Note: Page numbers followed by f or t indicate material in figures or tables respectively
A
acceptable use policy (AUP), 187, 188, 311
access control lists (ACLs), 215, 224, 321
access controls, 96, 213–220, 246–248, 272–274, 300–301, 320–321, 322, 345, 348–350
access rights, 214–216, 272–274, 300–301, 320–321, 348–349
accounting management, 272
ACLs. See access control lists
activity objects, 152
acts of congress, 22
administration management, 69
administrative safeguards, HIPAA, 32, 32t
Administrative Simplification, 31
AICPA. See American Institute of Certified Public Accountants
alternative controls, 186, 186f
American Institute of Certified Public Accountants (AICPA), 49, 87, 257, 303, 371
American National Standards Institute (ANSI), 369
annex A, 94
annual employee performance reviews, 197–198
annual security compliance audit, 67–68
ANSI. See American National Standards Institute
antivirus software, 109
application controls, 107
application encryption, 352t
Application Layer firewall, 78
application performance monitoring software, 348
applications, 107, 119, 148t, 150, 342, 343t
application server, 239
application software, 333, 344
application software patch management, 221, 352–353
application software vs. system software, 332–333
“Applying a Single Integrated Framework,” 83t
ARPA. See American Recovery and Reinvestment Act
Arthur Andersen firm, 27
assessments, 8
asset management, 95
assurance, 7
ASV. See Approved Scanning Vendor
attack execution, 279
attack planning, 279
attacks, 271
attack vector, 235
audit department Web site, 123, 162
audit finding, 166
audit frequency, 106
Auditing Standard No. 2, 28, 125
Auditing Standard No. 5, 28
Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), 87, 303
audit logs, 223
audit objective, 105
auditor certifications, 361
auditors, 87
audit report opinion, 166
audit validating compliance process, 144–146
AUP. See acceptable use policy
authentication, 215
authentication servers, 315
automated audit reporting tools and methodologies, 147–149
automated/computer-based tool, 146
availability, 216–218, 246, 247–248, 274
awareness, 156
B
background check, 194
backup encryption, 352t
backup image, 276
baseline configuration management, 149
baseline controls, 136, 136–138
BCPs. See business continuity plans
best practice documents, 150
blacklist, 268
BMIS. See Business Model for Information Security
breadth, 78
broadband, 314
business continuity management, 96, 174
business continuity plans (BCPs), 276, 340
business drivers, 185
business liability insurance, 135–136
business requirement analysis phase, 335
business view, 48
C
C&A. See certification and accreditation
CAATT. See computer assisted audit tools and techniques
CAG. See Consensus Audit Guidelines
California Consumer Privacy Act, 36–37
cancer, 258
CAP. See Certification and Accreditation Professional
card verification value (CVV) number, 208
CASP. See CompTIA Advanced Security Practitioner
CBK. See Common Body of Knowledge
CCB. See configuration control board
CCFP. See Certified Cyber Forensics Professional
CCSA. See Certification in Control Self-Assessment
cell relay WAN, 294t
certification and accreditation (C&A), 366–374
certification and accreditation for auditors, 369–374
Certification for Information Security, 366–369
Certification in Control Self-Assessment (CCSA), 371
Certification in Risk Management Assurance (CRMA), 372
Certified Financial Services Auditor (CFSA), 372
Certified Government Auditing Professional (CGAP), 371
Certified Information Security Manager (CISM), 374
Certified Information Systems Auditor (CISA), 361t, 370t, 373
Certified Information Systems Security Professional (CISSP), 361t
Certified in Risk and Information Systems and Control (CRISC), 374
Certified Internal Auditor (CIA), 370–371
Certified in the Governance of Enterprise IT (CGEIT), 374
