Effective Cybersecurity A Guide to

Using Best Practices and Standards 1st

Edition William Stallings
Visit to download the full and correct content document:
https://textbookfull.com/product/effective-cybersecurity-a-guide-to-using-best-practice
s-and-standards-1st-edition-william-stallings/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Network Security Essentials Applications and Standards

6th Edition William Stallings

https://textbookfull.com/product/network-security-essentials-
applications-and-standards-6th-edition-william-stallings/

Implementing Cybersecurity: A Guide to the National

Institute of Standards and Technology Risk Management
Framework 1st Edition Dan Shoemaker

https://textbookfull.com/product/implementing-cybersecurity-a-
guide-to-the-national-institute-of-standards-and-technology-risk-
management-framework-1st-edition-dan-shoemaker/

Computer Organization and Architecture 9th Edition

William Stallings

https://textbookfull.com/product/computer-organization-and-
architecture-9th-edition-william-stallings/

SAP Business Analytics A Best Practices Guide for

Implementing Business Analytics Using SAP 1st Edition
Sudipa Duttaroy (Auth.)

https://textbookfull.com/product/sap-business-analytics-a-best-
practices-guide-for-implementing-business-analytics-using-
sap-1st-edition-sudipa-duttaroy-auth/
Computer Security: Principles and Practice 4th Edition
William Stallings

https://textbookfull.com/product/computer-security-principles-
and-practice-4th-edition-william-stallings/

Cybersecurity Law, Standards And Regulations Tari

Schreider

https://textbookfull.com/product/cybersecurity-law-standards-and-
regulations-tari-schreider/

Guide to Food Safety and Quality during Transportation

Second Edition Controls Standards and Practices Ryan

https://textbookfull.com/product/guide-to-food-safety-and-
quality-during-transportation-second-edition-controls-standards-
and-practices-ryan/

Fundamentals of Software Architecture A Comprehensive

Guide to Patterns Characteristics and Best Practices
Neal Ford

https://textbookfull.com/product/fundamentals-of-software-
architecture-a-comprehensive-guide-to-patterns-characteristics-
and-best-practices-neal-ford/

Computer Organization and Architecture Designing for

Performance 10th Edition William Stallings

https://textbookfull.com/product/computer-organization-and-
architecture-designing-for-performance-10th-edition-william-
stallings/
About This E-Book
EPUB is an open, industry-standard format for e-books. However, support
for EPUB and its many features varies across reading devices and
applications. Use your device or app settings to customize the presentation
to your liking. Settings that you can customize often include font, font size,
single or double column, landscape or portrait mode, and figures that you
can click or tap to enlarge. For additional information about the settings and
features on your reading device or app, visit the device manufacturer’s Web
site.

Many titles include programming code or configuration examples. To

optimize the presentation of these elements, view the e-book in single-
column, landscape mode and adjust the font size to the smallest setting. In
addition to presenting code and configurations in the reflowable text format,
we have included images of the code that mimic the presentation found in
the print book; therefore, where the reflowable format may compromise the
presentation of the code listing, you will see a “Click here to view code
image” link. Click the link to view the print-fidelity code image. To return
to the previous page viewed, click the Back button on your device or app.
 Effective Cybersecurity
Understanding and Using Standards and Best
Practices

William Stallings

Upper Saddle River, NJ • Boston • San Francisco • New York

Toronto • Montreal • London • Munich • Paris • Madrid
Cape Town • Sydney • Tokyo • Singapore • Mexico City
Many of the designations used by manufacturers and sellers to distinguish their products are claimed
as trademarks. Where those designations appear in this book, and the publisher was aware of a
trademark claim, the designations have been printed with initial capital letters or in all capitals.
The author and publisher have taken care in the preparation of this book, but make no expressed or
implied warranty of any kind and assume no responsibility for errors or omissions. No liability is
assumed for incidental or consequential damages in connection with or arising out of the use of the
information or programs contained herein.
For information about buying this title in bulk quantities, or for special sales opportunities (which
may include electronic versions; custom cover designs; and content particular to your business,
training goals, marketing focus, or branding interests), please contact our corporate sales department
at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.
Visit us on the Web: informit.com/aw
Library of Congress Control Number: 2018941168
Copyright © 2019 Pearson Education, Inc.
All rights reserved. This publication is protected by copyright, and permission must be obtained from
the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in
any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For
information regarding permissions, request forms, and the appropriate contacts within the Pearson
Education Global Rights & Permissions Department, please visit www.pearsoned.com/permissions/.
ISBN-13: 978-0-13-477280-6
ISBN-10: 0-13-477280-6
1 18

