. Click Resources and Reading Room. Click Top 25 Papers Based on Views. Click on a paper that interests you. Return to the SANS. Click Resources and Security Policy Project. Click the link labeled Email Security Policy.

Scroll down and click the link labeled Download Email Policy Word doc. Open the e-mail policy document you just downloaded. In the Microsoft Word window, press Ctrl-H. Click on the Replace tab. Click Replace All. Take a screenshot of your new policy. Refog is one of the few GUI-based keyloggers that is completely free. Refog can stay completely hidden until you press the specific key sequence to recall the main window.

It can automatically load the keylogger and hide it from users. It also monitors programs, websites, chats, and can take screenshots. Note: You may have to disable your antivirus software to get Refog to work correctly.

However, this is good news because your antivirus would, in theory, keep someone else from loading a keylogger on your computer without your permission.


It is likely that students pursuing a career in the IT security industry will seek some type of certification. Offer more context: Increased Business Focus.

This edition includes more of a focus on the business applications of the concepts. The concepts, principles, and terminology have remained the same, but the implications of each topic are more focused on the business environment. These videos include IT security-related current news stories, technical demonstrations, conference presentations, commentary by industry leaders, historical background, and demonstrations of new security products.

Over 80 percent of the news articles in this book reference stories that have occurred since the prior edition was published. Show how it all connects : Comprehensive Framework. This framework works to help increase retention of the material by illustrating how topic areas relate to each other.

New to This Edition: Business Environment Focus. Expanded material on certifications: reviewers of the prior edition asked for more material related to IT security certifications. Previous edition: Corporate Computer Security, 3rd Edition.