Certified Public Accountants (CPAs), 257, 371
Cetera and Cambridge, 13
CEUs. See continuing education units
CFSA. See Certified Financial Services Auditor
CGAP. See Certified Government Auditing Professional
CGEIT. See Certified in the Governance of Enterprise IT
change management, 68, 151, 223–224, 244–246, 270, 295–296, 319–320
changing technology, 155
chief information officer (CIO), 80f
chief information security officers (CISOs), 46, 153
chief privacy officer (CPO), 110
Child Online Protection Act, 34
Children’s Internet Protection Act (CIPA), 34
Children’s Online Privacy Protection Act (COPPA), 39–40, 53
CIA certification. See Certified Internal Auditor certification
C-I-A triad. See confidentiality, integrity, and availability triad
CICA. See Canadian Institute of Chartered Accountants
CIO. See chief information officer
CIPA. See Children’s Internet Protection Act
ciphertext, 246
circuit switching WAN, 294t
circumstance, 167
CISA. See Certified Information Systems Auditor
Cisco VPN Monitor, 318t
CISM. See Certified Information Security Manager
CISOs. See chief information security officers
CISSP. See Certified Information Systems Security Professional
cleartext, 246
client based architecture, 343t
client/server architecture, 343t
client/server protocol, 315
cloud computing, 290
CMDB. See configuration management database
CMOS configuration. See complementary metal-oxide semiconductor configuration
coaxial cable, 237t
COBIT. See Control Objectives for Information and Related Technology
code of ethics, 364
CodePlex Remote Access Monitor, 318t
cold site, 339
Committee of Sponsoring Organizations (COSO), 28, 82, 111, 133, 222
Committee of Sponsoring Organizations (COSO) of the Treadway Commission, 28, 111
Common Vulnerabilities and Exposures (CVE), 115
communication protocol, 238
Communications Decency Act, 368
communication skills, 368
communications security, 96
compensating controls, 52, 136
competency, 363
complementary metal-oxide semiconductor (CMOS) configuration, 220
complexity, 321
compliance, 3, 10–12, 46–57, 66–70, 96, 175–176, 181–199, 203–225, 229–251, 255–282, 324t
components, 210f, 235–241, 236f, 261–269, 293–297, 311–317, 312f, 337–346, 337f
comprehensive security assessments, 67, 141–142
CompTIA. See Computing Technology Industry Association
CompTIA Advanced Security Practitioner (CASP), 368
CompTIA Project+ certification, 368
CompTIA Security+ certification, 367
computer assisted audit tools and techniques (CAATT), 146
computer performance, 148t
Computer Security Division (CSD) of NIST, 121
Computing Technology Industry Association (CompTIA), 366–367
confidentiality, 30, 216, 219–220, 246–247, 259
confidentiality agreement, 193–194
confidentiality, integrity, and availability (C-I-A) triad, 9–10, 29, 29f, 200–205, 201f, 215, 226–228, 250–253, 274–276, 323–326, 326t
configuration and change management, 69–70
configuration change control board, 149
configuration control board (CCB), 270
configuration management, 149, 150, 242–245, 271, 280–281, 346–347
configuration management database (CMDB), 150
configuration monitoring and auditing, 149, 150
configuration validation, 321–323
content analysis, 268
content keyword filtering, 268
continuing education units (CEUs), 368
continuous improvement, 153
control analysis process, 113
Control Objectives for Information and Related Technology (COBIT), 11, 47, 55, 82–87, 117, 131, 222
control recommendations process, 113
controls, 6, 7, 78, 97, 323, 324t
control self-assessments (CSAs), 371
control standards, 47
cooperative agreement, 339
coordinated attacks, 271
COPPA. See Children’s Online Privacy Protection Act
Corporate Accountability and Responsibility Act, 26
Corporate Fraud Accountability Act of 2002, 27
corrective controls, 109, 136, 250t, 324t, 340
corrective security control, 132
COSO. See Committee of Sponsoring Organizations
cost, 116
