Information Security and Assurance
2011, Springer eBooks
https://doi.org/10.1007/978-3-642-23141-4…
11 pages
Abstract
The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
Related papers
Communications in Computer and Information Science, 2018
the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Annals of Information Systems, 2010
, except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
2006
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, and for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright regulations. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
2016
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
2020
Springer Series in Wireless Technology, 2020
Current Requirements and Future Perspectives
In this chapter, the reader finds a structured definition to develop, implement, and keep the needed regulatory rules or principles for an Information System Security (ISS). In addition, the reader finds how to ensure the right use of this ISS, as well as in authorization and protection against disaster situations such as an effective system protection when accessing, storing, using, and retrieving the information in normal or contingency situations. This compound is the structure of information security policy that is based on a set of controls as described in NBR ISO/IEC 27002 (ABNT, 2005). The definition of this structure for the information security policy is important because the Norm ABNT (2005) does not indicate nor define—nor explain—how the structure of this policy should be (i.e., which are the fundamental elements and functions, which are the standards of rules for the controls and other practical issues) so that the policy could be effective for the organization. The str...
Springer eBooks, 2018
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
1987
This module is a broad based introduction to information protection techniques. Topics include the history and present state of cryptography, operating system protection, network protection, fault tolerance and safety engineering, physical protection techniques, management tradeoffs, legal issues, and current research trends. The successful student in this course will be prepared for an in-depth course in any of these topics.
Given the impact of information on society, and the growing number of applications that require privacy and integrity in operation, it is important for software engineers to be aware of the available techniques and policies for information protection, and their advantages and disadvantages in a wide variety of situations. This module is designed as a broadly based introduction to information protection concepts applicable to the work of any software engineer, and as such, it has primary responsibility for introducing some of the problems, solutions, and pitfalls of protection systems. If there is a single concept that the student should learn from the module, it is that the design and implementation of sound protection systems are extremely complex, and the ramifications of protection system failure can be extreme.
This module does not provide in-depth coverage. For certain audiences, more detailed coverage of some or all topics may be appropriate. The bibliography provides references to sources of additional material that may be added at the instructor's discretion.
Cryptography. The student should be able to demonstrate several encryption techniques, methods by which they may be attacked, and estimates of the time required to attack them successfully under reasonable assumptions. The use of cryptosystems for the protection of information should be well understood, and the concepts of authentication and encryption should be clearly differentiable. Some simple private and public key protocols and design trade-offs, in terms of space and time, should be demonstrable. The statistical nature of language should be clearly understood as a critical key in the analysis of most cryptosystems. A healthy skepticism about products on the market should be demonstrated, and a clear understanding that cryptosystem design is difficult should be displayed.
Operating System Protection. The student should be able to identify a number of different attacks against operating systems and to indicate which are relatively easy to prevent and which are virtually impossible. The student should be familiar with a number of policies for the protection of information, and demonstrate a clear understanding of the place of protection policy in the design of protection systems. The student should be able to differentiate between attacks that are preventable by proper implementation, those which require protection policy measures for their limitation, and those for which there is no known defense. A broad knowledge of protection models, including the subject object model, the security and integrity models, the lattice and poset (partially ordered set) models, and the difference between identification, authentication, and authorization should be shown. The student should understand in depth the concept of defense and be able to explain the rationale behind it. Students should be able to carry on an intelligent discussion with regard to the trusted system evaluation criterion and its role in operating system protection. The role of audit, testing, and life cycle assurance should be clearly
SEI-CM-5-1.2 (Preliminary)
