The document provides information security considerations and recommendations for IT decision makers and business managers. It discusses the market environment for information security, best practices for information security programs, and how to make effective decisions regarding information security technologies and solutions. Key areas of information security technology are reviewed along with resources for further information.

1. Information Security Considerations and Recommendations for IT Decision Makers and Business Unit General Managers Black Opp Systems John Reno [email_address] August 2009 August 2009 Black Opp Systems

5. Market Environment –Information security system best practices Business Requirements Life Cycle Review Business Drivers Policy Risks Requirements Definition Strategy Risk model Data map Control map Control Implement Manage Audit Business Enablement August 2009 Black Opp Systems

7. Market Environment – Representative issues August 2009 Black Opp Systems Supplier Customer Shopping Purchasing Using and Maintaining Marketing Selling Shipping Service and Support Design Development Payables Receivables Receiving Collaborative Commerce Intellectual Property Search, Discovery, Offering Reputation Trusted Transactions Integrity Electronic Funds Transfer Value Logistics/Supply Chain Management Theft Customer Relationship Management Privacy

9. Market Environment – Threat evolution August 2009 Black Opp Systems Examples: Trends: => Attackers focus on the network layer => Proliferation of worms => Dissolving network perimeter => Attackers focus on the application layer => Attackers shift to client side attacks

10. Market Environment – Threat Economy August 2009 Black Opp Systems Writers Middle Men Second Stage Abusers Bot-Net Management: For Rent, for Lease, for Sale Bot-Net Creation Personal Information Electronic IP Leakage Worms Spyware Tool and Toolkit Writers Viruses Trojans Malware Writers First Stage Abusers Machine Harvesting Information Harvesting Hacker/Direct Attack Internal Theft: Abuse of Privilege Information Brokerage Spammer Phisher Extortionist/ DDoS-for-Hire Pharmer/DNS Poisoning Identity Theft Compromised Host and Application End Value Financial Fraud Commercial Sales Fraudulent Sales Advertising Revenue Espionage (Corporate/ Government) Fame Extorted Pay-Offs Theft

11. Market Environment – Compliance Structure August 2009 Black Opp Systems FISMA HIPAA SOX GLB INTEL COMSEC DoD ISO PCI SP 800-53 DCID NSA Req DoD IA Controls 17799/ 27001 DSS Guide SP 800-68 DISA STIGS NSA Guides Risk Management , Policy, Controls and Configuration Guidance

13. Market Environment -The customer security system: product and service categories August 2009 Black Opp Systems Security Products Risk management Policy management Business continuity Application security Data security Encryption Endpoint and network enforcement SEIM/monitoring Security services Risk management Policy development Assessment Compliance Audit Architecture Implementation

14. Market Environment – Representative Security Framework (NIST) August 2009 Black Opp Systems Security Life Cycle SP 800-39 Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). SP 800-53A ASSESS Security Controls Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. FIPS 199 / SP 800-60 CATEGORIZE Information System Continuously track changes to the information system that may affect security controls and reassess control effectiveness. SP 800-37 / SP 800-53A MONITOR Security State SP 800-37 AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls SP 800-70 FIPS 200 / SP 800-53 SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. ASSESS Security Controls CATEGORIZE Information System MONITOR Security State AUTHORIZE Information System IMPLEMENT Security Controls