countermeasure gap analysis, 173–175
countermeasures, 151–153, 170–171
coverage, 152
“Covering the Enterprise End to End,” 83t
COVID-19 pandemic, 3, 198, 264, 265, 307
CPAs. See Certified Public Accountants
CPO. See chief privacy officer
credit card industry, 11
creditor, 24
CRISC. See Certified in Risk and Information Systems and Control
criteria, 167
Critical Security Controls, 52, 55t, 124–125
Critical Security Controls for Effective Cyber Defense, 124
CRMA. See Certification in Risk Management Assurance
cryptographic controls, 175
cryptography, 96
CSAs. See control self-assessments
CSD of NIST. See Computer Security Division of NIST
CSSLP. See Certified Secure Software Lifecycle Professional
CVE. See Common Vulnerabilities and Exposures
CVV number. See card verification value number
Cybersecurity and Data Protection Program (CDPP), 108t
D
DAC. See discretionary access control
database and drive encryption, 350–351, 352t
database encryption, 352t
database servers host data, 65
Datagram Transport Layer Security (DTLS), 302t
data isolation, 334
data leakage protection, 231–233
data leak security appliances, 268
data loss protection (DLP), 353
data loss security appliances, 268
data privacy protection, 207–208, 259f, 289–290, 290f, 310, 333
data-protection methods, 351
data storage devices, 342
decommission phase, 337
dedicated line/leased line WAN, 294t
demilitarized zone (DMZ), 63, 245, 260, 264f
Deming cycle, 94
denial of service (DoS) attack, 231, 243
deployment phase, 336
descriptive control framework, 78
detective controls, 5, 56, 109, 132, 192, 241, 248
detective security control, 132
developer testing phase, 336
devices, 209–214, 210f, 235–241, 261–269, 293–297, 311–317, 312f, 337–346, 337f
diesel generators, 340
disaster recovery plans (DRPs), 276, 338, 339, 339f
discretionary access control (DAC), 215, 224
distributed applications, 288, 289, 331, 344
distributed architectures, 288, 343t
documented IT security policies, 221–224, 249, 323, 324t, 354
DoD requirements. See U.S. Department of Defense requirements
Domain Name System (DNS), 65
Domains in the IT infrastructure, 59–60, 122–123, 134–137
DoS attack. See denial of service attack
DRPs. See disaster recovery plans
DTLS. See Datagram Transport Layer Security
dual-homed ISP connections, 274–275, 274f
dual routers/dual circuits, 301t
due care, 66
due diligence, 207
dynamic governance system, 85
E
effective risk-assessment process, 116
E-Government Act of 2002, 22
Electronic Communications Privacy Act of 2000, 50, 258
electronic PHI (ePHI), 31
electronic work papers, 125
employee background checks, 194–195
employees, 187, 194–195, 196–197, 365
employer-driven codes of conduct, 364–365
enabler goals, 84
“Enabling a Holistic Approach,” 83t
encryption, 216, 220, 234, 246, 260, 302, 322, 350–351, 352t
end-to-end governance system, 86–87
Enforcement Rule, 31
Enron Corporation, 26
enterprise risk management (ERM), 111, 133, 372
enumeration, 278
Environmental Protection Agency (EPA), 22
environmental security, 96
environment control, 338
EPA. See Environmental Protection Agency
ePHI. See electronic PHI
E-Rate discounts, 34
ERM. See enterprise risk management
Ethernet, 295
Ethernet MAN, 295
ethical behavior principles, 366
examination method, 8
external compliance, 11
external media, 247
F
Fair Credit Reporting Act (FCRA), 50, 194, 258
Family Educational Rights and Privacy Act (FERPA), 36
fault management, 272
FCC. See Federal Communications Commission
FCRA. See Fair Credit Reporting Act
FDA. See Food and Drug Administration
feasibility, 116
Federal Communications Commission (FCC), 22
Federal Information Processing Standards (FIPS), 121
Federal Information Security Management Act of 2002 (FISMA), 22–24
Federal Trade Commission (FTC), 22, 24
FERPA. See Family Educational Rights and Privacy Act
FFIEC guidance, 311
fiber optic cable, 236t