Executive Editor
Brett Bartow

Development Editor
Marianne Bartow

Managing Editor
Sandra Schroeder

Senior Project Editor

Lori Lyons

Copy Editor
Kitty Wilson
Project Manager
Dhayanidhi Karunanidhi

Indexer
Ken Johnson

Proofreader
Jeanine Furino

Technical Reviewers
Akhil Behl
Michael Shannon

Cover Designer
Chuti Praertsith

Compositor
codemantra
To Tricia, my loving wife, the kindest and gentlest person.
Contents at a Glance
Preface
CHAPTER 1 Best Practices, Standards, and a Plan of Action

PART I PLANNING FOR CYBERSECURITY

CHAPTER 2 Security Governance
CHAPTER 3 Information Risk Assessment
CHAPTER 4 Security Management

PART II MANAGING THE CYBERSECURITY FUNCTION

CHAPTER 5 People Management
CHAPTER 6 Information Management
CHAPTER 7 Physical Asset Management
CHAPTER 8 System Development
CHAPTER 9 Business Application Management
CHAPTER 10 System Access
CHAPTER 11 System Management
CHAPTER 12 Networks and Communications
CHAPTER 13 Supply Chain Management and Cloud Security
CHAPTER 14 Technical Security Management
CHAPTER 15 Threat and Incident Management
CHAPTER 16 Local Environment Management
CHAPTER 17 Business Continuity

PART III SECURITY ASSESSMENT

CHAPTER 18 Security Monitoring and Improvement
 Appendix A: References and Standards
Appendix B: Glossary
Index

Appendix C (Online Only): Answers to Review Questions

You can find Appendix C at informit.com/title/9780134772806. Click the
Downloads tab to access the PDF file.
Table of Contents
Preface
Chapter 1: Best Practices, Standards, and a Plan of Action
1.1 Defining Cyberspace and Cybersecurity
1.2 The Value of Standards and Best Practices Documents
1.3 The Standard of Good Practice for Information Security
1.4 The ISO/IEC 27000 Suite of Information Security Standards
ISO 27001
ISO 27002
1.5 Mapping the ISO 27000 Series to the ISF SGP
1.6 NIST Cybersecurity Framework and Security Documents
NIST Cybersecurity Framework
NIST Security Documents
1.7 The CIS Critical Security Controls for Effective Cyber Defense
1.8 COBIT 5 for Information Security
1.9 Payment Card Industry Data Security Standard (PCI DSS)
1.10 ITU-T Security Documents
1.11 Effective Cybersecurity
The Cybersecurity Management Process
Using Best Practices and Standards Documents
1.12 Key Terms and Review Questions
Key Terms
Review Questions
1.13 References

