This book was produced in an attempt to understand today’s security environment and how the application of existing international standards and best practices can be used to assist in the protection of information systems and their associated software. It identifies a body of knowledge essential to acquire, develop, and sustain a secure information environment. Each chapter contains a list of related references, as well as recommendations for additional reading. Together, this book provides a foundation for developing further education and training curricula and products, as well as being useful to security practitioners, system administrators, managers, standards developers, evaluators, testers, and those wishing to be knowledgeable about the establishment and sustainment of a secure information environment.
The wild growth of the Internet is one of the most remarkable phenomena in human history. It is much more than just a medium for communication – it is the core of a global information infrastructure, which is influencing our culture at the same time as it insinuates itself into our daily lives. There are predictions that this phenomenon is changing everything from standards of literacy and monetary transactions, to the practice of medicine.
Almost every new development has opposing aspects. For example, the automobile has provided us with new means of effectively and quickly covering distance and moving goods. It has also created pollution, caused innumerable deaths through accident and misuse, and has created a dependency on limited fossil fuel.
The rapid development of the Internet is also not without its benefits and costs. The Internet is now an almost universal trade space for economic transactions, government decisions, and social interaction. At the same time, it is a largely unstructured terrain with few legal limitations and rules. The result has been a digital ‘wild, wild West’ with the Internet providing a fertile feeding ground for cyberwarriors, cyberterrorists, and cybercriminals.
Given that we might agree on the need to create some form of order in this Internet environment, the key question now is how? The imposition of law and regulation is one solution. The other may be a greater reliance on standards and best practices that allow for regularity and fairness in managing the broad issue of Internet regulation and structure without adversely affecting the Internet’s open architecture. The idea is to embrace the new information technology as a powerful positive agent for change without ignoring the dangers created by the deterministic nature of change.
I undertook the task of authoring this book to provide security practitioners, managers, engineers, as well as educators, trainers, and others with a companion to guide them through the challenge of using international standards to address security issues in an environment of cyberwarfare, cyberterrorism, and cybercrime.
The guiding principle behind this book was to straightforwardly provide a new context for addressing some of the broader challenges of security. It is not intended to provide detailed instructions for implementing technical security solutions – there are already sufficient works that provide this information. Rather, it is intended to encourage security professionals to look at the dangerous environment in which our information systems exist and to view the world of international standards and best practices as a resource for creating a culture of security within their organizations.
Driven by awareness of the rampant worldwide explosion in the exploitation of information system vulnerabilities and human frailty and naivety, demand is growing for means to improve the protection of these systems in both the defence and commercial sectors. Government and industry need standardized and consistent processes that effectively and efficiently acquire, develop, and sustain secure information systems; means to justify confidence in these processes and their products; and practitioners that are motivated, disciplined, and proficient in their execution.
Determining what level of knowledge to presume of the readers of this book took several twists and turns. Initially, I took the existence of several significant configuration and technical security guides as a starting point for establishing presumption of knowledge. My goal was to provide a new perspective, essential to ensure the protection of information systems, detection of exploitable vulnerabilities, and the rapid restoration of essential capability.
Fortunately, efforts to answer the question: ‘What are the standards and best practices relevant to achieving consistent security processes to address an environment of cyberwar, cyberterror, and cybercrime?’ benefited from a number of prior efforts and products. These will be found in the reference and further reading sections in each chapter.
In concert with the guiding principle that the book should simply provide a new perspective on the use of standards and best practices to persons already possessing good security engineering knowledge, I attempted to ensure adequate coverage of requisite knowledge areas in contributing disciplines to enable instructors and professionals from several disciplines, such as software engineering, systems engineering, project management, etc., to identify and acquire competencies associated with the identification and implementation of appropriate standards and best practices.
Finally, I would like to say that I have enjoyed authoring this book and thank all of the helpful people involved.
Dr Julie E. Mehan, PhD, CISSP