file encryption, 352t
file integrity checking, 142t
file server, 239
file system, 148t
financial audits, 166
Financial Modernization Act of 1999, 28
Financial Privacy Rule, 28, 29
finding, 166
fingerprinting, 221
FIPS. See Federal Information Processing Standards
fire-suppression equipment, 338
firewalls, 62, 78, 235, 262, 275–276
FISMA. See Federal Information Security Management Act of 2002
fixed hard disk drives, 213
flowcharting software, 125
folder/directory encryption, 352t
Food and Drug Administration (FDA), 22
footprinting, 278
FTC. See Federal Trade Commission
FUD (fear, uncertainty, and doubt), 367
G
G2700. See GIAC Certified ISO-2700 Specialist
GAIT. See Guide to the Assessment of IT Risk
gap analysis, 48, 136–138, 137f, 172, 173–175, 174t, 222
General Data Protection Regulation (GDPR), 21
Generally Accepted Privacy Principles (GAPP), 110t, 172, 173t
generators, 340
GIAC. See Global Information Assurance Certification
GIAC Certified ISO-2700 Specialist (G2700), 353
Glass-Steagall Act, 28
GLBA. See Gramm-Leach-Bliley Act
Global Technology Audit Guides (GTAGs), 370
governance distinct from management, 85–86
Gramm-Leach-Bliley Act (GLBA), 28–30, 46, 50
GRE. See Generic Routing Encapsulation
GSNA certification. See GIAC Systems and Network Auditor certification
GTAGs. See Global Technology Audit Guides
guests/third parties, 187
guidelines for control standards, 244–245
Guide to the Assessment of IT Risk (GAIT), 370
Guide to the Project Management Body of Knowledge, A (PMBOK), 106
H
halon, 338
hard disk drives, 213
HCISPP. See Healthcare Information Security and Privacy Practitioner
Health Insurance Portability and Accountability Act (HIPAA), 22, 30–33, 32t–33t, 41, 50, 150, 196, 213, 258, 308, 330
heating, ventilating, and air conditioning (HVAC) services, 338
HHS. See U.S. Department of Health and Human Services
high-impact system baseline control, 138
high-impact systems, 67
high-level security assessment, 67
high-speed internal LAN, 338
HIPAA. See Health Insurance Portability and Accountability Act
HITECH Act. See Health Information Technology for Economic and Clinical Health Act
holistic approach, 85
host based architecture, 343t
hot site, 339
HTTP. See Hypertext Transfer Protocol
HTTPS. See Hypertext Transfer Protocol Secure
human error and mistakes, 183–184
human resources (HR), 188, 313
human resource security, 95
HVAC services. See heating, ventilating, and air conditioning services
Hypertext Transfer Protocol (HTTP), 302t
I
identity theft, 24–25, 49, 258
IDS. See intrusion detection system
IEC. See International Electrotechnical Commission
IEEE. See Institute of Electrical and Electronics Engineers
IFAC. See International Federation of Accountants
IIA. See Institute of Internal Auditors
impact analysis process, 113
incident response management tools, WAN, 300
information assets, protection of, 373
information security (IS), 6–8, 173
information security incident management, 92t, 96
information security management system (ISMS), 90
information security policies, 95, 173
information security responsibilities, 173
Information Systems Audit and Control Association (ISACA), 82, 83, 109, 145, 173, 361, 362, 369, 370t, 371–373
Information Systems Security Accountability, 197–199
Information Systems Security Assessment Framework (ISSAF), 141
information systems types, 137
information system vs. information security compliance, 4–9
information technology (IT), 77
Information Technology Laboratory (ITL) Bulletins, 121
infrastructure controls, 107
insiders, 184
Institute of Electrical and Electronics Engineers (IEEE), 136
Institute of Internal Auditors (IIA), 4, 5, 81, 120, 361, 369–370, 369–372
integrated audits, 107
integrity, 31, 66, 207, 219, 247
intellectual property rights (IPRs), 175
Internal Auditor magazine, 369
internal penetration testing, 280
internal standards, 47