Part I: Planning for Cybersecurity

Chapter 2: Security Governance
2.1 Security Governance and Security Management
2.2 Security Governance Principles and Desired Outcomes
Principles
Desired Outcomes
2.3 Security Governance Components
Strategic Planning
Organizational Structure
Roles and Responsibilities
Integration with Enterprise Architecture
Policies and Guidance
2.4 Security Governance Approach
Security Governance Framework
Security Direction
Responsible, Accountable, Consulted, and Informed (RACI)
Charts
2.5 Security Governance Evaluation
2.6 Security Governance Best Practices
2.7 Key Terms and Review Questions
Key Terms
Review Questions
2.8 References
Chapter 3: Information Risk Assessment
3.1 Risk Assessment Concepts
Risk Assessment Challenges
Risk Management
Structure of This Chapter
3.2 Asset Identification
Hardware Assets
Software Assets
 Information Assets
Business Assets
Asset Register
3.3 Threat Identification
The STRIDE Threat Model
Threat Types
Sources of Information
3.4 Control Identification
3.5 Vulnerability Identification
Vulnerability Categories
National Vulnerability Database and Common Vulnerability
Scoring System
3.6 Risk Assessment Approaches
Quantitative Versus Qualitative Risk Assessment
Simple Risk Analysis Worksheet
Factor Analysis of Information Risk
3.7 Likelihood Assessment
Estimating Threat Event Frequency
Estimating Vulnerability
Loss Event Frequency
3.8 Impact Assessment
Estimating the Primary Loss
Estimating the Secondary Loss
Business Impact Reference Table
3.9 Risk Determination
3.10 Risk Evaluation
3.11 Risk Treatment
Risk Reduction
Risk Retention
Risk Avoidance
 Risk Transfer
3.12 Risk Assessment Best Practices
3.13 Key Terms and Review Questions
Key Terms
Review Questions
3.14 References
Chapter 4: Security Management
4.1 The Security Management Function
Security Planning
Capital Planning
4.2 Security Policy
Security Policy Categories
Security Policy Document Content
Management Guidelines for Security Policies
Monitoring the Policy
4.3 Acceptable Use Policy
4.4 Security Management Best Practices
4.5 Key Terms and Review Questions
Key Terms
Review Questions
4.6 References

PART II: Managing the Cybersecurity Function

Chapter 5: People Management
5.1 Human Resource Security
Security in the Hiring Process
During Employment
Termination of Employment
5.2 Security Awareness and Education
 Security Awareness
Cybersecurity Essentials Program
Role-Based Training
Education and Certification
5.3 People Management Best Practices
5.4 Key Terms and Review Questions
Key Terms
Review Questions
5.5 References
Chapter 6: Information Management
6.1 Information Classification and Handling
Information Classification
Information Labeling
Information Handling
6.2 Privacy
Privacy Threats
Privacy Principles and Policies
Privacy Controls
6.3 Document and Records Management
Document Management
Records Management
6.4 Sensitive Physical Information
6.5 Information Management Best Practices
6.6 Key Terms and Review Questions
Key Terms
Review Questions
6.7 References
Chapter 7: Physical Asset Management
7.1 Hardware Life Cycle Management
 Planning
Acquisition
Deployment
Management
Disposition
7.2 Office Equipment
Threats and Vulnerabilities
Security Controls
Equipment Disposal
7.3 Industrial Control Systems
Differences Between IT Systems and Industrial Control
Systems
ICS Security
7.4 Mobile Device Security
Mobile Device Technology
Mobile Ecosystem
Vulnerabilities
Mobile Device Security Strategy
Resources for Mobile Device Security
7.5 Physical Asset Management Best Practices
7.6 Key Terms and Review Questions
Key Terms
Review Questions
7.7 References
Chapter 8: System Development
8.1 System Development Life Cycle
NIST SDLC Model
The SGP’s SDLC Model
DevOps
8.2 Incorporating Security into the SDLC
Initiation Phase
Development/Acquisition Phase
Implementation/Assessment Phase
Operations and Maintenance Phase
Disposal Phase
8.3 System Development Management
System Development Methodology
System Development Environments
Quality Assurance
8.4 System Development Best Practices
8.5 Key Terms and Review Questions
Key Terms
Review Questions
8.6 References
Chapter 9: Business Application Management
9.1 Application Management Concepts
Application Life Cycle Management
Application Portfolio Management
Application Performance Management
9.2 Corporate Business Application Security
Business Application Register
Business Application Protection
Browser-Based Application Protection
9.3 End User-Developed Applications (EUDAs)
Benefits of EUDAs
Risks of EUDAs
EUDA Security Framework
9.4 Business Application Management Best Practices
9.5 Key Terms and Review Questions
Key Terms
Review Questions
9.6 References
Chapter 10: System Access
10.1 System Access Concepts
Authorization
10.2 User Authentication
A Model for Electronic User Authentication
Means of Authentication
Multifactor Authentication
10.3 Password-Based Authentication
The Vulnerability of Passwords
The Use of Hashed Passwords
Password Cracking of User-Chosen Passwords
Password File Access Control
Password Selection
10.4 Possession-Based Authentication
Memory Cards
Smart Cards
Electronic Identity Cards
One-Time Password Device
Threats to Possession-Based Authentication
Security Controls for Possession-Based Authentication
10.5 Biometric Authentication
Criteria for Biometric Characteristics
Physical Characteristics Used in Biometric Applications
Operation of a Biometric Authentication System
Biometric Accuracy
 Threats to Biometric Authentication
Security Controls for Biometric Authentication
10.6 Risk Assessment for User Authentication
Authenticator Assurance Levels
Selecting an AAL
Choosing an Authentication Method
10.7 Access Control
Subjects, Objects, and Access Rights
Access Control Policies
Discretionary Access Control
Role-Based Access Control
Attribute-Based Access Control
Access Control Metrics
10.8 Customer Access
Customer Access Arrangements
Customer Contracts
Customer Connections
Protecting Customer Data
10.9 System Access Best Practices
10.10 Key Terms and Review Questions
Key Terms
Review Questions
10.11 References
Chapter 11: System Management
11.1 Server Configuration
Threats to Servers
Requirements for Server Security
11.2 Virtual Servers
Virtualization Alternatives
Register This Book
Register your copy of Effective Cybersecurity on the InformIT
site for convenient access to updates and/or corrections as they
become available. To start the registration process, go to
informit.com/register and log in or create an account. Enter the
product ISBN (9780134772806) and click Submit. Look on the
Registered Products tab for an Access Bonus Content link next to
this product, and follow that link to access any available bonus
materials. If you would like to be notified of exclusive offers on
new editions and updates, please check the box to receive email
from us.
Another random document with
no related content on Scribd:
 1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must, at
no additional cost, fee or expense to the user, provide a copy, a
means of exporting a copy, or a means of obtaining a copy upon
request, of the work in its original “Plain Vanilla ASCII” or other
form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,

performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or

providing access to or distributing Project Gutenberg™
electronic works provided that:

• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
 about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who

notifies you in writing (or by e-mail) within 30 days of receipt that
s/he does not agree to the terms of the full Project Gutenberg™
License. You must require such a user to return or destroy all
copies of the works possessed in a physical medium and
discontinue all use of and all access to other copies of Project
Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of

any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project

Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend

considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite
these efforts, Project Gutenberg™ electronic works, and the
medium on which they may be stored, may contain “Defects,”
such as, but not limited to, incomplete, inaccurate or corrupt
data, transcription errors, a copyright or other intellectual
property infringement, a defective or damaged disk or other
medium, a computer virus, or computer codes that damage or
cannot be read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES -

Except for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU
AGREE THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE,
STRICT LIABILITY, BREACH OF WARRANTY OR BREACH
OF CONTRACT EXCEPT THOSE PROVIDED IN PARAGRAPH
1.F.3. YOU AGREE THAT THE FOUNDATION, THE
TRADEMARK OWNER, AND ANY DISTRIBUTOR UNDER
THIS AGREEMENT WILL NOT BE LIABLE TO YOU FOR
ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE
OR INCIDENTAL DAMAGES EVEN IF YOU GIVE NOTICE OF
THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If

you discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person or
entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set

forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied

warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the

Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you do
or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission of

Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the

assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project

Gutenberg Literary Archive Foundation
The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status by
the Internal Revenue Service. The Foundation’s EIN or federal
tax identification number is 64-6221541. Contributions to the
Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500

West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact

Section 4. Information about Donations to

the Project Gutenberg Literary Archive
Foundation
Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws

regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or
determine the status of compliance for any particular state visit
www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states

where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot

make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current

donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.

Section 5. General Information About Project

Gutenberg™ electronic works
Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.

Project Gutenberg™ eBooks are often created from several

printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,

including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.