Preface


Increasing every day in frequency and sophistication, planned cyber attacks are impacting systems, data and user access at virtually every business and government organization. Whether accidentally triggered by users opening their daily e-mail, or a planned denial of service attack triggering a thousand zombie systems, IT management and corporate executives must be ready to respond, minimize and defeat threats to revenue generating and citizen facing operations. In many cases, the decision to protect information assets may materially impact agency or corporate budgets, previously planned investment and projected shareholder returns.

Edited by a senior IT executive with contributions from industry and government experts, this book is written for senior managers by senior managers. Avoiding technical jargon except when necessary, the book is organized into three primary sections of governance, architecture and technology. Each section provides extensive insights, including the legal, staffing, financial, communications, risk, management strategies and technical aspects of securing IT computing and communications systems. A decision framework is provided at the end of each chapter to assist in making the management trade-offs between investment, security, access and legal compliance. At the end of the book are reference lists of publicly available security related information sources.

Using the book's decision trade-off frameworks to make better decisions, executives and managers select which short-term and long-term investments and support activities are required to protect their computing infrastructures. Based on best practices from information assurance professionals and security consultants in government and industry, the unique decision trade-off frameworks describe processes, actions and budgets that effectively protect information and system access in a quickly changing and challenging world.

The Executive Overview discusses the "security as a process" concept that has gained recognition within the IT and security communities. Several topics reviewed include the new world of IT security, the continuously increasing value of information assets, and the security challenges and responsibilities facing executives and senior managers today.

Section I reviews the governance issues of IT security, including balancing employee privacy with information access, administrative security policies, legal exposures, risk management strategies and trusting trusted systems.

Section II introduces the architecture issues of IT security, starting with building a threat matrix. It then provides details on architecture alignment with service level agreements, constructing multilevel protection barriers, and revealing internal threats to IT security processes. The section also discusses disaster planning approaches.

Section III focuses on technology issues that intersect and support the issues of governance and architecture. Technology components comprise a large percentage of IT security investments, and executives need some understanding of how the technology is applied, how it functions and why it is so expensive to operate and maintain. This section reviews COTS software protections, data backup and restore, continuity planning, data obsolescence, biometrics, smartcards, and security penetration testing.

Reference Materials are provided as pointers to publicly available information security sources. As major legislative and technical standards are expected in the coming years, checking these sources for updates on a quarterly basis is prudent and beneficial.

Acknowledgments

Books on technology and security are team contributions from both the technical and managerial perspectives. Information Technology Security: Advice from the Experts has benefited from editorial review and contributions from numerous experts in the field, who gave generously of their time and knowledge. The following people have provided contributions to, or reviewed all or part of the manuscript: Robert L. Lowry, former Director of Computer Aided Design Services, TRW Inc.; Norman J. Schweitzer, Senior Manager, CATIA Inc.; Douglas Purvance, President & CEO, e-Global Trading Partners; John Whipple, Senior Project Manager, Dell Computer Inc.; Dorothy Nolan, President & CEO of Offix Inc.; Gordon Chastain, President & CEO, SPIN International; Timothy Slusser, CIO & Vice President, CSC Federal Sector; Kevin Kelley, Program Executive, PRIME Alliance; Aaron Phelps, Director of System Test & Operations; Ted Bream, Director for the MeF Project; John McKenna, Director of Systems Engineering Operations, PRIME Alliance Program; Stephen Proctor, Deputy Director, Infrastructure Engineering PRIME Alliance Program; Richard Feucht, Director of Security and Privacy Office, PRIME Alliance Program; and John Boelens, Director of Infrastructure Engineering, PRIME Alliance Program.

To these people and many others I may have failed to give credit to, your ideas, suggestions and guidance over the years have been of the highest value possible and are much appreciated. Any errors or omissions are of course my own. Please advise the author of errors via e-mail at IITSbook@aol.com and I will do my best to correct errata in subsequent versions of the book.

I must also express thanks to the four primary contributors to this book: Chrisan Herrod, Charles Rex IV, Clifton Poole, and Craig E. Kaucher. The quality of their content and responsiveness to deadlines were incredible, given the significant responsibilities they have in their normal duties at the National Defense University in the Washington DC area.

From a senior management perspective, the future of information technology security is equally frustrating and satisfying. Almost every day brings yet another series of reports and requirements detailing security breaches, software patches and system vulnerabilities. It is somewhat frustrating to both executive management and security professionals that whatever defenses are developed, purchased, installed or operated, over time they will be defeated by clever people and misapplied technology components.

However, every day that unauthorized people and intrusive attacks are kept out of information, systems, networks and buildings, and business operations continue without interruption, is professionally satisfying. The objective, of course, is to achieve 100% sustained success in protecting information, systems and networks, a difficult and challenging feat.

Wishing you constant success in protecting your information, network and systems assets 24 x 7.

Lawrence M. Oliva
Reston, Virginia
February 2004




Information Technology Security. Advice from Experts
ISBN: 1591402484
EAN: N/A
Year: 2004
Pages: 113