internal-to-external attack, 279–280
internal to external penetration test, 279–280
International Electrotechnical Commission (IEC), 90–96
International Information Systems Security Certification Consortium (ISC)², 361, 362, 366–367
International Organization for Standardization (ISO), 89–96, 272
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002 standard, 139
International Professional Practices Framework (IPPF), 369
International Telecommunication Union Telecommunication Standardization Sector (ITU-T), 272
Internet AUPs, 188
internet economy, 19
internet-facing components, 273, 348
Internet Protocol (IP) addresses, 62
Internet Protocol Security (IPSec), 302t
Internet service providers (ISPs), 265–266, 266f, 315, 316–317
interview method, 8
in the clear, 247
intrusion detection system (IDS), 244
intrusion prevention system (IPS), 244
intrusive testing, 280
IP addresses. See Internet Protocol addresses
IPPF. See International Professional Practices Framework
IPS. See intrusion prevention system
IPSec. See Internet Protocol Security
IRM. See information resource management
IRS. See U.S. Internal Revenue Service
ISACA. See Information Systems Audit and Control Association
ISMS. See information security management system
ISO. See International Organization for Standardization
ISO 27002, 96
ISO/IEC 27000, 90, 91t–92t, 93
ISO/IEC 27002, 95–96, 118, 139
ISO/IEC JTC1, 90
ISO technical committee, 90
ISPs. See Internet service providers
ISSA. See Information Systems Security Association
ISSAF. See Information Systems Security Assessment Framework
IT. See information technology
ITAF. See Information Technology Assurance Framework
IT asset AUP, 188
IT audit process, 196, 196t, 373
ITGI. See Information Technology Governance Institute
IT Governance Institute, 83
IT infrastructure, 119, 175–176, 257f
IT infrastructure audit, 57–66, 138–139, 153–155
IT infrastructure domains, 59–60, 122–123, 134–135
ITL Bulletins. See Information Technology Laboratory Bulletins
IT security assessment, 6–7, 111–117
IT security policy, 118
IT security policy framework, 68–69, 69f, 118–119, 122–123
IT universe, 123
ITU-T. See International Telecommunication Union Telecommunication Standardization Sector
K
Kerberos, 241
L
LAN Domain, 61–62, 229–251, 232f
LAN Domain business drivers, 230–235
LAN-to-WAN Domain, 57, 62–63, 255–282, 289f
laptop computers, 211, 313–314
layered audit approach, 139
layered protocols, 296
layered security, 116
Layer 2 switches, 295
Layer 3 switches, 295
Layer 2 Tunneling Protocol (L2TP), 302t
leadership, 94
likelihood determination process, 113
local area network (LAN), 57, 213, 239–240
local printer, 212
local resource, 209
logons, 350
log review, 142t
logs, 147
M
MAC. See mandatory access control; Media Access Control
mainframe computers, 341
maintenance phase, 336
maintenance procedures, 155
malware, 219
management controls, 107
management tools and systems, 299
mandatory access control (MAC), 215
mandatory vacation, 156
MANs. See metropolitan area networks
mechanism objects, 152
Media Access Control (MAC), 224, 295
Media Access Control (MAC) address, 295
media storage plan, 218
“Meeting Stakeholder Needs,” 83f
metro Ethernet, 295
metropolitan area networks (MANs), 295
microcomputers, 341
minicomputers, 341
misconfigurations, 149
mission-critical data centers, 340
MITRE Corporation, 115
mixed WANs, 299
motivations, 115t
MPLS. See Multiprotocol Label Switching
N
NAC. See Network Access Control
NAT. See network address translation
National Checklist Program (NCP), 112
National Do Not Call Registry, 50
National Institute of Standards and Technology (NIST), 7, 11, 22–24, 53, 63, 96, 98, 99, 107, 131, 137, 345
NCP. See National Checklist Program
NDA. See non-disclosure agreement
need to know basis, 38
Network Access Control (NAC), 273–274, 349, 350
Network Address Translation (NAT), 265–266
