Information Assurance for the Enterprise: A Roadmap to Information Security

Corey Schou
Idaho State University

Dan Shoemaker
University of Detroit Mercy

McGraw-Hill Irwin
Boston  Burr Ridge, IL  Dubuque, IA  Madison, WI  New York  San Francisco  St. Louis
Bangkok  Bogotá  Caracas  Kuala Lumpur  Lisbon  London  Madrid  Mexico City
Milan  Montreal  New Delhi  Santiago  Seoul  Singapore  Sydney  Taipei  Toronto
INFORMATION ASSURANCE FOR THE ENTERPRISE:
A ROADMAP TO INFORMATION SECURITY
Published by McGraw-Hill/Irwin, a business unit of The McGraw-Hill Companies, Inc., 1221
Avenue of the Americas, New York, NY, 10020. Copyright © 2007 by The McGraw-Hill Companies,
Inc. All rights reserved. No part of this publication may be reproduced or distributed in any
form or by any means, or stored in a database or retrieval system, without the prior written
consent of The McGraw-Hill Companies, Inc., including, but not limited to, in any network
or other electronic storage or transmission, or broadcast for distance learning.
Some ancillaries, including electronic and print components, may not be available to customers
outside the United States.
This book is printed on acid-free paper.
1 2 3 4 5 6 7 8 9 0 DOC/DOC 0 9 8 7 6

ISBN: 978-0-07-225524-9
MHID: 0-07-225524-2

Editorial director: Brent Gordon
Executive editor: Paul Ducham
Editorial coordinator: Alaina Grayson
Marketing manager: Rhonda Seelinger
Project manager: Jim Labeots
Production supervisor: Gina Hangos
Senior designer: Artemio Ortiz Jr.
Lead media project manager: Cathy L. Tepper
Cover design: Artemio Ortiz Jr.
Typeface: 10/12 Giovanni
Compositor: International Typesetting and Composition
Printer: R. R. Donnelley

Library of Congress Cataloging-in-Publication Data

Schou, Corey.
Information assurance for the enterprise: a roadmap to information security / Corey Schou,
Dan Shoemaker.
p. cm.
ISBN-13: 978-0-07-225524-9 (alk. paper)
ISBN-10: 0-07-225524-2 (alk. paper)
1. Computer security. 2. Data protection. I. Shoemaker, Dan. II. Title.
QA76.9.A25S3523 2007
005.8-dc22
2006048178
www.mhhe.com
Corey D. Schou, Ph.D., is first and foremost a teacher. He is a professor of Computer
Information Systems, an Associate Dean in the College of Business, the University Professor
of Informatics, and director of the Informatics Research Institute at Idaho State
University. In his nearly 40-year career, he has taught collegiate courses in areas ranging
from comparative anatomy and biology to international law and compilers. He currently
heads the congressionally funded National Information Assurance Training and Education
Center (NIATEC), which supports solving Critical Information Infrastructure problems in
the United States.

Dr. Schou is an internationally recognized expert in information assurance, and travels
the globe consulting and speaking to industry, government, and academic leaders. He has
more than 30 years' experience in computer science, information systems, and information
assurance, yielding over 400 publications, books, and articles. As part of his research
stream, he has developed systems for integrated group decision support, training management
systems, and instructional design.

Twenty years ago, he developed the eDACUM process that has been used to develop
the major information assurance standards used by both industry and the United
States government, including NIST, CNSS, and NSA. Throughout his career, he has
been an active consultant to major organizations such as the United States Senate,
Federal Express, Apple, General Motors, United Airlines, Microsoft, Boeing, Depart-
ment of Energy, and the Department of State.

He is a founder of The Colloquium for Information Systems Security Education (CISSE),
the first non-government recipient of the Federal Information Systems Security Educators
Award, and the recipient of the highly prestigious Tipton Award in Computer Security.
Professor Schou has also received several awards from his university recognizing not only
his research, but his service to the profession.

A dedicated inventor and systems developer who is constantly manipulating ideas—as
well as flint—he is currently working with colleagues on an artificial intelligence project
to classify Native American arrowheads.

He is an active member of many professional organizations and is an avid traveler.
Most importantly, he is dedicated to his family, who have remained patient throughout
his professional journey.

Dan Shoemaker, Ph.D., is the Director of the Centre for Assurance Studies, a National
Security Agency (NSA) Center of Academic Excellence in Information Assurance
Education at the University of Detroit Mercy, where he is a professor and has been the
Chair of the Computer and Information Systems Program since 1985. His Ph.D. is from the
University of Michigan in Ann Arbor, and he has held various professional IS roles at
that institution, as well as at Michigan State University. His two books, “Engineering a
Better Software Organization” and “GOT-IT: Fine Tuning Your Software Organization”, sold
extensively to the U.S. military as well as overseas.

Serving as an expert panelist on three national working groups within the Department
of Homeland Security's Cybersecurity Division, Dr. Shoemaker is an author and one of
three domain editors for the Software Assurance Common Body of Knowledge. He also
serves on the Assurance Business Case Working Group and the Workforce Education
and Training Working Group.

Lectures on cybersecurity, information assurance, and topics related to software engineering
have taken Dr. Shoemaker throughout the United States and Canada. He founded the
International Cybersecurity Education Coalition (ICSEC), connecting higher education
institutions located in Michigan, Ohio, and Indiana. ICSEC's mission is to extend and
support the teaching of standard information assurance curricula within the Midwest.

Dr. Shoemaker has been a formal U.S. partner of the British Standards Institution (BSI)
since 1994, and he has worked with the recently released ISO/IEC 27000 International
Standard Series for Information Security since its inception in 1995. In addition,
Dr. Shoemaker is a member of the advisory panel for Automation Alley, a designated
academic advocate for the Information Systems Audit and Control Association (ISACA),
and he teaches a COBIT-based Sarbanes-Oxley audit to managers up and down the Big
Three's automotive supply chain in Detroit.

Dr. Shoemaker loves to travel with his wife, his little white dog, and any of his four
grown children who might be willing to come along. He has a particular fondness for
England, where he attended school in his youth and he always spends some of his sum-
mers in London.
Preface

Chapter 1 Knowing What to Secure
Chapter 2 Assessing Risks
Chapter 3 Security Policy
Chapter 4 Building and Documenting an Information Assurance Framework
Chapter 5 Maintaining Security of Operations
Chapter 6 Ensuring Controlled Access
Chapter 7 Personnel Security
Chapter 8 Physical Security
Chapter 9 Assuring Against Software Vulnerabilities
Chapter 10 Continuity Planning and Disaster Recovery
Chapter 11 Laws, Regulations, and Crime
Chapter 12 Network Security Basics: Malware and Attacks
Chapter 13 Cryptology
Chapter 14 Ensuring the Secure Use of Software
Chapter 15 Human Factors: Ensuring Secure Performance
Chapter 16 Information Ethics and Codes of Conduct
Appendix A Apache Longbow AH-64D: Target Acquisition and Display System (TADS) Upgrade Project
Glossary
Index

Preface ... xix

Chapter 1 Knowing What to Secure ... 1
  Ensuring Continuous Knowledge ... 2
    Process Implementation ... 2
    Asset Identification ... 4
    Control of Changes ... 7
    Status Accounting ... 8
    Baseline Validation ... 8
    Version Management ... 9
  Maintaining Integrity ... 9
    Establishing Checkpoints ... 9
    Documenting the Decision ... 10
    Assigning Authority ... 10
    Implementing the Change ... 11
    Accounting for Information ... 12
    Other Considerations ... 12
  Establishing the Assurance Function ... 13
    Basing the Response on the Risks ... 13
    [illegible] Requirements ... 14
    Corrective Action Requirements ... 14
    Financial Factors ... 15
    [illegible] ... 15
  Documenting the Assurance Solutions ... 16
    Sequence and Timing ... 17
    Monitoring ... 17
    Accountability ... 18
    Documentation and Reporting ... 18
    Problem Resolution ... 18
    Keeping the System Aligned ... 18
  Chapter Summary ... 19
  Key Terms ... 21
  Key Term Quiz ... 21
  Multiple Choice Quiz ... 22
  Essay Quiz ... 23
  Case Exercise ... 23
Information Assurance for the Enterprise
X

Chapter 2 Assessing Risks
  Risks: An Overview
    Knowing Where You Stand
    Making Threats Visible: Risk Classification
    Strategy Formulation: Deciding About the Response
    The Security Solution: Deploying Countermeasures
  Operational Risk Assessment
    Establishment: Planning for Operational Risk Assessment
  Audit
    Managing the Audit Process
    Details of Execution: Performing the Audit
    C&A: The Federal Government's Use of Audit
  Chapter Summary
  Key Terms
  Key Term Quiz
  Multiple Choice Quiz
  Essay Quiz
  Case Exercise

Chapter 3 Security Policy
  Definitions: Assets, Risks, and Countermeasures
  The Common Characteristics of an Information Assurance Process
  Establishing the Information Assurance Process
    Ensuring Coordination: Integrating Functions
    Creating the Assurance Process: The Role of Design
    Security Infrastructure: Making the Process Systematic
    Planning: Formalizing the Assurance Process
  Policy and Information Assurance
    The Relationship between Policy and the Assurance Process
    General Requirements for the Information Assurance Process
    Developing an Assurance Plan
  Designing a Functional Information Security Management System
    Defining the Information Assurance Boundaries
    Building the Information Assurance System
    Maintaining Information Assurance over Time
  Chapter Summary
  Key Terms
  Key Term Quiz
  Multiple Choice Quiz
  Essay Quiz
  Case Exercise

Chapter 4 Building and Documenting an Information Assurance Framework
  Infrastructure and the Five Pillars of Assurance ... 90
  Instituting a Sustainable Security Operation ... 92
    The Role of Policy in Creating an Infrastructure ... 92
    Ensuring a Disciplined Process: Establishing the Culture ... 93
    Developing an Information Assurance Infrastructure ... 94
    Ensuring Common Understanding: Metrics and Security ... 95
    Accommodating Human Factors in the Infrastructure ... 97
    Documentation: Conveying the Form of the Infrastructure ... 97
    Tailoring a Concrete Information Assurance System ... 100
    Types of Controls ... 104
  Chapter Summary ... 107
  Key Terms ... 108
  Key Term Quiz ... 109
  Multiple Choice Quiz ... 109
  Essay Quiz ... 111
  Case Exercise ... 112

Chapter 5 Maintaining Security of Operations ... 113
  Aims: Aligning Purpose with Practice ... 113
    Threat Response: Keeping the Organization on Its Toes ... 115
    Staying Alert: Elements of the Operational Security Process ... 115
  Implementation: Setting Up the Security of Operations Process ... 119
    Operational Planning ... 119
    Operational Responses ... 122
    Ensuring Continuing Integrity: Configuration Management ... 125
  Operational Housekeeping ... 128
    Preparing an Operational Procedure Manual ... 128
    Managing Security Patches ... 128
    Back Up Your Data, Back Up Your Job ... 129
    Enforcing Personal Security Discipline ... 129
    Maintaining Your Software ... 130
    Making Your Software Behave ... 130
    Watching Your Back ... 130
  Chapter Summary ... 132
  Key Terms ... 133
  Key Term Quiz ... 133
  Multiple Choice Quiz ... 134
  Essay Quiz ... 136
  Case Exercise ... 136

Chapter 6 Ensuring Controlled Access ... 139
  Principles of Access Control ... 139
    Identification and Authentication: Establishing Identity ... 140
    Combining Approaches: Multifactor Authentication ... 144
    Approaches for Establishing Identity in Cyberspace ... 145
  Authorization: Controlling Access ... 147
    Types of Permission: Methods for Granting Access ... 148
    Real-World Access Control: Automating the Process ... 153
    Setting Up the System: Account Management ... 156
    Intrusion Detection: Backstopping Access Control ... 157
    Security Assessments: Penetration Testing ... 161
  Common Access Control Models ... 162
    Classification-Based Security Models: Bell-LaPadula ... 163
    Integrity-Based Security Models: Biba ... 165
    Transaction-Based Security Models: Clark-Wilson ... 166
  Chapter Summary ... 167
  Key Terms ... 169
  Key Term Quiz ... 170
  Multiple Choice Quiz ... 170
  Essay Quiz
  Case Exercise

Chapter 7 Personnel Security ... 175
  First Steps First
    Origination of Threats ... 176
    Access and Security Control: Establishing Secure Space ... 176
  Ensuring Continuous Practice
    Ensuring Personnel Security Behavior
    Documenting Security Procedures ... 178
    Assignment of Individual Responsibility ... 179
    Rules of Behavior ... 179
    The Role of Awareness and Training ... 180
  Planning: Ensuring Reliable Control over Personnel ... 181
    Control Principles ... 181
    Personnel Screening ... 183
    Planning for Personnel Assurance ... 183
  Security and the Human Resources Function ... 183
    Job Definition ... 184
    Assignment of Required [illegible] ... 185
    Background Screening and Hiring ... 186
    Employee Awareness Training and Education ... 187
    Controlling Access of Employees and Contractors to Restricted Information ... 190
    User Account Management ... 191
    User Account Audit and Management Review ... 193
    Detecting Unauthorized/Illegal Activities ... 193
    Friendly Termination ... 194
    Unfriendly Termination ... 195
    Contractor Considerations ... 196
  Chapter Summary ... 198
  Key Terms ... 199
  Key Term Quiz ... 200
  Multiple Choice Quiz ... 201
  Essay Quiz ... 202
  Case Exercise ... 203

Chapter 8 Physical Security ... 205
  The Problems of Dispersion and Diversity ... 206
  [illegible] Secure Space ... 206
    Factor One: Ensuring the Location ... 207
    Factor Two: Ensuring Controlled Access ... 207
    Factor Three: Ensuring Control of Secure Spaces ... 207
  The Physical Security Process and Plan ... 208
    The Physical Security Process ... 208
    Physical Security Plan ... 208
  Physical Security Targets and Threats ... 210
    Threats to the Facility ... 210
    Safeguarding Equipment ... 213
    Controlling Access by People ... 215
    Mitigating the Effects of Natural Disasters and Fires ... 221
  Chapter Summary ... 224
  Key Terms ... 225
  Key Term Quiz ... 226
  Multiple Choice Quiz ... 226
  Essay Quiz ... 228
  Case Exercise ... 229

Chapter 9 Assuring Against Software Vulnerabilities ... 231
  Hacking [illegible] ... 231
  Software Assurance as National Policy ... 232
    What Are the Aims of Software Assurance? ... 232
    A Matter of Distinctions ... 233
  The Software Process ... 234
    The Stages in the Software Process ... 234
    Preconditions: Establishing the Point of Reference ... 235
  Best Practices and Methodologies ... 237
    Phase 1: Module Testing and Integration ... 237
    Phase 2: Qualification and System Testing ... 240
    Phase 3: Installation and Operational Testing ... 241
  Quantifying the Process: Software Assurance Measurement ... 242
    Models, Metrics, and Data ... 243
    Building an Effective Metrics Program ... 244
    Tailoring a Set of Reliability Measures ... 244
    [illegible] ... 245
    Installation and Maintenance: Testing Long-Term Performance ... 246
  Secure Management of Outsourced or Third-Party Services
  The Common Criteria: Basing Security Functionality on a Protection Profile
    The Common Criteria: Form of the Standard
    Advantages of a Protection Profile
    Developing a Protection Profile
  Chapter Summary
  Key Terms
  Key Term Quiz
  Multiple Choice Quiz
  Essay Quiz
  Case Exercise

Chapter 10 Continuity Planning and Disaster Recovery
  Continuity and Business Value
  Continuity Planning
    Contents of a Continuity Plan
  Proactive Response: Ensuring "Continuous" Continuity
    Recovery Times
    Alternative Sites
    Analysis Processes
  Ingredients of a Continuity Plan
    Instituting the Business Continuity Management Process
    The Four Phases of the Business Continuity Planning Process
    Disaster Recovery Planning
  Chapter Summary
  Key Terms
  Key Term Quiz
  Multiple Choice Quiz
  Essay Quiz
  Case Exercise

Chapter 11 Laws, Regulations, and Crime
  Protecting Intellectual Property
    Enforcing Protection Rights: The Digital Millennium Copyright Act
    International Prevention and the Business Software Alliance
  Software Piracy
    Consequences of Piracy
    Regulating Piracy
  Laws Affecting Computer [illegible]
    Governmental Regulations
    Privacy Regulation
    Laws to Protect Privacy
    The Freedom of Information Act
    The Privacy Act ... 289
    Acts Related to Financial Privacy ... 289
    The Computer Matching and Privacy Protection Act ... 290
    Canning Spam: The CAN-SPAM Act of 2003 ... 291
  Cyber Crime ... 292
    Motivation and Method ... 292
    Outcomes ... 293
    [illegible] ... 294
    Types of Hacker Tools ... 297
    Technological Approaches of Attackers ... 297
  Computer Crime ... 298
    Laws Designed to Control Computer Crime ... 298
    Ensure Contract Compliance ... 302
  Chapter Summary ... 304
  Key Terms ... 306
  Key Term Quiz ... 306
  Multiple Choice Quiz ... 307
  Essay Quiz ... 308
  Case Exercise ... 309

Chapter 12 Network Security Basics: Malware and Attacks ... 311
  Engineering the Network: Ensuring a Proper Design ... 312
    Connection Control ... 312
    Enforcing Connection Control: The Firewall ... 313
    Transmission Control ... 314
  Defending Networks from Attacks ... 315
    Threats to Information: Malicious Code ... 315
    Malicious Attacks ... 319
    The Role and Use of Policy Managers ... 321
    Cyber Terrorism ... 325
  Managing and Defending a Network ... 326
    Network Security Management and Planning ... 327
    Network Defense in Depth: Maintaining a Capable Architecture ... 329
  Chapter Summary ... 331
  Key Terms ... 335
  Key Term Quiz ... 335
  Multiple Choice Quiz ... 335
  Essay Quiz ... 337
  Case Exercise ... 337

Chapter 13 Cryptology iene ect ne sen tace cme nt sents opawe cs eewseeavons 339
Cry PIOPTADVAUD CIDICS Bes ca. tine) Meath ws se sa ee a sieoa wien s 339
Integrity and Authentication: |i) sich D.oletelieh
«2. sense veins saan 340
BYTES SVP Ee |So ee oer ne een abe (0.05 Sao ea a 340
Information Assurance for the Enterprise
XVI

How Cryptography Works: Codes Versus Ciphers
The Intricacies of Codes
The Intricacies of Ciphers
Keys for Encryption
Secret Key (Symmetric) Cryptography
Secret Key Management
Public Key (Asymmetric) Cryptosystems
Public Key Management
Digital Signatures
Public Key Infrastructures
Key Management Serv[illegible]
Attacking a Cryptosystem: Cryptanalysis
Public Key Products and Technologies
[illegible entry]
[illegible entry]
Secure Sockets Layer (SSL)
Elliptic Curve
Chapter Summary
Key Terms
Key Term Quiz
Multiple Choice Quiz
Essay Quiz
Case Exercise

Chapter 14 Ensuring the Secure Use of Software
Configuring the Operating System for Security
Types: Assigning the Proper Label
Rights: Ensuring the Proper Access
Policies and Operating System Configuration
Application Management Software and Security
The Scope of Application Security
Operational Assurance
Ensuring Operational Effectiveness: Making the Assurance Case
Operational Analysis
Problem Resolution
Certification and Accreditation of Applications
Ensuring an Effective Security Architecture
Database Security
Chapter Summary
Key Terms
Key Term Quiz
Multiple Choice Quiz
Essay Quiz
Case Exercise
Chapter 15 Human Factors: Ensuring Secure Performance
Assuring Reliable Performance
The Body of Knowledge
[illegible] Model (1987)
[illegible entry]
McCumber Model (1991/1993)
The Intermediate Models: DACUM and NIST 800-16
Recent Standards Developments
Extending the McCumber Model—The MSR Model
Delivering the Body of Knowledge
Awareness Programs
Training Programs
Education Programs
Increasing Organizational Capability Through AT&E
Information Assurance Recognition
Informal Realization
Information Assurance Understanding
Deliberate Control
Continuous Adaptation
Building Effective AT&E Programs
Steps to Achieve the Basic Recognition Level
Steps to Achieve the Informal Procedural and Realization Level
Steps to Achieve the Planned Procedural and Information Assurance Understanding Level
Steps to Achieve the Controlled Level
Steps to Achieve the Adaptive Level
Chapter Summary
Key Terms
Key Term Quiz
Multiple Choice Quiz
Essay Quiz
Case Exercise

Chapter 16 Information Ethics and Codes of Conduct
[illegible entry]
Ethics and Information Assurance
Ethics and Technology
Practical Ethical Systems: Enforcing Proper [illegible] Behavior
Establishing a Basis: Formal Codes [continuation illegible]
Certification: Ensuring Professional Capability
[illegible entry]
[illegible] Privacy
[illegible entry]
The Ethics of Confidentiality ........ 430
The Ethics of Integrity ........ 431
Chapter Summary ........ 434
Key Terms ........ 436
Key Term Quiz ........ 437
Multiple Choice Quiz ........ 437
Essay Quiz ........ 439
Case Exercise ........ 439

Appendix A APACHE LONGBOW AH-64D: Target Acquisition and Display System (TADS) Upgrade Project ........ 441
The Project [remainder illegible] ........ 442
Project Requirements ........ 443
Project Characteristics ........ 444
Production Details ........ 445
The Organization ........ 450
The Problem Facing the Organization ........ 451

Bibliography ........ 453

Preface
This text is based on two assumptions. First, written, spoken, and electronic information is valuable—it is an asset; the information assurance function should be able to protect any information asset the organization owns. Second, information assurance has to be complete and continuous. All safeguards must be in place and operating correctly at all times.
Most organizations do not even know what information they have, much less what threatens it. They cannot even evaluate the risks they are accepting because they do not know the

• Scope—companies just cannot get their arms around their own assets
• Value—shifting understanding of the value of information that a company DOES hold
• Risks—knowing all of the ways that information can be threatened
• Assigned Accountability—putting the right people in charge of the process

To ensure the right level of security the organization has to create a complete, clearly understandable, and economically feasible protection system. The system must ensure the security of all information of value; it must account for all likely risks and address them with appropriate countermeasures.
This text describes the elements and procedures involved in protecting information. It explains how the elements inter-relate and how they can be used to build an information assurance strategy that is continuously effective and reliable over time. That strategy details how to design, implement, and maintain a comprehensive and coordinated information assurance solution. That solution must address a broad spectrum of security requirements, not just those that are convenient. It must be systematic and maintainable as a long-term operational process and it must directly support the business case requirements.
The information assurance solution merges all required procedures and controls into a single coordinated process. The reliability of that process must be objectively measurable. The process must evolve continuously to meet the changing environment. The process must provide a trustworthy long-term assurance capability, which addresses all probable threats and responds to all incidents appropriately. Consequently, the information assurance process should be holistic. That is, a proper information assurance solution must incorporate all of the factors necessary to satisfy all the security needs for a given situation. That condition is termed “total protection.”
The book covers the essential material for the DHS Centers of Academic Excellence in Computer Security Education as well as the (ISC)2 Common Body of Knowledge and the Draft ACM Computing Curriculum (2005). It also addresses the principles of ISO-17799.


Background of the Field: From COMSEC to IA


The concept of total protection has evolved through several stages mirroring the evolution of computer technology itself. Because of those evolutionary steps, there continue to be many ways in which information security is understood and approached.
The idea of computer security surfaced with the widespread use of computers in the 1960s; therefore, security solutions for the first 20 years were almost exclusively technology-focused. Although technological solutions are still fundamental to the field, a strictly technology-centric approach is the narrowest possible way to approach security.
Typical technological approaches involve the essential practices for assuring hardware and software functionality (COMPUSEC) and network operation (COMSEC). These are machine-oriented disciplines and they are relevant to an entire range of concerns associated with the electronic processing, storage, and transmission of data. Their limitation lies in the fact that they cannot ensure that the information being processed is trustworthy or that the physical space is secure.
For instance, classic COMPUSEC and COMSEC employ documented procedures to ensure trusted access to the computer and network equipment (authentication and authorization), as well as to ensure the secure transmission of digital information (integrity checking and encryption). However, they do not incorporate safeguards to ensure that the equipment itself is not damaged or stolen. Nor do they guarantee that the system will not be misused. Since these approaches ensure secure processing and transmission of electronic data, that omission is appropriate. However, it is also a potential source of serious vulnerability if the aim is to ensure the protection of all information stored on the computer.
Information security (INFOSEC) provides functions to improve control over the external elements. It provides that assurance by using procedures similar to those employed to secure financial or physical assets. INFOSEC relies heavily on monitoring and audit functions to enforce its practices.
Since INFOSEC uses one or both of the technological disciplines (that is, COMSEC or COMPUSEC), it is capable of securing a broader and less tangible range of assets. For instance, INFOSEC does not simply ensure that the system is password protected. It ensures that accesses under a given password are logged for the purpose of regularly monitoring use as well as identifying misuse for corrective action.
The classic INFOSEC model does not account for conventional environmental threats such as physical infrastructure and routine operational failures. This failure is a source of vulnerability, because threats like terrorist acts, power failures, or even violations of the law can be disastrous.
Security of operations protects the organization against environmental threats by ensuring that the actual operation of the system is reliable, consistent, and complies with contractual and regulatory requirements. It is a procedural rather than a technical discipline and it does not imply the supplementary use of COMSEC or COMPUSEC. Security of operations involves equipment and standard operating procedures to assure the safety of the physical elements of the system. An effective security-of-operations function is important, because it focuses on maintaining the system's continuous availability.

The weakness of the security-of-operations concept lies in the fact that it does not specifically include measures for securing electronic transmissions and storage. Furthermore, because of its orientation toward physical protection, it is often administered separately from the information assurance function.

Consolidating Approaches: IA
COMPUSEC, COMSEC, INFOSEC, and security of operations are all valuable aspects of overall security. However, the problem with each of them individually is that they address part, but not all, of the problem, creating the potential for exploitation of unsecured areas. This has led to the recognition that every avenue of attack must be safeguarded in order for the assurance to be correct.
The means for accomplishing that is characterized by a relatively new term, “information assurance,” or IA. IA takes a comprehensive view of the assurance responsibility. Essentially, it involves the creation of a persistent, organization-wide assurance system, which contains the policies, procedures, and technical and managerial functions needed to guarantee security in every area of threat throughout the information life cycle. Because of its all-inclusive process focus, it is necessary to establish information assurance through a strategic planning process.
Information assurance is the broadest and most intuitively attractive of the assurance disciplines because it incorporates the strengths of the other methods into a holistic approach focused on ensuring total security. Nonetheless, beyond establishing a top-level architecture, the IA concept does little more than integrate the conventional assurance activities of COMSEC, NETSEC, INFOSEC, and security of operations into a single system.

The Information Assurance Life Cycle: The Organization of the Text
Properly functioning systems produce consistent outcomes. To achieve consistency, systems incorporate a common set of elements into a logical process. With systems, the term for that process is a life cycle. System life cycles always have a defined beginning, follow repeatable steps, and produce predictable outcomes. Every component within the life cycle has a specific purpose and contributes differently to the overall outcome.
In this text, you will learn about the standard elements and interrelationships of the information assurance life cycle. Each chapter presents one of the elements of that process and focuses on describing the qualities that each component adds to the overall assurance picture. In addition, it tracks how that element subsequently interacts with the other elements in the process to establish trustworthy and sustainable security.
The book is organized along the lines of the information assurance life cycle and is divided into four sections, as follows.

Section One: Understanding the Risks
The first section, composed of two chapters, outlines the two primary principles that are the starting place for the information assurance process. These are necessary because information is intangible. Therefore, there has to be an initial stage to identify and label the information that the organization owns and recognize what threatens it.
The first chapter presents a process to ensure that all items of value to the organization are identified and accounted for. Without this process, the organization would not know what to secure. Once each information asset is identified and catalogued, a risk assessment is carried out to define the specific things that might harm each item. Specific knowledge of the risks is a precondition to establishing a correct response. Chapters in this section are

• Chapter 1: Understanding the Form of the Asset
• Chapter 2: Assessing Risks

Section Two: Sustaining a Relevant Response
To ensure trust, the information assurance process has to be sustainable. Sustainability requires a concrete and repeatable infrastructure of processes that are continuously appropriate and persistent. Section Two discusses the principles that the organization must address to ensure a systematic response. Chapters in this section are

• Chapter 3: Establishing an Overall Process
• Chapter 4: Building and Documenting an Information Assurance Framework
• Chapter 5: Maintaining Security of Operations
• Chapter 6: Controlling Access

Section Three: Deploying the Countermeasures
The countermeasures are the traditional areas of security. This section is composed of eight chapters, organized into management and technical countermeasures. All these areas are broad and deep, and each contains more material than could possibly be presented in a single textbook because they represent substantive actions. Consequently, we concentrate on discussing their general application and their interrelationship with each other. The individual reader may choose to do greater in-depth research into specific areas of interest using the chapter as a starting point. Chapters in this section are

• Management Countermeasures
  • Chapter 7: Personnel Security
  • Chapter 8: Physical Security
  • Chapter 9: Assuring Against Software Vulnerabilities
  • Chapter 10: Continuity Planning and Implementation
  • Chapter 11: Laws, Regulations, and Computer Crime
• Technical Countermeasures
  • Chapter 12: Network Security
  • Chapter 13: Cryptology
  • Chapter 14: Ensuring the Secure Use of Software

Section Four: Sustaining a Security Culture
Finally, two aspects of the assurance process do not fit directly within a life-cycle model. Those are ethics and human factors. These are higher-level principles, which support the “security behavior” of the organization. Although they appear to be peripheral to establishing a security system, they are critical to its long-term success. We provide a discussion of each as well as suggest how they contribute to the establishment and operation of the information assurance system.

• Chapter 15: Human Factors: Ensuring Secure Performance
• Chapter 16: Ensuring an Ethical Organization

Intended Audience
Our assumption in writing this book is that information assurance is not limited to securing information assets in electronic form. It must secure all information of any value, in whatever form. Thus, electronic protection approaches by themselves are insufficient. In addition, genuine assurance implies that all elements necessary to ensure reliable protection have been established. Consequently, in addition to technical controls, the security solution must also incorporate all relevant organizational and human factors into a total system of protection.
This book provides a comprehensive, in-depth survey of the field of information assurance. The audience includes everybody from students interested in understanding what information assurance is, to instructors who want to teach information assurance from a holistic perspective.
In many cases, we have taken liberties with the technical details to ensure that the principle is clear to a broader audience. Because of its breadth and application focus, the audience for this book extends from business and technical managers who want to learn how to ensure security within their particular areas to top-level executives who want to provide leadership for an effort in this field.
CHAPTER 1

Knowing What to Secure


In this chapter, you will learn:
* Why “knowing what to secure” is the first step in the security process
* Why information has to be controlled like any other organizational asset
* Why change has to be rigorously planned for and managed

Information is like no other asset: it is intangible; therefore, it cannot be accounted for like car parts or soapboxes. It is valuable; yet it is hard to establish a precise dollar value for knowledge. These two characteristics, lack of tangibility and ambiguous worth, pose a fundamental dilemma for the assurance process because they create a situation where you are unsure of what to protect.

Therefore, the first step in the assurance process is to identify and label every useful bit of information that the organization owns. This is a simple inventory process. Every item of information is catalogued and a value is assigned. The recording process is called baselining and the catalogue that it produces is called a baseline. The baseline is the starting point for the security response.
A baseline is the precise specification of the content and interrelationship of all of the organization’s information items. By definition, the baseline contains only items that the organization considers valuable. The baseline documents the information resource base of the organization.
Because the actual contents of the baseline are intangible, this documentation is the proxy for the asset itself. Since the baseline constitutes the only tangible record of the asset base, that documentation has to be maintained as a living entity throughout the information assurance process. The protection scheme is geared to protecting the contents of the baseline. Therefore, the goal of the baselining process is to assure a continuously accurate picture of the components and status of the information base.
The information base is dynamic because the information contained is constantly changing. Most information of value is directly related to the business case. Therefore, asset bases evolve with the business case over time.
It is important to maintain alignment between the baseline and the business case, because the baseline contains the information that supports the organization’s mission and purpose. As such, a formally documented and highly disciplined process should be employed to evaluate and control any changes to the baseline.
A disciplined process is necessary because information is hard to keep track of and the business case is complex. Strict discipline assures that all items of value to the organization are accounted for.
For example, a change to the organizational business case, such as a new product line, will produce new information. The new information may be extremely valuable to the overall success of the product and the organization. Therefore, there has to be certainty that any new information added will be identified properly and assured adequately. Without a formal process to make certain that changes are reflected accurately, it is likely that the organization's understanding of the contents of the asset base will be lost. This creates the potential for valuable new items to be unprotected, or even for the organization to lose track of its assets entirely.

Ensuring Continuous Knowledge
The process that assures that the contents of the information base are always known and documented adequately is called asset management. Asset management establishes and maintains a precise description of the information asset base, its constituent elements, and their interrelationship. It assures a permanent, accurate accounting and enables the status of the asset base to be known at all times.
Asset management assures that the documentation is accurate and that all security policies are correctly implemented. Asset management is a complex organizational process composed of six interdependent activities. These are

1. Process implementation
2. Asset identification
3. Control of change
4. Status accounting
5. Asset evaluation
6. Version management

Process Implementation
It takes a plan to establish a persistent organizational process. In the case of asset management, this is called the asset management plan. That plan enumerates the activities that make up the entire asset management process. This includes all of the necessary procedures as well as all the points in the process where those functions will be performed. The plan defines and assigns organizational roles, responsibilities, and personal interrelationships while specifying the interactions between each activity.
The product is a complete, correct, and fully documented life-cycle strategy. That strategy lays out the overall approach to accounting for and maintaining the status of all information of value to the enterprise. The resulting plan should precisely specify the process that will be used to identify and label information and maintain a correct representation. Because the plan sets the strategic direction and dictates the procedures
for meeting organizational objectives, it must also be sensitive to changes in organizational context. Therefore, the organization must make a commitment to continuous planning and updating throughout the life cycle.
The plan must make certain that the status of the information asset is known and kept up-to-date. It must assure that valid baselines and versions exist. In conjunction with the requirement to maintain baseline integrity, rules must be laid down to assure that the repositories that contain the formally constituted baselines are properly maintained and archived. Finally, the plan should specify an up-to-date list of the decision makers who are authorized to approve alterations to the form of the asset base. That list should itemize the authority, scope, and responsibility of each decision maker.
One of the most important benefits of a well-managed asset baseline is that it underwrites the way that risk is managed and disaster recovery is assured. The risk management function is an essential feature of the information assurance process because it maintains the organization's planned response to all identified threats. The risk management plan is based on an assessment of the threat to the information base that each risk represents. Risk management is aided by well-defined baselines because a clear picture of the form of the asset assures that only relevant threats will be dealt with.
Effective disaster recovery is another outcome of good baseline management. Disaster recovery plans assure the ability to recover assets after a disaster. This is an important element in ensuring organizational continuity. The contribution of the asset management plan to the disaster recovery process is the assurance of precise knowledge about the contents of the asset base (this precise knowledge enables the timely restoration of normal functions) to a specified recovery point.
Periodically it is necessary to archive a well-defined baseline. Periodic archiving assures that an up-to-date picture of the asset is available for recovery. The rules and procedures for archiving each baseline have to be defined and documented in order to do archiving properly. Thus, the asset management plan has to describe both the timing and the execution steps required to back up and preserve each baseline. That includes fundamental considerations such as establishing the priority for what is to be protected, as well as itemizing the requirements for sequencing and scheduling the recovery steps in the case of a disaster. At a minimum, the following concerns should be addressed:

• Is all the necessary information and associated equipment needed to re-create the baseline available in the archive?
• Are all necessary media protected from disaster?
• Is there a need to maintain copies of the controls that have been set to assure each item of information?
• Is there a requirement to maintain copyright records for a specific set of assets?
• What is the mode of retention, including the media and format, as well as the location of stored baselines and the tools for maintenance?
• What length of time will baselines be kept? The goal is to preserve the baseline for only as long as is necessary to support disaster recovery.
This section has provided an overview of the implementation process. Before we
move on to the next section, which focuses on the details of how the process is executed,
we would like you to answer some questions about overall concepts.

Cross Check

1. Why is the specific identification of items to be secured a precondition for the security process?
2. Why is the asset identification process best done in a hierarchical fashion?
3. What is asset accounting and why is it important?
4. Why should there be a plan to implement asset accounting?
5. How is disaster recovery related to asset accounting?
6. Why is asset accounting an essential support for the disaster recovery process?

Asset Identification
The goal of the asset identification function is to establish an accurate record of the
precise form of the items in the information asset base. To assure proper representation,
all items that comprise the information asset base have to be identified and labeled
unambiguously. Once this is done, the documentation is continuously updated.
Asset identification is based on a formal identification scheme. The identification
scheme assures that everything worth protecting is identified and labeled properly As
a result, the asset identification scheme is the cornerstone of good asset management.
Identification and labeling of the asset is an essential requirement because the infor-
mation base is a theoretical construct, which might have many forms. Practical security
requirements demand that a complete and correct picture of the form of the informa-
tion asset is maintained at all times. This implies a process to assure that the relevant
characteristics of each item of information are known and properly recorded.
An asset identification scheme establishes the “day one” form of the asset and it is
kept current throughout the life cycle. With new organizational systems, this process is
carried out during the design phase. If the function is already part of an existing system,
then a retrospective analysis of existing systems is required.
Such after-the-fact analysis can be costly and difficult for a manager to justify
because it may require documenting the functions of hundreds of thousands of lines of
code that could be decades old. However, it is essential to the overall responsibility to
provide assurance, because legacy systems are usually insecure. That is, it would not be sound practice for the organization to be able to say with certainty that 10 percent of its systems (those that represent new code) were secure, but that the status of the other 90 percent was unknown.
Because of the necessity to secure only those items of value, the identification scheme
is always guided by the business case. There are two separate steps involved in docu-
menting the identification scheme. First, the decision criteria to be used to identify and
characterize the individual asset items must be explicitly agreed to. For instance, a criterion like "The information item must be directly traceable to and support a business process" can be used to decide whether or not an asset is worth protecting. Then, once the right decision criteria are established, it is important to assure that the people responsible for conducting the actual identification and labeling process will correctly use them.
Chapter 1: Knowing What to Secure
Each item of information that will go into the asset base is identified and appropri-
ately labeled. As we said earlier, this is a documentation process. The description of the
item, its area of application, and its general use is recorded and a label is created. This
documentation and labeling process actually requires two passes.
The first pass describes the components of the baseline at a high level of functioning. The aim is to describe the large components of a particular real-world operation; the description at this level is all-encompassing, rather than detailed. It should focus on communicating the general form of the asset base to managers and users. This is done to obtain feedback. The aim is to assure a clear relationship between the documentation of the asset base and the associated elements of the business process.
The actual asset base typically contains multiple representations. These are called
versions. For example, data from tax forms for different years would constitute different
versions of the same basic item, which is “tax form information.” Once that high-level
understanding is achieved, a second pass is required to detail each of the large components. The outcome of this second pass is a detailed description of each of the information items that were identified in the first pass. Figure 1-1 illustrates this two-pass approach to identifying and representing the information asset.

Figure 1-1 Hierarchy of documentation baselines (diagram: individual documentation baseline version(s), each made up of unique items and controls)

The labeling employed to characterize the relationship of each individual component to all other components is based on and reflects the hierarchical structure. In actual application, the labels will employ mnemonics unique to each item. That facilitates automated management, in a database for instance. However, the labeling must always correlate to the element's location in the hierarchy of the identification scheme.
Items defined at each level are given specific labels associated with the structure itself.
These labels must be unique and should designate and describe the position of the
item in the overall family tree of the asset base. A label should provide a unique name
of the item, the name of the baseline, and the version designation. Furthermore, the
overall labeling scheme must be expressed in such a way that the relationship between
all components can be understood. It is a good idea to use naming standards to guide
the labeling process in an organization of any size.
During the identification process, all information items that make up the informa-
tion base are described and labeled. They are arrayed in a logical framework based
on their interrelationships and interdependencies. This structure represents the form
(configuration) of the asset.
As we have said, an aggregate set of related information items is termed a baseline. The
individual components constituting this baseline are identified and labeled. That struc-
ture is then maintained as a coherent array of the information items that compose it.
Moreover, once the baseline is established, it is maintained through the life cycle of the
system that it describes.
The most common model for representing the components of a baseline is hierar-
chical. However, as we said earlier, the business case evolves over time; therefore, the
form of the asset base also evolves. Consequently, the labels that characterize informa-
tion are subject to alterations in their relative position within that hierarchy, as well
as in the relationship to other items at the same level. The identification scheme must
accommodate such changes.
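As an added illustration, not taken from the book, the following Python sketch implements a labeling scheme of the kind just described: each label is the dotted path of mnemonics from the baseline down to the item plus a version designation, units inherit the version of the component they belong to, duplicate labels are rejected, and moving an item within the hierarchy means it must be relabeled. The baseline name, the mnemonics (DATA, TAX, TIN, INC, PAY) and the two tax-year versions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AssetItem:
    """One node of the asset hierarchy: the baseline, a component, or a unit (a field)."""
    name: str                       # descriptive name for managers and users
    mnemonic: str                   # short token used to build automated labels
    version: Optional[str] = None   # None = inherit the version of the parent
    description: str = ""
    children: list = field(default_factory=list)

    def add(self, child: "AssetItem") -> "AssetItem":
        # Two children may share a mnemonic only as distinct versions of the same item.
        for existing in self.children:
            if existing.mnemonic == child.mnemonic and existing.version == child.version:
                raise ValueError(
                    f"duplicate item {child.mnemonic}:{child.version} under {self.mnemonic}")
        self.children.append(child)
        return child


def build_labels(baseline: AssetItem) -> dict:
    """Walk the hierarchy top-down and assign one unique label per item.

    A label is the dotted mnemonic path from the baseline to the item, followed by
    ':' and the version designation, e.g. DATA.TAX.TIN:2023. Because the path is part
    of the label, the label also records the item's position in the family tree.
    """
    labels = {}

    def walk(node: AssetItem, path: list, inherited: str) -> None:
        version = node.version if node.version is not None else inherited
        label = ".".join(path + [node.mnemonic]) + ":" + version
        if label in labels:
            raise ValueError(f"label {label} is not unique")
        labels[label] = node
        for child in node.children:
            walk(child, path + [node.mnemonic], version)

    walk(baseline, [], baseline.version or "1")
    return labels


def relocate(item: AssetItem, old_parent: AssetItem, new_parent: AssetItem) -> None:
    """Move an item to a new position; build_labels() must be rerun afterwards."""
    old_parent.children.remove(item)
    new_parent.add(item)


def example_baseline() -> AssetItem:
    """Constructed sample: the text's 'tax form information' item in two versions."""
    data = AssetItem("Data and Information Asset Baseline", "DATA", version="1")
    for year in ("2022", "2023"):
        tax = data.add(AssetItem("Tax form information", "TAX", version=year))
        tax.add(AssetItem("Taxpayer identification number", "TIN"))
        tax.add(AssetItem("Gross income", "INC"))
    return data


if __name__ == "__main__":
    for label in sorted(build_labels(example_baseline())):
        print(label)
```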
The organization then establishes the practical countermeasures that will be used
to assure each component at a desired level of security. Depending on the degree of
assurance required, information can be described at one or all of these levels (as shown
in Figure 1-2):

• The baseline (for example, an entity's complete set of assets)
• Baseline components (for example, a single asset, such as a document)
• The unit (for example, an individual item, such as a field on a document)

Figure 1-2 Increasing levels of control (diagram: a single baseline control set, the lowest level of control, is composed of individual control sets for each baseline version, a moderate level of control, which are in turn composed of unique item controls, the highest level of control)

The asset base can be assured this way because the classification and tagging of the
elements provides a tangible representation of the items to be secured.
The structure is maintained top-down, ranging from a view of the information asset
as a single entity all the way down to a designation of the explicit items that constitute it.
The baseline representation that emerges at the lowest level in this decomposition process is a detailed and concrete architecture. That concrete architecture represents the only tangible depiction of the asset.
The general approach to this design process is outlined in Figure 1-3. Please remem-
ber, this is provided as an illustration only. The approach is the same in all cases, but the
form of each particular implementation will vary with the individual business model
of the organization.

Figure 1-3 Generic hierarchy of components of an information base (diagram: the overall information asset baseline is composed of an IT equipment and tangible asset baseline, a software and application asset baseline, a data and information asset baseline, and a personnel asset baseline; beneath these sit specific asset baselines at lower levels of definition, down to individual DB records)

Figure 1-3 is a general representation of the mechanism that identifies and arrays the
distinct items of information that comprise the asset base. The decomposition process
illustrated demonstrates how the goal of establishing successive levels of understand-
ing is achieved. At the lowest level of decomposition, the baseline scheme that emerges
represents the detailed architecture of the asset base of the organization.
Because the array of items and their position in the hierarchy is subjective, that deci-
sion should be based on consensus. It should be made using the input of many stake-
holders, ranging from the technical staff to the business case owners of a given item of
information. However, independent of who makes the decision, once it is established,
the formal asset baseline is kept in some sort of formally designated repository, which
is maintained accurately throughout the life cycle.

Control of Change
Change control is a continuous process. It assures that the documentation of the items that exist within the baseline is accurate and that their precise status is known at all times.
times. Its aim is to manage the natural evolution of an entity in such a way that it
preserves its overall integrity. An effective process for the control of change offers two
advantages. First, it assures the integrity and correctness of a baseline. Second, it allows
for the maintenance of continuous knowledge about status.
Change control is a sensing, analysis, and authorizing function. It is necessary be-
cause information evolves. Items are continuously added to baselines and the form
and content of individual baselines changes as the business model evolves. Moreover, the protection requirements associated with each item change in accordance with alterations in policy, as well as with the form of the asset itself. Thus, there has to be
a process to manage the natural evolution. Otherwise, the understanding needed to as-
sure the asset base would degrade quickly. For that reason alone, effective information
assurance depends on rigorous change control.
The functional parts of asset management are interrelated, in that the capability
to conduct effective change management depends on the prior process (asset identi-
fication). The information assets of the organization are intangible. If change were not
controlled, the rest of the assurance process would become pointless. That is because
the organization would not know what it was protecting. Therefore, change manage-
ment is a critical requirement.
Any change to the baseline can have serious implications because any modification
to the form of the information asset may change the protection requirements. Consequently, the appropriate manager must authorize all proposed changes. That decision-making process must be supported by an analysis of the implications of the change.
That analysis should consider such things as how the changed item will be reintegrated into and interface with the other items in the assurance scheme. As a requirement, there should be an estimate of the effects and resource commitments required to modify the form of the protection. Change control is such an important process that its implementation will be discussed in detail in the next section.

Status Accounting
Identification and change control establish and maintain a correct and continuously
evolving image of the content of the information base. This image is documented by
the status accounting function. Status accounting maintains running documentation
of all asset baselines and performs the routine reporting activities necessary to transmit
that knowledge to the appropriate managers.
This record is typically maintained in an electronic repository or “ledger.” This ledger is
the concrete documentation of the asset base. The ledger is referenced by change control
to perform the impact analysis, prior to the authorization of a change. It is updated in a
timely fashion once a change has been approved and implemented. In many organiza-
tions, the person responsible for doing the status accounting is the information resource
manager. Because this manager essentially maintains the baselines, this individual is
sometimes referred to as a baseline manager.

Asset Evaluation
The point of asset evaluation is to assure the operational integrity of the asset base
itself. That assessment is an important continuous review process. It involves a formal
inspection of a designated baseline. Inspection targets will normally depend on the
requirements of the situation. Evaluations are done on a routine, scheduled basis.
The schedule is typically developed as part of the initial planning. It is important
to maintain a disciplined inspection process, because the basic principle of integrity
is involved.
The evaluation assesses the degree of correctness of the baseline. It tests the accuracy of the description, the placement of the item in the hierarchy, and the labeling of each information resource within the baseline. In conjunction with these steps, it also
evaluates the appropriateness and effectiveness of the specific safeguards that have been
established for each element.
The result of each evaluation is communicated to appropriate designated executives. By rule, any findings of nonconcurrence or identified anomalies must be resolved
through action by the manager responsible for the affected item. Immediate executive
action is required because these anomalies are, by definition, latent vulnerabilities. The
reporting process itself, as well as the explicit criteria for judging whether the problem
has been resolved, is outlined in the asset management plan.

Version Management
Version management is necessary because there are usually simultaneous representations of the asset baseline, and it is really a library administration function. It keeps
each authorized version of the asset baselines secure, each in its own repository. Since
those representations are maintained electronically, the repositories are usually just
another organizationally sanctioned database. These databases are individually main-
tained, and are labeled uniquely.
In addition to maintaining a record of all current versions, all superseded versions
are archived separately. This archive is similar to the repositories that hold the current
versions, in the sense that it is a secure electronic storage location. The archives of
old versions are useful to security because they provide a rollback capability in the
case of disaster, as well as serve as a source of time-series data.
Many useful things can be learned about the long-term behavior and evolution of the
resource by studying these data.

Maintaining Integrity
In this part of the chapter, you will learn about the components that are necessary for
maintaining integrity in the organization.

Establishing the Checkpoint


The integrity of information must be supported by a management function because it is a
critical quality for assurance. One of the most commonly accepted ways of performing
that function is outlined in Figure 1-4.
The location for receiving and processing requests must be established at a single identified point in the organization because the information resource is both intangible and dynamic. As such, any changes to its representation have to be carefully coordinated. This is the checkpoint where changes are analyzed and authorized. Its purpose
is to make certain that a responsible party approves any changes to a secured baseline.
Figure 1-4 Generic asset baseline change management process (diagram: the information asset manager receives a request for baseline change; verification of change and implementation of change are both recorded against the ledger)

The generic term for this process is "change management." Change management assures continuous integrity by controlling all changes to all formally established baselines.
Change management analyzes requests for changes to the form of the asset base. The
aim is to determine all of the potential implications and impacts on the affected base-
line. Once these are all understood, the next step is to obtain the authorizations.

Documenting the Decision


The method for requesting changes must be both understood clearly and applied con-
sistently throughout the organization. To assure consistency, the format of the docu-
mentation should be standardized. No single format is applicable to all assurance
situations. The following is the minimum information that needs to be supplied in
order for a decision to be made:

• Organizational requirements that necessitate the change
• The operational timeframe and proposed schedule
• Information items impacted
• Controls impacted
• Costs and resource commitments
• Staff capabilities required
• Any software or tool requirements
• Any anticipated changes in procedure caused by the change
• Any anticipated change in the way the baseline is kept (for example, libraries)
• Any audit considerations
• Any disaster recovery considerations
• If they exist, the impacts on the various versions

Assigning Authority
Decisions about the form of the asset base have to be made by a responsible party. This
assures accountability. Therefore, as part of the process the person who should appro-
priately make the decision has to be identified and decision-making authority has to
be assigned formally.

The first step is to identify and designate the proper decision maker. The authority
for authorizing change is typically assigned based on operational responsibilities. That
is, the person who should be held accountable for approving changes to an informa-
tion asset should also be the one responsible for managing its generation and use.
The process of identifying and designating that decision-making authority requires
that the organization understands the operational implications for the information
itself. Policies should be made about questions such as whether low-level technical
activities, for instance routine maintenance changes, should be approved by any person
higher in the organization than technical workers.
Structural change to a baseline takes place when new items are created or added.
The decision to change a baseline can be approved only by the authorized decision
maker. From the standpoint of maintaining a disciplined approach, the decision maker
empowered to approve changes must also be the one with the authority to enforce the
decisions that they make. That is, the decision maker should be in a position to allocate
the resources and oversee the activities to assure the integrity of the change.

Implementing the Change


Any change to the form or substance of a baseline element is initiated through a formal
process. A request for change is submitted to the person responsible for maintaining
the accuracy of the baseline. This responsibility is established as part of the planning
for the assurance function. The subsequent responsibility of that individual is to assure
that the change is appropriately authorized, and will not affect the integrity of either
the item or the asset baseline as a whole.
All changes have to be approved. At one end of the spectrum, if the change repre-
sents a high risk or is resource-intensive, the approval might come from an executive
decision based on a thorough analysis of impacts. If the change is determined to be low
risk or have minor impact, this approval might be nothing more than a simple sign-off
from a technical manager.
Once authorization is received, the change is made by the person responsible for making modifications to the controlled repository where the baseline is kept. For example, they could change the labeling, add elements, or alter the form of the element itself.
Once this is done, the person responsible for maintaining the overall integrity of the
asset base must inspect and verify the change. The purpose of the inspection and verification is to assure that the change was implemented correctly. If the change is important, the entire baseline should be audited afterward to verify that integrity has been maintained. Once the up-to-date status of the baseline is confirmed, the labeling is modified to reflect the form of the new baseline.
When the integrity of the baseline can be confirmed, its new status is recorded. Affected
parties are notified and, in the case of electronic items, affected systems are inspected to
assure they comply with the new status. Most operational baselines are complex. They
may have thousands of components and interrelationships that must be maintained to
keep an accurate picture of the asset. Ensuring that their representation is up to date
is a resource-intensive exercise; however, it is an absolute condition for security. If the
representation of the asset is not assured deliberately and rigorously, the painfully
constructed understanding of the information asset base will eventually be lost.
Changes at any level in the representation are always maintained at each relevant
level, and they must reflect correctly and accurately the changed status of the actual
asset base. For instance, even adding an extra field to a financial record requires that
data administration reformat the database to capture the new information. At the same
time, from an assurance standpoint, if the form of the record is changed, there is now
something additional to secure (for example, the new item), so it is necessary to update
the baselines that contain that information item to reflect its new status, along with
changes to the controls.

Accounting for Information


It is necessary to create a formal organizational accounting function to assure that the
contents of the asset base are always accurate and known. In that respect, each baseline
is treated as if it were a separate account in a ledger. Individual transactions affecting
the form of those baselines, or the overall structure of the asset base itself, are entered
as they occur. The aim is to document and record all transactions for each baseline. This
function is not responsible for actually ensuring that the process of making the change
is carried out. Its purpose is to assure that up-to-date answers about the status of a given
baseline are available. The following data has to be gathered to assure that this function
operates as intended:

• The label and description of the information item
• How formally the item is controlled
• A description of the controls
• Measures appropriate to support the monitoring of the integrity of the item
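The following Python sketch is an added example, not the book's own material, that ties the change process of this section (request, authorization by the designated decision maker, implementation, verification) to the ledger idea just described: each baseline is an account, every transaction is posted as it occurs, the requester is recorded, and an approval attempt by someone without authority over the baseline is posted but changes nothing. The baseline names, people and request contents in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ChangeRequest:
    """The minimum facts the text requires before a decision can be made."""
    request_id: str
    baseline: str              # the baseline (ledger account) affected
    requester: str             # recorded so sensitivity and use can be validated later
    requirement: str           # organizational requirement that necessitates the change
    items_impacted: tuple      # labels of the information items affected
    controls_impacted: tuple   # labels of the controls affected
    estimated_cost: float      # costs and resource commitments
    high_risk: bool = False    # high-risk or resource-intensive changes need an executive


class BaselineLedger:
    """Each baseline is an account; every transaction affecting it is posted as it occurs."""

    def __init__(self, authorities: dict, executives: set):
        self.authorities = dict(authorities)   # baseline -> designated decision maker
        self.executives = set(executives)      # may approve high-risk changes anywhere
        self.accounts = {name: [] for name in self.authorities}
        self.requests = {}
        self.status = {}

    def _post(self, req, event, actor, note="", advance=True):
        """Append one ledger entry; advance=False for attempts that change nothing."""
        self.accounts[req.baseline].append({
            "at": datetime.now(timezone.utc).isoformat(),
            "request": req.request_id, "event": event, "actor": actor, "note": note,
        })
        if advance:
            self.status[req.request_id] = event

    def submit(self, req: ChangeRequest) -> str:
        if req.baseline not in self.accounts:
            raise KeyError(f"no such baseline: {req.baseline}")
        if not (req.requirement and req.items_impacted):
            raise ValueError("a request must state the requirement and the items impacted")
        self.requests[req.request_id] = req
        self._post(req, "SUBMITTED", req.requester)
        return req.request_id

    def authorize(self, request_id: str, approver: str) -> None:
        """Only the designated authority (or an executive, for high-risk changes) may approve."""
        req = self.requests[request_id]
        if self.status[request_id] != "SUBMITTED":
            raise RuntimeError(f"{request_id} is {self.status[request_id]}, not awaiting a decision")
        allowed = set(self.executives)
        if not req.high_risk:
            allowed.add(self.authorities[req.baseline])
        if approver not in allowed:
            self._post(req, "UNAUTHORIZED_ATTEMPT", approver,
                       "approver lacks authority over this baseline", advance=False)
            raise PermissionError(f"{approver} may not approve changes to {req.baseline}")
        self._post(req, "AUTHORIZED", approver)

    def implement(self, request_id: str, implementer: str) -> None:
        """The controlled repository is modified only after authorization."""
        if self.status.get(request_id) != "AUTHORIZED":
            raise RuntimeError("only authorized changes may be applied to the repository")
        self._post(self.requests[request_id], "IMPLEMENTED", implementer)

    def verify(self, request_id: str, verifier: str, integrity_ok: bool) -> str:
        """Inspection after implementation confirms the new status or rolls the change back."""
        if self.status.get(request_id) != "IMPLEMENTED":
            raise RuntimeError("nothing to verify")
        self._post(self.requests[request_id],
                   "VERIFIED" if integrity_ok else "ROLLED_BACK", verifier)
        return self.status[request_id]

    def history(self, baseline: str) -> list:
        """Up-to-date answer about the status of a baseline: every posted transaction."""
        return list(self.accounts[baseline])
```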

Other Considerations
Escalation policies must always be considered because changes to the business case
can modify the security requirements of a particular information item. For instance,
an information item generated by a software system under development will always
have different sensitivity requirements than the information that flows through the
same application when it begins supporting the core operation. Once that system and its data are moved up to operational status, it takes a different level of authority to approve changes to the representation of the information it processes. This approval requires some sort of procedure to assure that it actually happens. To assure that the integrity of the asset baselines is maintained as they evolve, it is a good idea to keep track of the individuals who requested the change. This allows security managers to validate sensitivity and use, for example.
Finally, in complex and outsourced situations typical of modern information system
work, it is an absolute requirement that asset baselines evolve through a single integrated and coordinated function. An organization's information resources frequently include
contributions from external participants—customers and subcontractors, for instance.
There should be a formal mechanism that assures that contributions do not inadver-
tently (or intentionally) damage the integrity of the organization’s understanding of its
own assets. Otherwise, if third parties had the capability to change baselines without
authority, there would be the extreme danger that the integrity of the entire asset could
be destroyed without anyone in the organization knowing it.
There is no greater threat to the integrity of information than uncontrolled change. If
the evolution of the baselines that represent the information asset is not controlled prop-
erly, critical information may be threatened because the necessary countermeasures were
not in place. This is not a trivial hazard and so it is essential that unauthorized changes
to the form of the asset base will not occur. Nevertheless, before we proceed to the next
section, which focuses on the actual steps to be taken to implement a reliable process for
controlling change, here are some questions to test your understanding of the process.
Cross Check

1. What is an information asset baseline and why is it critical to create one before
embarking on an information assurance process?
2. Why are asset baselines formulated hierarchically? What is the advantage of
approaching information identification that way?
3. Why are information asset baselines constantly changing? Is this a particular
problem in IT organizations?
4. Why is it important to control carefully changes that take place in the informa-
tion asset baseline?

Establishing the Assurance Function


In this part of the chapter, you will learn the details of establishing the assurance
function.

Basing the Response on the Risks


Information assurance maintains the integrity of the information asset base. That is,
once a baseline is established, explicit countermeasures can be put in place to assure
the protection of every organizational information asset. The assurance function can-
not be deployed, however, until the risks are understood fully. So, once the baselines
are established, it is necessary to do a rigorous threat assessment to identify the measures that must be taken to resolve each threat.
A control that has been deliberately set to counter an identified threat is a countermeasure. To identify the appropriate countermeasures, the organization must move item by item through the baseline and determine which threats apply. Most of the rest of this text discusses the types of specific countermeasures that may be used in various areas of
assurance. That is not our purpose here, because we are examining the process by which
all the vulnerabilities for every baseline are identified and recorded and the threats that
could exploit them are evaluated. The outcome of the process is an explicit inventory of
risks and the associated countermeasures.
The rigor of the process is always based on the degree of risk. The risk assessment can
be either formal or informal, but the idea is to identify all logical vulnerabilities. The
details of how to conduct a risk assessment are provided in the next chapter. Here we
are discussing the reasons for doing one and the general conditions that apply.
The risk assessment produces an initial characterization of the type and origin of
all reasonable threats to a particular information item. The next step in the process is
to determine the feasibility of each of the potential countermeasures that could be put
in place to address every identified threat. That requires an accurate understanding
of the precise threat-countermeasure relationship, which involves characterizing four
related factors:

1. Timing requirements
2. Corrective action requirements
3. Financial factors
4. Likelihood

Timing Requirements
Deciding when the countermeasure is applied is important because the value
of the corrective action depends on the ability to deliver it in sufficient time. The old
axiom about “closing the barn door after the horse has escaped” is an example of how
timing is a security issue.
Nonetheless, every threat has different timing requirements. Therefore, the feasi-
bility of the countermeasure should be evaluated based on the question of whether it
can react quickly enough to overcome the threat. For instance, an electronic penetra-
tion must be detected and responded to almost instantly or it will never be countered.
That is because the appearance of the threat is moving at the speed of the computer
itself. By comparison, an attempt by a thief to break into the computer room allows
a little more time to respond. Thus, timing has to be factored into any consideration
of feasibility.

Corrective Action Requirements


The same is true with corrective actions. A corrective action is the specific response that an
organization deploys for a given situation. There is a range of possible corrective actions
that could apply to a given threat. However, the most effective ones may not be feasible
because of technical, physical, or resource limitations. For example, if a software counter-
measure is identified as the best defense against a particular threat, it is prudent to assure
that it is compatible with the requirements of the current system. Otherwise, it would be
useless at best, and in the worst case it could constitute a threat.
The same considerations apply to physical countermeasures. For instance, it would
be hard to convince the Board of Directors to build another information systems build-
ing because the first is situated in a flood plain. That would be the case, even though
that might be the most effective countermeasure to the threat of floods. The salient
point is that corrective actions are always assigned on a sliding scale, which factors
feasibility and cost into the equation. The outcome is typically the selection of a coun-
termeasure that is the most practical, rather than the one that is the best in all cases.

Financial Factors
The most important element and the one that is most easily understood and accepted
by the people in the organization, is financial factors. Financial factors typically
describe the return on investment (ROI) for a given countermeasure. If the cost of
implementing a countermeasure is greater than the conceivable loss, it is pointless to
consider it. This may seem unlikely, but in the case of low-value assets, there is always
the possibility that the expense of maintaining a given level of security outweighs the
financial loss resulting from compromise. Therefore, a decision might be justified to let
the item sit unprotected.

Likelihood
Likelihood is composed of two factors. The first is the frequency of occurrence (of the
threat) and the second is the extent of the harm that might result. The extent of harm
should never be confused with frequency of occurrence. For instance, fires might
happen infrequently. Yet if they do, the likelihood is very high that significant harm
will occur. Therefore, a countermeasure to protect your house against fires would
be highly justified, even if they were unlikely to happen. Conversely, if there is little
harm from one incident of a threat but a high rate of occurrence, then some sort of
countermeasure might be justified because the aggregate impact of the resulting harm
over time may be significant. Frequency and probability have to be balanced in that
respect to establish a countermeasure set.

Hoping for the Best and Planning for the Worst


Of course, it is important to base the threat assessment on an uncertainty factor. The
term uncertainty describes the priority of the threat. It is expressed as a percentage,
in the same way weather forecasters predict rain. It is important to communicate the
threat in layman’s terms because threat assessment is never an exact science and yet
people, especially decision makers, have to understand the situation in sufficient depth
in order to build an appropriate response. This problem is a particular concern with an entity
as complex and abstract as information.
Uncertainty is expressed as a level of confidence—from zero to 100 percent. What
this confidence level communicates is the threat’s immediacy and impact. For instance,
a statement that a threat should be considered to be 100 percent likely to occur and
cause harm, in essence, states that the countermeasures are absolutely required.
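The cost-benefit rule above (a countermeasure that costs more than the conceivable loss is not worth considering), the frequency-versus-harm balance of the Likelihood section, and the confidence percentage just described can be put together in one small calculation. The Python below is an added example written for this edition, not code from the book; the threat names, loss figures, control costs and the way uncertainty widens the estimate are all assumptions chosen to mirror the three cases the text discusses.

```python
"""Countermeasure cost/benefit check with an uncertainty band.

Added example, not taken from the book. The threats, loss figures and
countermeasure costs below are constructed to mirror the chapter's cases:
a low-value asset, a rare but severe event (fire), and a frequent but
minor event.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    harm_per_incident: float   # loss caused by one occurrence, in currency units
    incidents_per_year: float  # expected frequency of occurrence
    confidence: float          # assessor's confidence in the estimate, 0.0 to 1.0


def annual_loss(threat: Threat) -> float:
    """Aggregate impact over time: harm per incident times yearly frequency."""
    return threat.harm_per_incident * threat.incidents_per_year


def loss_band(threat: Threat) -> tuple[float, float]:
    """Widen the point estimate by the assessor's uncertainty.

    Assumption (this example's, not the book's): uncertainty, i.e.
    1 - confidence, is treated as a symmetric relative error on the annual
    loss, so 80 percent confidence gives a band of plus or minus 20 percent.
    """
    base = annual_loss(threat)
    spread = base * (1.0 - threat.confidence)
    return (max(0.0, base - spread), base + spread)


def decide(threat: Threat, control_cost_per_year: float,
           residual_fraction: float) -> str:
    """Return 'implement', 'accept' or 'reassess' for one countermeasure.

    residual_fraction is the share of the annual loss that remains after the
    countermeasure is in place (0.0 means it eliminates the loss entirely).
    """
    low, high = loss_band(threat)
    avoided_low = low * (1.0 - residual_fraction)
    avoided_high = high * (1.0 - residual_fraction)
    if avoided_low >= control_cost_per_year:
        return "implement"   # pays for itself even at the low end of the band
    if avoided_high < control_cost_per_year:
        return "accept"      # costs more than any plausible loss; leave unprotected
    return "reassess"        # outcome hinges on the uncertainty; refine the estimate


# Constructed sample threats (figures are illustrative, not from the book).
FIRE = Threat("office fire", harm_per_incident=500_000.0,
              incidents_per_year=0.02, confidence=0.8)
LOW_VALUE_ASSET = Threat("loss of the lunch-menu archive", harm_per_incident=200.0,
                         incidents_per_year=0.5, confidence=0.9)
FREQUENT_MINOR = Threat("mis-addressed internal e-mail", harm_per_incident=50.0,
                        incidents_per_year=400.0, confidence=0.5)


def review() -> dict[str, str]:
    """Run the three cases: (threat, control cost per year, residual fraction)."""
    cases = [(FIRE, 3_000.0, 0.1),
             (LOW_VALUE_ASSET, 500.0, 0.0),
             (FREQUENT_MINOR, 12_000.0, 0.2)]
    return {t.name: decide(t, cost, residual) for t, cost, residual in cases}


if __name__ == "__main__":
    for name, verdict in review().items():
        print(f"{name}: {verdict}")
```

The third case is the one the band exists for: a frequent, minor incident whose aggregate loss may or may not justify a twelve-thousand-a-year control, depending on how much the assessor trusts the frequency estimate. That is exactly the situation in which the text says the figure has to be communicated together with its uncertainty rather than as a bare number.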

Documenting the Countermeasures


Once the analysis of the risks is complete, the organization will know two different and
highly related things. First, it will know precisely what information assets it holds. This
has already been recorded in the set of baselines. Second, the organization will know
the type and priority of each of the threats to every one of the items in the baseline as
well as the countermeasures established to mitigate them. Figure 1-5 describes that
relationship.

[Figure 1-5 (diagram): a row of Individual Information Elements, each with its Associated Control Set, resting on a single Coherent Information Assurance Control Baseline.]

Figure 1-5 Relationship between the asset baseline and the control baseline

Therefore, the countermeasures that have been selected for each item in the asset
baseline must be recorded as well. The final version of the representation of the asset
base has the information item and its associated countermeasures tightly bound to each
other. Changes to either type of baseline component are maintained in that way; in
essence, the information and the associated countermeasures have to correspond. It is
acceptable to have controls that do not specifically reference an information item or

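One way to make the binding in Figure 1-5 concrete, so that the correspondence between information items and their control sets can be checked mechanically rather than by eye, is to keep both baselines in one structure with a change ledger. The Python below is an added example, not the book's or any vendor's code; the dotted hierarchical labels, the sample HR items and the control names are constructed, and the rule that a control bound to a parent label covers the items beneath it is this example's assumption, not something the chapter states.

```python
"""An asset baseline bound to its control baseline, with a change ledger.

Added example, not from the book. The dotted hierarchical labels, the sample
items and the control names are constructed for illustration. One assumption
goes beyond the text: a control bound to a parent label is taken to cover
every item beneath it in the hierarchy.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AssetItem:
    label: str        # hierarchical label, e.g. "HR.PERSONNEL.RECORDS"
    version: int = 1  # bumped by the change process


@dataclass
class Control:
    name: str
    applies_to: set[str] = field(default_factory=set)  # asset labels it protects


@dataclass
class Baseline:
    assets: dict[str, AssetItem] = field(default_factory=dict)
    controls: dict[str, Control] = field(default_factory=dict)
    ledger: list[tuple[str, str, int]] = field(default_factory=list)  # (event, label, version)

    def add_asset(self, label: str) -> None:
        """Labels must be unique, and every parent level must already exist."""
        if label in self.assets:
            raise ValueError(f"duplicate label {label}")
        parent = label.rpartition(".")[0]
        if parent and parent not in self.assets:
            raise ValueError(f"parent {parent} missing for {label}")
        self.assets[label] = AssetItem(label)
        self.ledger.append(("add", label, 1))

    def bind(self, control_name: str, *labels: str) -> None:
        """Bind a control to zero or more items (a control may be organization-wide)."""
        unknown = [lab for lab in labels if lab not in self.assets]
        if unknown:
            raise ValueError(f"control {control_name} references unknown items {unknown}")
        self.controls.setdefault(control_name, Control(control_name)).applies_to.update(labels)

    @staticmethod
    def _ancestry(label: str) -> set[str]:
        """The label itself plus every parent label above it."""
        chain = set()
        while label:
            chain.add(label)
            label = label.rpartition(".")[0]
        return chain

    def controls_for(self, label: str) -> list[str]:
        """Controls bound to the item or to any level above it (example's assumption)."""
        chain = self._ancestry(label)
        return sorted(n for n, c in self.controls.items() if c.applies_to & chain)

    def check(self) -> dict[str, list[str]]:
        """Verify that the two baselines correspond.

        An item with no control is a defect. A control bound to no item is
        acceptable (the chapter allows controls that reference no specific
        item) but is listed so it can be reviewed.
        """
        return {
            "unprotected": sorted(a for a in self.assets if not self.controls_for(a)),
            "unbound_controls": sorted(n for n, c in self.controls.items() if not c.applies_to),
        }

    def change_asset(self, label: str) -> list[str]:
        """Record a new version of an item and return the controls to re-review."""
        item = self.assets[label]
        item.version += 1
        self.ledger.append(("change", label, item.version))
        return self.controls_for(label)


def build_sample() -> Baseline:
    """Constructed sample: a small HR subtree with one control bound to nothing yet."""
    b = Baseline()
    for label in ("HR", "HR.PERSONNEL", "HR.PERSONNEL.RECORDS", "HR.PAYROLL"):
        b.add_asset(label)
    b.bind("background-checks", "HR.PERSONNEL")
    b.bind("security-awareness-training")  # organization-wide, no specific item
    return b


if __name__ == "__main__":
    b = build_sample()
    print(b.check())                     # HR and HR.PAYROLL are unprotected
    b.bind("access-control", "HR")       # covers the whole HR subtree
    print(b.check())
    print(b.change_asset("HR.PERSONNEL.RECORDS"), b.ledger[-1])
```

Running `check()` before the second `bind` reports the two items the control baseline does not reach; after it, the only remaining finding is the organization-wide control that references no item, which the chapter says is acceptable. `change_asset` is the ledger half of the relationship: a new version of an item is recorded and the controls that now need review are returned, so the two baselines cannot silently drift apart.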

Documenting the Assurance Solution


Preparing and documenting a specific set of work practices establishes a concrete
link between each specific item of information and the countermeasures that are set
to protect it. Detailed work practices assure that the operational steps necessary to
maintain a correct relationship between the information and its countermeasures are
documented, understood, and practiced across the organization. In order to make
certain that these work practices are designed and documented correctly, the following
factors have to be considered:

• Sequence and timing of countermeasures
• Specific monitoring practices
• Accountabilities
• Documentation and reporting
• Problem resolution responsibilities

Sequence and Timing


Countermeasures are generally not applied at the same time. Instead, they must be
sequenced properly. For example, these might be the countermeasures specified for
the personnel function:

1. Background checks will be performed for all new hires.
2. An initial employee orientation will be held to obtain confidentiality agreements.
3. Employees will receive regularly scheduled security training.
4. Employee violations of policy and procedure will be disciplined.
5. Employees will be given periodic random background checks.
6. Employees will report all security incidents they see.
7. Employee-reported security incidents will be recorded and quantified.
8. Employees leaving the organization will be processed using secure personnel practice.
9. Unfriendly terminations will be processed as security incidents.

There is a logical sequence for how these are deployed. For instance, it is impossible
to quantify an incident before it has been reported, while some of these items might take
place at the same time or interchangeably. However, it is not good practice to assume
that everybody knows the sequence. As a case in point, it is a matter of organizational
choice whether employees sign a confidentiality agreement before or after their
credentials are verified. While there are potential security risks associated with not
verifying a person's credentials first, there is little threat to confidentiality, since
the employee has not yet been hired. As such, it is important that the personnel manager
understand which task to do first, and that knowledge cannot be assumed. This is a minor
item, but it serves to illustrate the point that sequence needs to be considered in the
design process for countermeasures.
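The personnel countermeasures above can be written down as a dependency graph, so that the sequence the text says cannot be assumed is recorded and checked rather than carried in the personnel manager's head. The Python below is an added example, not from the book. It uses the chapter's nine steps; the only dependency the text states is that reporting precedes quantification, and every other edge is marked as this example's assumption.

```python
"""Sequencing countermeasures as a dependency graph.

Added example, not from the book. The nine personnel countermeasures are the
chapter's list; the only ordering the text states outright is that an incident
cannot be quantified before it is reported. Every other edge below is marked
'assumed' and is this example's reading of the list.
"""
from __future__ import annotations
from graphlib import TopologicalSorter, CycleError  # standard library, Python 3.9+

STEPS = {
    1: "Background checks for all new hires",
    2: "Initial orientation; confidentiality agreements obtained",
    3: "Regularly scheduled security training",
    4: "Discipline for violations of policy and procedure",
    5: "Periodic random background checks",
    6: "Employees report security incidents",
    7: "Reported incidents are recorded and quantified",
    8: "Leavers processed using secure personnel practice",
    9: "Unfriendly terminations processed as security incidents",
}

# step -> steps that must already be in place
DEPENDS_ON: dict[int, set[int]] = {
    7: {6},      # stated in the text: cannot quantify before it is reported
    3: {2},      # assumed: ongoing training follows initial orientation
    4: {3},      # assumed: discipline presupposes training on the policy
    5: {1},      # assumed: random re-checks follow the initial check
    9: {7, 8},   # assumed: needs both incident handling and leaver processing
}
# Deliberately absent: any edge between 1 and 2. The text leaves
# check-before-agreement or the reverse to organizational choice.


def stages(depends_on: dict[int, set[int]] = DEPENDS_ON) -> list[list[int]]:
    """Group steps into deployment stages; steps in one stage may run together.

    Raises graphlib.CycleError if the dependencies contradict each other.
    """
    ts = TopologicalSorter({s: depends_on.get(s, set()) for s in STEPS})
    ts.prepare()
    out: list[list[int]] = []
    while ts.is_active():
        ready = sorted(ts.get_ready())
        out.append(ready)
        ts.done(*ready)
    return out


def must_precede(a: int, b: int, depends_on: dict[int, set[int]] = DEPENDS_ON) -> bool:
    """True if step a is a direct or transitive prerequisite of step b."""
    stack, seen = [b], set()
    while stack:
        for p in depends_on.get(stack.pop(), ()):
            if p == a:
                return True
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return False


def left_to_choice(depends_on: dict[int, set[int]] = DEPENDS_ON) -> list[tuple[int, int]]:
    """Pairs with no constraint either way: the design must settle these explicitly."""
    return [(a, b) for a in STEPS for b in STEPS
            if a < b and not must_precede(a, b, depends_on)
            and not must_precede(b, a, depends_on)]


if __name__ == "__main__":
    for n, stage in enumerate(stages(), 1):
        print(f"stage {n}:", ", ".join(f"{s}. {STEPS[s]}" for s in stage))
    print("unordered pairs:", left_to_choice())
```

The `left_to_choice` list is the useful output: it names every pair the graph does not order, which is precisely the set of decisions (such as background check versus confidentiality agreement) that the text says the organization has to make and write down rather than leave to whoever happens to be doing the job.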

Monitoring
Monitoring has two purposes. First, it assures that the relationship between the
information and its countermeasures will be supervised; second, it allows the
organization to evolve its countermeasures continuously as new threats arise. A focused
monitoring process assures both of these functions. It is established by developing work
practices that specify the participants, schedule, and responsibilities for each monitoring
activity, as well as the reporting requirements.
Accountabilities
Explicit accountability for oversight and problem resolution should be assigned as part
of the description of the countermeasures. Otherwise, their application will not be
supervised properly. This requires that individual supervisory roles and responsibilities be
defined for each countermeasure, including the change management authority discussed
earlier in this chapter. Then, performance of these duties needs to be overseen using the
monitoring process just discussed. To assure evenhanded administration of discipline,
the consequences of a failure to meet assigned obligations must be spelled out.

Documentation and Reporting


The documentation and reporting function is established and maintained through a
statement of the specific steps required to assure proper recording and reporting of
incidents. That statement defines what information will be captured and specifically
how it will be recorded and reported. Customary reporting lines have to be specified to
assure this. The statement must also identify all management reports to be produced,
down to their specific layout.

Problem Resolution
Finally, a statement has to be made about how problems will be resolved. This set of
work practices, usually called problem resolution, defines how typical problems with
operations will be handled as they are identified, who is responsible for their
resolution, and the criteria that will be used to determine whether a problem has been
resolved properly. This function closes the loop in ensuring consistent application of
the process, because it guarantees that problems that arise during operation will be
dealt with systematically.

Keeping the System Aligned



As the final point, remember the importance of keeping the baseline properly aligned
with the evolution of the operating infrastructure of the organization. This is an
iterative process: given the complex demands of even the simplest organizational
situation, it is inappropriate to develop a static representation and then fail to
maintain it. Therefore, effectiveness implies a commitment to continuous monitoring,
adjustment, and updating of the baseline.
This process should entail solicitation of continual and regular feedback from the
operational environment. The feedback is important because, in addition to providing
guidance, a well-executed feedback system generates a high degree of organizational
buy-in. This final benefit—universal acceptance—justifies fully the work required to
obtain that feedback because it assures disciplined performance of the security work.
We are now going to move on to the specific elements of information assurance, but
before we do so, we would like you to review a final set of key questions to check your
understanding of the ideas in this chapter.
Chapter 1: Knowing What to Secure
Cross Check

1. In terms of focus, what is the difference between the selection of the controls for
information assurance and the deployment of the actual response? Why should these be
considered different aspects?
2. What is the role of the change control process and why might it be the single most
important success factor?
3. Why is it necessary to conduct operational risk assessment on an ongoing basis? How
are the outcomes of this process used?
4. What are the organizational and business case issues and constraints involved in
control selection? Why are these critical determinants of the ongoing effectiveness of
the information assurance system and how can they be affected by change?
5. Why is it necessary to maintain a classic change management process for the
information asset baseline? What is the role of the information baseline accounting
ledger in this process and why is it important?
6. Why is it necessary to value controls to implement information assurance? What does
the organization lose by not doing this (for example, what would be the situation if this
were not done)?
7. What is the role of threat assessment in the overall control formulation process? Why
is threat assessment a primary success factor for operational implementation?
8. Why is it necessary to follow the steps in the process? What is the likely consequence
of jumping ahead a few steps to conclude things?

Chapter 1 Review
Chapter Summary
• The asset management process is composed of six interdependent organizational
activities: process implementation, asset identification, change control, status
accounting, asset evaluation, and version management.
• The baseline identification is important because the deployment of assurance controls
is directly referenced to the structure and content of the asset being managed.
• Change control is necessary because information assets are constantly evolving and
there should be an organizational process to manage that natural evolution. Without
change control, the ability to account for the information base with certainty would
quickly disappear.
• Status accounting maintains a running account of all asset baselines and performs the
routine reporting activities required to convey that information to the appropriate
people when needed.
• Asset evaluation constitutes a formal inspection of the target baseline. It should be
performed on a scheduled basis.
• The asset management process is formally defined and implemented by means of an asset
management plan.
• One of the primary benefits of well-managed asset baselines is that they fully
underwrite the risk management and disaster recovery process.
• The identification and baselining process is the essential element in the establishment
of an effective asset management program and, as a result, the cornerstone of asset
management is the asset identification scheme.
• In practice, the aggregated set of related information assets is termed a "baseline."
• Items defined at each level are provided with unique and appropriate labels. Generally,
these labels are associated with the structure itself.
• At the lowest level of decomposition, the baseline scheme that emerges will represent
the concrete architecture of the target information asset.
• A change management process is necessary to establish and maintain explicit control
over the information asset baselines and associated controls.
• Change management starts with having a defined mechanism for processing change
requests. This is a documentation activity.
• Changes at each level in the structure of the information asset baseline are maintained
at all relevant levels in the ledger. They must reflect correctly and accurately the
changed status of the actual information item.
• Operationally, a control set is assigned once the target asset is unambiguously
understood.
• The actual process of designing the control set necessitates a step-by-step analysis of
the precise protection requirements of each individual element comprising the
information resource.
• The purpose of assessment is to assure the effectiveness as well as confirm the coverage
of the assurance scheme.
• The assessment operation is carried out much like other conventional testing activity.
The practical outcome of this process is a formal analysis of effectiveness.
• The final form of the system is composed of two independently formulated, but
interrelated, baselines: the information asset baseline, which describes the form of the
resource, and the control baseline, which provides the actual assurance.
• The application of the required controls for each information item must be spelled out
in the form of itemized work practices.
• Effectiveness implies a commitment to continuous monitoring and adjustment. This process
should be centered on constantly seeking feedback from the operational environment.
Key Terms
asset base (5)
asset identification (4)
asset management (2)
asset management plan (2)
authorized decision makers (11)
baseline (1)
baselining (1)
change control (7)
change management (8)
concrete architecture (6)
controlled repository (11)
corrective action (14)
countermeasure (13)
decision maker (3)
disaster recovery (3)
family tree (5)
financial factors (15)
risk management (3)
status accounting (8)
timing (3)
uncertainty (15)
version management (9)
work practices (16)

Key Term Quiz


Use the preceding vocabulary terms to complete the following sentences. Not all terms
will be used.

1. Testing to refine the control set in its operational environment is called ________.
2. Each information item is identified by a unique and appropriate ________.
3. Essentially, ________ types of baselines are involved in asset management.
4. The baseline that provides the specific assurance function is called the ________.
5. The goal of authorization is to assure that the designated ________ authorizes all
changes to information and control ________.
6. Implementing work practices involves consideration of their ________.
7. Threats to information are identified by means of a ________.
8. ________ is necessary because an organization's information can legitimately be in
more than one form, tax records for instance.
9. Measures to resolve problems are called ________.
10. ________ maintains an up-to-date record of the form of the asset.
Multiple Choice Quiz
1. Information asset management:
A. is irrelevant to information assurance
B. implements policy
C. involves AT&E
D. is unnecessary

2. Baselines:
A. are abstract
B. are intangible
C. are hierarchical
D. must be programmed

3. The process of formulating the control set should be based on:


A. best guess
B. confidence
C. iteration
D. a sense of humor

4. To do its work properly, the status accounting function relies on the use of:
A. code reviews
B. repositories
C. controls
D. verifications

5. Information asset management is always based on:


A. a plan
B. an analysis
C. best guess
D. best practice

6. Version management is necessary because:


A. there are often multiple examples of the same information
B. software comes in multiple versions
C. there might be two organizations involved
D. versions are difficult to identify

7. A disciplined change process is necessary because:


A. discipline is important
B. the protection scheme must be continuously aligned to the business case
C. items that are left out of the protection scheme will still be protected
D. change never happens

8. Documented baselines serve as:


A. a warning against threats
B. the model for good security practice
C. the basis for access control
D. a proxy for the information asset itself

Essay Quiz
In your own words, briefly answer the following:

1. Why is it important to control changes to asset baselines?
2. Why is the labeling process approached hierarchically?
3. Differentiate asset baselines from control baselines.
4. How do the asset management procedures relate to overall information assurance
policy?
5. What is the role of risk assessment when it comes to baseline formulation?
6. Why is organizational buy-in so important to good asset management?
7. What is the purpose of version management, why is it necessary, and what are the
outcomes if it is not practiced?
8. Why is it logical to begin the information assurance process with an information
identification step?
9. Why must labels be unique? What purpose does unique labeling serve in the real world?
10. Why is assignment of accountability important? What would be the consequence of not
having it?

Case Exercise
Complete the following case exercise as directed by your instructor:
Refer to the Heavy Metal Technology Case in Appendix A. You have been assigned the
baseline management responsibility for the project to upgrade the target acquisition and
display (TADS) for the AH-64D Apache Longbow attack helicopter. To start the process, you
know you must first identify and array a complete and coherent baseline of high-level
documentation items. Using the project materials outlined in the case (and others you
want to add because you feel they are appropriate), perform the following tasks:

• Identify all distinct types of documentation.
• Relate these documentation items to each other. If there are implied relationships,
what are they?
• Provide unique labels for each item that reflect their relationship to each other and
through which another reader could easily see that relationship.
• Formulate these items into a coherent baseline.
• Define a change control system to assure that the integrity of each of these items will
be preserved over time.
• Justify the effectiveness of that control scheme.
Another random document with
no related content on Scribd:
Afstand ROUTE. Afstand naar Soort
van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
1.9 29.6 23.9 ,,
Joure

4.4 Ousterhaule. 34.— 19.5 G. S.


2.9 36.9 16.6 S.
Rotsterhaule
3.2 Vierhuizen. 40.1 13.4 ,,
2.6 Delfstrahuizen. 42.7 10.8 G.
3.4 46.1 7.4 S. G.
Echten [132]
3.9 50.— 3.5 G.
Oosterzee
3.5 53.5 — ,,
LEMMER

Door de Schrans verlaat men Leeuwarden 1637 en volgt den


straatweg rechtuit. Door Irnsum en voorbij de Oude Schouw rechtsaf

357 naar Terhorne. Daar linksaf en rechtuit. Voorbij Snikzwaag


rechtsaf naar Joure. Door Joure en even vóór het tramstation

rechtsaf. 405. Ruim 1 K.M. verder links den straatweg op, dien

men volgt tot Rotsterhaule, aldaar rechtuit en dan rechtsaf 844.


Voorbij Delfstrahuizen rechtsaf en in Oosterzee linksaf. Aan den dijk

gekomen rechtsaf 95 en achter langs den dijk naar Lemmer.


De geheele weg mag en kan met automobielen bereden worden.
[132]
[Inhoud]

431d Blad 3–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar Soort


van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 55.9
LEEUWARDEN

7.— 7.— 48.9 S.


Wijtgaard

3.— De 3 Romers. 10.— 45.9 ,,


4.2 14.2 41.7 ,,
Irnsum

1.8 16.— 39.9 ,,


Oude Schouw
2.7 18.7 37.2 ,,
Akkrum
12.— 30.7 25.2 ,,
Heerenveen
Afstand ROUTE. Afstand naar Soort
van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.

4.5 35.2 20.7 S. G.


Rottum
3.— St. Johannesga. 38.2 17.7 G.
1.1 39.3 16.6 ,,
Rotsterhaule
3.2 Vierhuizen. 42.5 13.4 ,,
2.6 Delfstrahuizen. 45.1 10.8 S.
3.4 48.5 7.4 S. G.
Echten
3.9 52.4 3.5 G.[133]
Oosterzee
3.5 55.9 — G.
LEMMER

Door de Schrans verlaat men Leeuwarden 1637 en volgt den


straatweg rechtuit naar Akkrum. Door A. en aan het einde der

keibestrating rechtsaf 870 en rechtuit naar Heerenveen. Door


H. rechtuit en na 1 K.M. rechtsaf, over den spoorweg. Voorbij
Rottum rechts- en dan linksaf. In Rotsterhaule links- en dan rechtsaf

844. Voorbij Delfstrahuizen rechtsaf en in Oosterzee linksaf. Aan

den dijk gekomen 95, rechtsaf naar Lemmer.

De weg is goed berijdbaar, de grintweg echter grootendeels niet


over de geheele breedte.
De geheele weg mag en kan met automobielen bereden worden.
[133]
[Inhoud]

432a Blad 8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar elke Soort


van plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 26.— —
WOLVEGA

2.2 Sonnega. 2.2 23.8 G.


2.— Oldetrijne. 4.2 21.8 S.
4.4 Nijetrijne. 8.6 17.4 ,,
2.7 Spanga. 11.3 14.7 ,,
5.8 Schoterzijl. 17.1 8.9 S. G.
8.9 26.— — G.
LEMMER

Aan het einde van het dorp Wolvega rechts- en dan linksaf. In

Sonnega rechtuit 436 en steeds den straatweg volgen. Voorbij

Spanga aan het einde van den straatweg linksaf 1366 en op

den dijk bij Schoterzijl rechtsaf 1367 en achter langs den dijk
naar Lemmer.

De weg is vrij goed berijdbaar.


De geheele weg mag en kan met automobielen bereden worden.
[Inhoud]

432b Blad 7–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar Soort


van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 26.4
WOLVEGA

1.8 Sonnega. 1.8 24.6 G.


4.1 5.9 20.5 ,,[134]
Oldelamer
4.3 Monnikeburen. 10.2 16.2 ,,
2.4 12.6 13.8 ,,
Scherpenzeel

4.9 Schoterzijl. 17.5 8.9 ,,


8.9 26.4 — ,,
LEMMER

Aan het einde van het dorp Wolvega rechts- en dan linksaf. Te

Sonnega rechtsaf 436 en 2 K.M. verder aan splitsing linksaf

1406 naar Oldelamer. Voorbij Scherpenzeel rechtsaf 1366


en op den dijk bij Schoterzijl 1367 weer rechts en langs den
dijk naar Lemmer. [134]

De weg is goed berijdbaar, echter slechts gedeeltelijk over de


geheele breedte.

De geheele weg mag en kan met automobielen bereden worden.


[Inhoud]

432c Blad 7–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar elke Soort


van plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 35.1
WOLVEGA

4.4 4.4 30.7 S.


De Blesse

2.6 Blesdijke. 7.— 28.1 ,,


2.9 Oldemarkt. 9.9 25.2 S. G.
5.— Ossenzijl. 14.9 20.2 G.
7.2 22.1 13.— ,,
Kuinre
2.1 Slijkenburg. 24.2 10.9 ,,
2.— Schoterzijl. 26.2 8.9 ,,
8.9 35.1 — ,,
LEMMER

Men volgt den straatweg in de richting Steenwijk en slaat bij de

Blesse rechtsaf naar Blesdijk en Oldemarkt. Te O. rechtsaf 193


en daarop linksaf en langs de kerk. Bij de volgende splitsing rechtsaf

194 en voorbij het klooster, dat rechts blijft liggen, op den

zeedijk rechtsaf 333 naar Kuinre. Door Kuinre en in Slijkenburg


links houden. In Schoterzijl verlaat men den dijk en rijdt achter den
dijk langs naar Lemmer.

De weg is vrij goed berijdbaar.

De geheele weg mag en kan met automobielen bereden worden.


[135]
[Inhoud]

433 Blad 7–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar elke Soort


van plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 28.9
LEMMER

5.2 Tacozijl. 5.2 23.7 G.


3.5 8.7 20.2 ,,
Sondel
2.7 11.4 17.5 ,,
Nijemirdum

3.— Oudemirdum. 14.4 14.5 ,,


2.7 Huis Rijs. 17.1 11.8 ,,
4.1 21.2 7.7 ,,
Hemelum
3.3 Warns. 24.5 4.4 ,,
4.4 28.9 — ,,
STAVOREN
Vanaf Lemmer volgt men den dijk in westelijke richting tot even

voorbij Tacozijl, dan langs de vaart naar Sondel. Hier linksaf


1135 en over Nijemirdum en Oudemirdum tot het Huis „Rijs”. (D e
z e e r s c h o o n e , m e e r d a n 2 0 0 H.A. g r o o t e
w a n d e l b o s s c h e n a c h t e r „H u i s R ij s ” z ij n v o o r h e t
publiek toegankelijk, terwijl bij den heer B. H.
van der Goot, te Harich, rentmeester van den
eigenaar der bezittingen, kaarten zijn te
bekomen, die het recht geven in de bosschen
o o k t e m o g e n f i e t s e n .) Bij het „Huis Rijs” blijft men rechtuit

gaan 1729. 1 K.M. verder bij den wegwijzer ook rechtuit, en op


den volgenden dwarsweg links naar Hemelum. Aldaar rechtuit. Te

Warns voorbij de school rechtsaf 1271. 1½ K.M. verder links;


kort vóór Stavoren bij een molen rechtsaf naar het station
Stavoren 32 of rechtuit naar Stavoren zelf.

De weg is grootendeels goed berijdbaar. Tusschen Lemmer en


Sondel zijn vele hekken over den weg.

De geheele weg mag en kan met automobielen bereden worden.


[136]
[Inhoud]

434a Blad 7–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar Soort


van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 47.3
HEERENVEEN

—.8 Nijehaske. —.8 46.5 G.


6.1 Haskerhorne. 6.9 40.4 ,,
2.2 Westermeer. 9.1 38.2 ,,
—.6 9.7 37.6 ,,
Joure

6.4 St. Nicolaasga. 16.1 31.2 ,,


3.5 Spannenburg 19.6 27.7 ,,
(Wollegaast).
1.6 21.2 26.1 ,,
Tjerkgaast
2.4 23.6 23.7 ,,
Sloten
1.4 25.— 22.3 ,,
Wijckel
Afstand ROUTE. Afstand naar Soort
van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
(2.9) (—) (—) (G.)
(Sondel )
3.4 28.4 18.9 G.
Balk
(1.5) (—) (—) (G.)
(Harich )
3.5 31.9 15.4 G.
Kippenburg
(3.7) (Oudemirdum). (—) (—) (S.)
3.6 Huis Rijs. 35.5 11.8 G.
4.1 39.6 7.7 ,,
Hemelum
3.3 Warns. 42.9 4.4 ,,
4.4 47.3 — ,,
STAVOREN

Men volgt de tramrails, langs het station en kort daarna linksaf over

den spoorweg. Vóór Joure bij het „Huis ter Huivre” linksaf 405
en dan rechtuit over de Scharsterbrug en langs het Huis ter Heide.

In St. Nicolaasga 406 rechts houden en 1 K.M. verder links. Bij


het gehucht Wollegaast, meer bekend onder den naam van het
Logement „Spannenburg” of „Het Wapen van Friesland”, kruist men

den straatweg 89; door Sloten rechtuit; in Wijckel om de kerk

heen 1679. (I n d e k e r k t e W ij c k e l
bezienswaardig praalgraf van Menno van
C o e h o o r n , t e b e z i c h t i g e n à 1 0 ct. d e p e r s o o n ), en
rechtsaf naar Balk. Van den spoorwegovergang bij Heerenveen tot
Balk volgt men steeds de telegraafpalen. In B. over een ophaalbrug

en dan linksaf 173. Rechtuit het dorp door en langs

Kippenburg. Bij het huis „Rijs” rechtsaf 1729. (D e z e e r


s c h o o n e , m e e r d a n 2 0 0 H.A. g r o o t e
w a n d e l b o s s c h e n a c h t e r „H u i s R ij s ” z ij n v o o r h e t
publiek toegankelijk, terwijl bij den heer B. H.
van der Goot, te Harich, rentmeester van den
eigenaar der bezittingen, kaarten zijn te
bekomen, die het recht geven in de bosschen te
m o g e n f i e t s e n .) 1 K.M. verder bij den wegwijzer ook rechtuit
en op den volgenden dwarsweg links naar Hemelum. Aldaar rechtuit.

Te Warns voorbij de school rechtsaf 1271. 1½ K.M. verder,


links, kort vóór Stavoren bij een molen rechtsaf naar het station
Stavoren 33 of rechtuit naar Stavoren zelf. Mirns blijft links liggen.
Voorbij Mirns komt men op den zeedijk, waarop vele hekken zijn.

De weg is tot Mirns vrij goed berijdbaar, verder is [137]de weg minder
goed, soms zelfs slecht. Bij het Huis ter Heide boschrijk. Bij
Kippenburg voert de weg, en ook de zijweg naar Oudemirdum, door
een boschrijke streek (Gaasterland).

Naar Sondel: In Wijckel rechtuit 1679. 34

Naar Harich: In Balk de brug over zijnde, links 173, en dan

rechts 174.

Naar Oudemirdum: Bij Kippenburg linksaf. 35


De geheele weg mag en kan met automobielen bereden worden.
[Inhoud]

434b Blad 7–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar Soort


van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 51.9
HEERENVEEN

—.8 Nijehaske. —.8 51.1 G.


5.7 Haskerhorne. 6.5 45.4 ,,[138]
2.— Westermeer. 8.5 43.4 ,,
—.6 9.1 42.8 ,,
Joure

6.2 St. Johannesga. 15.3 36.6 ,,


3.5 Spannenburg 18.8 33.1 ,,
(Wollegaast).
6.5 25.3 26.6 S. G.
Woudsend
2.— IJpecolsga. 27.3 24.6 G.
4.9 32.2 19.7 ,,
Harich
1.1 33.3 18.6 ,,
Balk
Afstand ROUTE. Afstand naar Soort
van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
3.3 36.6 15.3 ,,
Kippenburg
3.6 Huis Rijs. 40.2 11.7 ,,
3.1 Mirns. 43.3 8.6 ,,
8.6 51.9 — ,,
STAVOREN

Men volgt de tramrails, langs het station en kort daarop linksaf over

den spoorweg. Vóór Joure bij het „Huis ter Huivre” linksaf 405
en dan rechtuit over de Scharsterbrug en langs het „Huis ter Heide”.

In St. Nicolaasga 406 rechts houden en 1 K.M. verder [138]links.


Bij het gehucht Wollegaast, meer bekend onder den naam van het
Logement „Spannenburg” of het „Wapen van Friesland”, slaat men

op den straatweg rechtsaf 89 en 5 K.M. verder bij K.M.-paal 34

linksaf 1508 naar Woudsend. In W. rechtuit en voorbij


IJpecolsga bij een wegwijzer linksaf. Even vóór Harich 36 weder links

1728 en in Balk rechtsaf 174. Rechtuit naar en langs


Kippenburg.

Bij het „Huis Rijs” rechtsaf 1729. (D e z e e r s c h o o n e ,


m e e r d a n 2 0 0 H.A. g r o o t e w a n d e l b o s s c h e n a c h t e r
„H u i s R ij s ” z ij n v o o r h e t p u b l i e k t o e g a n k e l ij k ,
terwijl bij den heer B. H. van der Goot, te
Harich, rentmeester van den eigenaar der
bezittingen, kaarten zijn te bekomen, die het
recht geven in de bosschen ook te mogen
f i e t s e n .) 1 K.M. verder bij den wegwijzer linksaf en dan steeds
rechtuit. Mirns blijft links liggen. Voorbij Mirns bereikt men den
zeedijk en loopt de weg deels op, deels achter dien dijk; tusschen
Mirns en Stavoren eenige hekken, deze worden gewoonlijk geopend
door jongens, die daarvoor een cent ontvangen, het geven van geld
is echter niet verplicht.

De weg is grootendeels goed berijdbaar. Bij Kippenburg voert de


weg door een boschrijke streek Gaasterland. Vóór Mirns loopt de
weg over een hoogte en vóór Stavoren eveneens over een hoogte,
genaamd „Het Roode Klif”; beide heuvels bieden een mooi
vèrgezicht. [139]

De geheele weg mag en kan met automobielen bereden worden.


[Inhoud]

434c Blad 7–8 van den Bonds-atlas.

Afstand ROUTE. Afstand naar Soort


van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 49.6
HEERENVEEN

—.8 Nijehaske. —.8 48.8 G.


5.7 Haskerhorne. 6.5 43.1 ,,
2.— Westermeer. 8.5 41.1 ,,
—.6 9.1 40.5 ,,
Joure

6.2 St. Nicolaasga. 15.3 34.3 ,,


3.5 Spannenburg 18.8 30.8 ,,
(Wollegaast).
6.5 25.3 24.3 S. G.
Woudsend
2.1 IJpecolsga. 27.4 22.2 G.
4.2 Elahuizen. 31.6 17.— ,,[140]
1.4 33.— 16.6 ,,
Nijega
2.6 Oudega. 35.6 14.— ,,
Afstand ROUTE. Afstand naar Soort
van elke plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
2.2 37.8 11.8 ,,
Kolderwolde
4.1 41.9 7.7 ,,
Hemelum
3.3 45.2 4.4 ,,
Warns
4.4 49.6 — ,,
STAVOREN

Men volgt de tramrails, langs het station en kort daarna linksaf over

den spoorweg. Vóór Joure bij het „Huis ter Huivre” linksaf 405
en dan rechtuit over de Scharsterbrug en langs het „Huis ter Heide”.

In St. Nicolaasga 406 rechts houden en 1 K.M. verder links. Bij


het gehucht Wollegaast, meer bekend onder den naam van het
logement „Spannenburg” of het „Wapen van Friesland”, slaat men op

den straatweg rechtsaf 89 en 5 K.M. verder bij K.M.-paal 34

linksaf 1508 naar Woudsend. Alhier rechtuit. Voorbij IJpecolsga


bij een wegwijzer rechtsaf en steeds rechtuit naar Warns. Aldaar

even voorbij de school rechtsaf. 1271, 1½ K.M. verder, links,


kort vóór Stavoren bij een molen rechtsaf naar het station Stavoren
37
of rechtuit naar Stavoren zelf.

De geheele weg mag en kan met automobielen bereden worden.


[140]
[Inhoud]

435a Blad 7 van den Bonds-atlas.

Afstand ROUTE. Afstand naar elke Soort


van plaats. v. d.
plaats tot weg.
plaats. Heen. Terug.
— 27.9
STAVOREN

8.6 Mirns. 8.6 19.3 G.


3.1 Huis Rijs. 11.7 16.2 ,,
4.1 15.8 12.1 ,,
Hemelum
3.3 19.1 8.8 ,,
Warns
3.2 Molkwerum. 22.3 5.6 ,,
5.6 27.9 — ,,
STAVOREN

Men volgt vanaf Stavoren zuidwaarts den zeedijk, waarop vele


hekken zijn. Vóór Mirns verlaat de weg dezen dijk linksaf. Dan langs
Mirns, dat rechts blijft liggen, en rechtuit. 2½ K.M. nadat men den
dijk verlaten heeft, slaat men bij een handwijzer rechtsaf naar „Huis
Rijs”. (D e z e e r s c h o o n e , m e e r d a n 2 0 0 H.A. g r o o t e
w a n d e l b o s s c h e n a c h t e r „H u i s R ij s ”, z ij n v o o r h e t
publiek toegankelijk, terwijl bij den heer B. H.
van der Goot, te Harich, rentmeester van den
eigenaar der bezittingen, kaarten zijn te
bekomen, die het recht geven in de bosschen
o o k t e m o g e n f i e t s e n .)

Van „Huis Rijs”, denzelfden weg terug, doch nu bij den


bovengenoemden wegwijzer rechtuit. 3 K.M. voorbij „Huis Rijs” links
naar Hemelum en rechtuit naar Warns. Aldaar even voorbij de school

rechtsaf 1271.

In Molkwerum even voorbij de kerk linksaf 1272, [141]over een

brug en dan rechtuit naar den zeedijk, hier linksaf 1762 naar
Stavoren; vóór Stavoren links langs het emplacement van den
spoorweg, dan rechts den spoorweg over en langs de andere zijde
van het emplacement naar Stavoren.

De weg is goed berijdbaar. Tusschen Molkwerum en Stavoren zijn


eenige hekken, deze worden gewoonlijk geopend door jongens, die
daarvoor 1 cent ontvangen; het geven van geld is echter niet
verplicht.

De geheele weg mag en kan met automobielen bereden worden.


[Inhoud]

435b Blad 7 van den Bonds-atlas.

Distance      ROUTE            Distance to each place    Type of
between                        Out        Back           road
places
—             STAVOREN         —          28.3
8.6           Mirns            8.6        19.7           G.
3.1           Huis Rijs        11.7       16.6           G.
4.9           Galamadammen     16.6       11.7           G.
2.1           Koudum           18.7       9.6            G.
4.—           Molkwerum        22.7       5.6            G.
5.6           STAVOREN         28.3       —              G.

From Stavoren one follows the sea dyke southwards, on which there are many gates. Before Mirns the road leaves this dyke to the left. Then past Mirns, which stays on the right, and straight on. 2½ km after leaving the dyke, one turns right at a signpost towards "Huis Rijs". (The very beautiful walking woods behind "Huis Rijs", more than 200 ha in size, are open to the public, while tickets that also give the right to cycle in the woods can be obtained from Mr. B. H. van der Goot at Harich, steward of the owner of the estate.)

From "Huis Rijs", the same road back, but now straight on at the above-mentioned signpost. 3 km past "Huis Rijs" right and soon left again, and past Galamadammen to Koudum. Here left at 1270 and along the Koudumervaart across the railway to Molkwerum. Here right at 1272 and on the sea dyke left at 1762. Before Stavoren left along the railway yard, then right across the railway and along the other side of the yard to Stavoren.

The road is well rideable. Between Molkwerum and Stavoren there are some gates; these are usually opened by boys who receive 1 cent for it; giving money is, however, not obligatory.

The whole road may and can be driven by motor car.


436a Sheets 3–8 of the Bonds-atlas.

Distance      ROUTE            Distance to each place    Type of
between                        Out        Back           road
places
—             LEEUWARDEN       —          54.6
7.—           Wijtgaard        7.—        47.6           S.
3.—           De 3 Romers      10.—       44.6           S.
4.2           Irnsum           14.2       40.4           S.
1.8           Oude Schouw      16.—       38.6           S.
2.7           Akkrum           18.7       35.9           S.
12.—          Heerenveen       30.7       23.9           S.
3.6           Oude Schoot      34.3       20.3           S.
7.6           Wolvega          41.9       12.7           S.
4.4           De Blesse        46.3       8.3            S.
8.3           STEENWIJK        54.6       —              S.

Through the Schrans one leaves Leeuwarden at 1637 and follows the paved road straight on to Akkrum. Through A. and at the end of the cobbled paving right at 870 and straight on to Heerenveen. One follows the paved road straight on throughout. Before Wolvega one crosses the railway.

The road is well rideable. Near Heerenveen lies the well-known estate "Oranjewoud" and some other beautiful estates.

The whole road may and can be driven by motor car.


436b Sheets 3–8–9 of the Bonds-atlas.

Distance      ROUTE                Distance to each place    Type of
between                            Out        Back           road
places
—             LEEUWARDEN           —          73.7
7.—           Wijtgaard            7.—        66.7           S.
3.—           De 3 Romers          10.—       63.7           S.
4.2           Irnsum               14.2       59.5           S.
1.8           Oude Schouw          16.—       57.7           S.
2.7           Akkrum               18.7       55.—           S.
4.2           Oldeboorn            22.9       50.8           G.
11.6          Beets                34.5       39.2           S.
1.6           Beetsterzwaag        36.1       37.6           S.
7.2           Gorredijk            43.3       30.4           S. G.
(6.8)         (Tijnje)             (—)        (—)            (S.)
6.—           Oldehorne            49.3       24.4           S. G.
4.—           Oldeberkoop          53.3       20.4           G.
5.6           Noordwolde           58.9       14.8           S.
2.7           Wilhelmina's oord    61.6       12.1           S.
3.8           Frederiksoord        65.4       8.3            S.
(9.3)         (Havelte)            (—)        (—)            (S.)
8.3           STEENWIJK            73.7       —              G.

Through the Schrans one leaves Leeuwarden at 1637 and follows the paved road straight on to Akkrum. Through A. and at the end of the cobbled paving straight on at 870 and across the railway. At Oldeboorn