network configuration management process, 281, 323
network device, 150
network discovery, 143t
network documentation, 119
networking devices, 235
networking services software, 240–241
Network Layer firewall, 78
network management tools, 272
network operating system (NOS), 240
network performance, 148t
network port and service identification, 143t
network server and service devices, 239–240
network sniffing, 142t
network traffic monitoring device, 269
New York Stock Exchange (NYSE), 364
NIST. See National Institute of Standards and Technology
NIST 800-30, 113
NIST 800-115, 142
NIST 800-53A, 96
NIST Internal Reports (NISTIR), 121
NISTIR. See NIST Internal Reports
NIST Special Publication 800-18, 23
NIST Special Publication 800-30, 23
NIST Special Publication 800-37, 24
NIST Special Publication 800-39, 24
NIST Special Publication 800-53, 8, 24, 124
NIST Special Publication 800-59, 24
NIST Special Publication 800-53A, 24
NMPs. See network monitoring platforms
non-disclosure agreement (NDA), 193
nongovernmental organizations, 215
nonintrusive testing, 280
noninvasive techniques, 142
nonrepudiation, 315
normative references, ISO/IEC 27001, 93
O
objectives, 7
objectivity, 362
Office of Management and Budget (OMB), 24
ongoing assessment process, 67
open issue tracking software, 125
Open Source Security Testing Methodology Manual (OSSTMM), 141
Open Systems Interconnection (OSI) reference model, 295, 296f, 315
operating system, 150
operating system patch management, 221, 351
operations security, 96
optimization tools, 299
organizational policies, 47
organizational records, 175
organizational security policy framework, 138
organization-driven codes of conduct, 364–365
organization of information security, 95
organization-wide baseline, 133–134
OSI reference model. See Open Systems Interconnection reference model
OSSTMM. See Open Source Security Testing Methodology Manual
owner, 215
P
packet-filtering firewall, 262
packet sniffer, 241
packet switching WAN, 294t
PA-DSS. See Payment Application Data Security Standard
password cracking, 144t
Payment Card Industry (PCI), 309
Payment Card Industry Data Security Standard (PCI DSS), 14, 39t, 175, 176t, 208, 268, 373
PCAOB. See Public Company Accounting Oversight Board
PCAOB Auditing Standard. See Public Company Accounting Oversight Board Auditing Standard
PCI. See Payment Card Industry
PCI DSS. See Payment Card Industry Data Security Standard
PDCA approach. See plan-do-check-act approach
penetration tests, 9, 48, 141, 144t, 277, 279, 280, 282, 304, 324t
pentester, 278
performance management, 272
performance monitoring, 241–242, 269–270, 298, 318–319
permissions, 215
personal identification number (PIN), 138
personal information, 175
Personal Information Protection and Electronic Documents Act (PIPEDA), 259
personally identifiable information (PII), 28, 92t, 108t, 109
PHI. See protected health information
physical access controls, 337
physical safeguards, HIPAA, 33, 33t
physical security, 138
PII. See personally identifiable information
PIN. See personal identification number
PIPEDA. See Personal Information Protection and Electronic Documents Act
plan-do-check-act (PDCA) approach, 94
Point-to-Point Tunneling Protocol (PPTP), 302t
power generator, 340
PPTP. See Point-to-Point Tunneling Protocol
preproduction security assessment, 67
prescriptive control framework, 78
pretexting, 29
preventive controls, 241, 250t, 324t
preventive security control, 132
principle of least privilege, 68, 119, 193, 199, 271
printer, 212
print server, 240
Privacy Act of 1974, 258
privacy data protection, 49–51, 109–110, 172–173, 186–187, 207–208
privacy management, 49
privacy obligation, 257
privacy officer, 49
Privacy Rule, 31
procedure, 69
professional associations and certifications, 360–362
project management, 106
project management software, 207
project plan, 125
protected health information (PHI), 31, 331
protocols, 238
provide stakeholder value, 84
Public Company Accounting Oversight Board (PCAOB), 26, 125
Public Company Account Reform and Investor Protection Act, 26
Q
Qualified Security Assessor (QSA), 38, 373
quality assurance (QA), 347
quantitative risk analysis, 116
R
rack system, 338
RADIUS. See Remote Authentication Dial In User Service
reconnaissance, 278
recovery strategy, 218
redundancy, 297, 334, 339–340, 339f
regulatory acts of Congress, 22
regulatory agencies, 22
regulatory compliance, 12
remote access, 314–315, 317–320, 318t
remote access business drivers, 308–310
Remote Access Domain, 58, 307–325, 322f
Remote Authentication Dial In User Service (RADIUS), 315
remote connection process, 314–315
remote service, 259f
remote users, 322
removable media, 350
removable storage devices, 214
resistance, 154
resources, 154
responsibilities assignment, 155
restore plan, 218
results documentation process, 113
risk, 6
risk appetite, 133
risk assessment, 67, 107, 112, 114, 116–117
risk-based approach, 6, 23, 135
risk determination process, 113
risk identification, 112
Risk IT, 372
risk management, 9, 55, 81, 107–109, 125
risk management approach, 131
risk management strategies, 135f
risk mitigation, 112
risk-mitigation strategies, 136
risk monitoring, 112
risk response, 111
risk tolerance, 133
RMF. See risk management framework
rootkit, 219
rotation of duties, 156
round robin method, 275
router, 235
ruleset review, 142t
S
SAQ. See self-assessment questionnaire
Sarbanes-Oxley (SOX) Act, 22, 26–28, 87, 196, 303, 344
SAS 70. See Statement on Auditing Standards 70: Service Organizations
SB1386, 258
scanning, 278
SCM. See security configuration management; software configuration management
scope creep, 105
screening, 156
SEC. See Securities and Exchange Commission
Secure Sockets Layer (SSL), 302t
Secure Sockets Layer/Transport Layer Security (SSL/TLS), 302t
Secure Socket Tunneling Protocol (SSTP), 302t
secure VPNs, 302
Securities and Exchange Commission (SEC), 13, 22
security assessments, 67, 140–144, 167–170
security assessment techniques, 144
security baseline, 116–117, 131–138
security compliance audit, 67–68
security configuration management (SCM), 149
security controls, 6, 51–53, 55t, 68, 107–109, 117, 121, 124, 132–133, 170–171, 173–175, 174f, 187, 208, 234–235, 260–261, 292, 310–311, 333–334
security guidelines, 221–224, 249, 281, 303, 323, 354
security incident management, 174
security management, 272
security operation policies, 155
security operations, 69, 155–156
security policies, 118–119, 122–123, 172, 221–224, 249, 281
security policy framework, 118–119
security procedures, 221–224, 249, 281
security-related activities, 197
Security Rule, 31
security standards, 221–224, 249, 281
security training, 197
segregation of duties (SOD), 156
self-assessment questionnaire (SAQ), 38
separation of duties, 189–190, 189t, 190f
Server Message Block (SMB), 321
service account, 349
service audit reports, 87–88, 89t
service identification, network port and, 143t
service level agreements (SLAs), 297, 301, 339
Service Organization Control (SOC) reports, 87–88, 89t, 303
service organizations, 87
Shewhart cycle, 94
shielded twisted pair (STP) cable, 237t
Simple Network Management Protocol (SNMP), 318, 318t
single points of failure, 274–276, 304
single router, 301t
single router with backup, 301t
SLAs. See service level agreements
SMSP. See Social Media Security Professional
SNMP. See Simple Network Management Protocol
social engineering, 29, 50, 115t, 183
Social Security number (SSN), 49
SOC reports. See Service Organization Control reports
SoftSea Remote Access Monitor, 318t
software configuration management (SCM), 346–347
software-defined WAN (SD-WAN), 291–292
software design phase, 335
software development and maintenance, 346–347
software development life cycle (SDLC), 334–337
software development phase, 336
source code, 344
SOX Act. See Sarbanes-Oxley Act
Special Publications from NIST, 121, 122, 124
specification object, 152
spyware, 219
SSCP. See Systems Security Certified Practitioner
SSL/TLS. See Secure Sockets Layer/Transport Layer Security
SSN. See Social Security number
SSTP. See Secure Socket Tunneling Protocol
standard control framework, 80
standards vs. frameworks, 76–77, 77t
Statement on Auditing Standards 70: Service Organizations (SAS 70), 88, 303
Statement on Standards for Attestation Engagements No. 16 (SSAE 16), 85
storage area network (SAN), 342
STP cable. See shielded twisted pair cable
subject, 215
subnets, 334
surge protection, 210
switch, 235
SysAdmin, Auditing, Network, Security (SANS) Institute, 52
system administrators, 191–193
System/Application Domain, 58, 65–66, 329–355, 332f
system characterization process, 113
system security plan, 23
system software, 332
T
tablet devices, 211
TACACS+. See Terminal Access Controller Access-Control System Plus
tailored to enterprise needs, 86
target vulnerability validation techniques, 144t
TCP/IP. See Transmission Control Protocol/Internet Protocol
TCP/IP reference model, 295
TDE. See Transparent Data Encryption
technical controls, 108
technical safeguards, HIPAA, 33, 33t
temporary behavior, 154
Terminal Access Controller Access-Control System Plus (TACACS+), 315
testing and quality assurance (QA), 347
testing security controls, 277
test method, 8
threat identification, 114
threat likelihood, 157, 158t, 159
threat statement, 168
threat vs. vulnerability vs. risk, 113–114
three lines of defense, 133, 134
time, 154
TLS. See Transport Layer Security
TLS VPN Remote Access, 322–323
traffic-monitoring devices, 269
training, 156
Transmission Control Protocol (TCP), 315
Transmission Control Protocol/Internet Protocol (TCP/IP), 141, 295, 315
Transmission Control Protocol/Internet Protocol (TCP/IP) reference model, 295, 296f, 315
transmission encryption, 247
Transparent Data Encryption (TDE), 352t
Transport Layer Security (TLS), 322
triple constraint, 106
TTR. See time to recover
two-factor authentication, 64, 216
Type I authentication (what you know), 215
Type II authentication (what you have), 215
Type III authentication (what you are), 215
Type 1 report, 88
Type 2 report, 88
U
UDP. See User Datagram Protocol
unauthorized systems and software, 149
uninterruptible power supply (UPS), 209–210, 217, 340
universal serial bus (USB) drive, 214
unshielded twisted pair (UTP) cable, 237t
UPS. See uninterruptible power supply
URL filter, 268
USB drive. See universal serial bus drive
User Datagram Protocol (UDP), 315
User Domain, 59–60, 112, 181–200
User Domain best practices, 199
User Domain business drivers, 182
user entities, 87
users, 148t
UTP cable. See unshielded twisted pair cable
V
vendor-neutral certifications, 367
virtual machines, 341
virtual private networks (VPNs), 64, 240, 264–265, 294t, 295, 302, 302t, 316, 318t, 320–321
virus, 219
volume/drive encryption, 352t
VPNs. See virtual private networks
vulnerabilities, 114, 149, 167–170
vulnerability analysis, 114–116, 144–146
vulnerability identification process, 113, 278
W
WAN access device, 298
WAN account, 299
WAN Domain, 57, 63, 287–304, 289f
WAN optimization device, 299
WAN optimizers, 298
WAN service providers, 293–294, 294t, 303
warm site, 339
web application, 15
web content filtering device, 268–269
WEP. See Wired Equivalent Privacy
wide area network (WAN), 57
wide area network (WAN) service provider, 255, 316–317
wired LAN connections, 236
wireless LAN connections, 236–239
wireless local area network (WLAN), 213
wireless scanning, 143t
WLAN. See wireless local area network
Workstation Domain, 57, 60–61, 203–225, 205f
workstation image, 206
workstation security, 208, 209
workstation vulnerability management, 220–221
WorldCom, 26
worm, 219
Z
zero-day vulnerability, 220