Therefore, a request for Los Angeles data from an HR clerk in New York might be fully trusted if the data request originated from the New York network, but not from the Internet.
In addition, users can move from a higher to a lower area of trust without restriction. It is quite common for a business to allow employees to access the Internet from an internal network without authenticating their identity, but quite uncommon to allow anyone on the Internet access to their internal network without authentication. Furthermore, data can move from areas of lower trust to higher trust, but not from higher to lower. For example, financial information that is available to the public on the Internet should be available to the chief financial officer (CFO) from the internal network.
Yet, information that is available to the CFO on the internal network should not be available to the public on the Internet.
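The trust rules described above can be checked mechanically against a list of access and data-flow events. The following is an added example, not part of the original article: the zone names and ranks, the Event record, and the treatment of equal-trust moves and authenticated entry as allowed are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed trust ranks. The text names only the Internet and the internal
# network; "dmz" is a hypothetical middle level added for illustration.
TRUST = {"internet": 0, "dmz": 1, "internal": 2}

@dataclass(frozen=True)
class Event:
    kind: str                    # "access": a user in src reaches into dst
    src: str                     # "data": data held in src is delivered to dst
    dst: str
    authenticated: bool = False

def evaluate(ev):
    """Return (allowed, reason) for one event under the trust rules above."""
    s, d = TRUST.get(ev.src), TRUST.get(ev.dst)
    if s is None or d is None:
        return False, "unknown zone"              # fail closed
    if ev.kind == "access":
        if s >= d:
            return True, "user moves to equal or lower trust"
        if ev.authenticated:
            return True, "authenticated entry into higher trust"
        return False, "unauthenticated entry into higher trust"
    if ev.kind == "data":
        if s <= d:
            return True, "data moves to equal or higher trust"
        return False, "data leaves higher trust for lower trust"
    return False, "unknown event kind"

def audit(events):
    """Return (event, reason) for every event the rules deny."""
    findings = []
    for ev in events:
        allowed, reason = evaluate(ev)
        if not allowed:
            findings.append((ev, reason))
    return findings

# Constructed sample events mirroring the cases in the text.
SAMPLE = [
    Event("access", "internal", "internet"),                      # employee browsing
    Event("access", "internet", "internal"),                      # anonymous outsider
    Event("access", "internet", "internal", authenticated=True),  # remote employee
    Event("data", "internet", "internal"),    # public financials read by the CFO
    Event("data", "internal", "internet"),    # CFO-only data exposed publicly
    Event("access", "guest-wifi", "internal", authenticated=True),  # unmapped zone
]

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE):
        print(f"DENY {ev.kind} {ev.src}->{ev.dst}: {reason}")
```

Events from a zone that has not been assigned a trust level are denied rather than defaulted, so a gap in the zone inventory shows up as a finding.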
Figure 2 below shows three different trust levels used for the organization's physical domain.

Figure 2.

Finally, all company data and resources should be classified upon entry to an organization, using descriptors such as public, private, proprietary, privileged, confidential, top secret, sensitive, and restricted. The specific labels used are less important than the meanings assigned to each and whether they are defined clearly, applied consistently companywide, manageable in number, and reviewed periodically.
Because security costs increase as access to the data becomes more restricted, and data classification can change based on the value and nature of the information, the classification should be as cost effective as possible and based on the value of the information. For instance, corporate policies do not need to be stored on a separate encrypted network or be monitored by an intrusion detection system.
Another aspect of data classification is that of access control. Access to data and resources can be granted using the following three controls:

Companywide data should be classified based on this role-based access control to enable the organization to define roles and functions, as well as grant, modify, or remove user rights more effectively.
Assessments are an essential component of the security architecture because they enable the company to determine the architecture's effectiveness. As part of the assessment, internal auditors can recommend that the organization creates a cross-functional team consisting of the following:

Before the assessment, auditors should solicit input from each of the team members above as early in the planning stage as possible to ensure all potential risks and concerns are addressed and a good understanding of the environment is available to guide the development of audit activities.
In addition, auditors need to consider the use of an independent external provider with the skills and tools necessary to assess the environment in thorough detail if the required capacity is not available within the company. This is particularly relevant where vulnerability assessments and penetration testing are concerned due to the highly specialized nature of the work and the continuously expanding scope of the threat environment.
In some cases, it may even be more efficient to rely on a service provider to keep up with the constant flux in the required field of knowledge rather than attempt to get internal resources up to speed a few times per year. Once the necessary information is gathered from those responsible for each architecture component or activity, auditors are ready to begin the assessment process. To maximize their efforts, auditors need to become familiar with influencing factors, including but not limited to:
In addition, auditors should consider "breaking" the architecture into manageable pieces. To do this, auditors need to perform a review of the documented policies and procedures for completeness, aligning them with recognized standards and by relevance to the environment and business needs. This needs to be followed by a review of the security organization and associated business processes for concerns such as staffing levels, training, and segregation of duties. A separate technical audit for design, configuration, and operation of the security infrastructure also should take place and might include vulnerability and penetration testing.
Effective and well-planned security architectures can help an IT department manage companywide risks consistently by leveraging industry best practices and allowing the department to make better, quicker decisions. In addition, security architectures can reduce the cost of managing IT risks, improve flexibility and adaptability to changes by implementing common IT practices and solutions, and promote interoperability and integration while minimizing risks. Internal auditors who wish to obtain more information about the security architecture process could visit the following articles, Web sites, and publications:
- Inclusion and exclusion of who and what is subject to the domain of the security architecture.
- Access and border control.
- Validation and adjustment of the architecture.

Guidance

The security architecture should be created and implemented based on established security guidance i. These companywide policies and procedures should:

- Document and communicate management's goals and objectives for the architecture.
- Define the organization's response to laws, regulations, and standards of due care i.
- Identify the elements, function, and scope of the security architecture.
- Support other functional policies e.

These elements include:

- Standards that define common expectations on each security tool or procedure, such as the organization's firewall design or specific antivirus software in use.
- Procedures that provide step-by-step instructions on actions to be performed to complete a task, such as user registration or incident response activities.
- Baselines that identify a minimum level of expected performance and provide a starting point for measuring the degree of compliance with management expectations, such as server-build specifications and intrusion detection system configurations.
- Guidelines that provide general items or approaches to consider, such as product evaluation criteria or government recommendations.

Common security architecture users include:

- The executive managers responsible for establishing corporate strategy and monitoring corporate goals.
- The information security employees responsible for the security environment's daily operation and monitoring.
- The application and data owners who use the IT applications and related business data.
- The data custodians or the IT staff responsible for maintaining IT applications and database infrastructure.
- The end-users or employees who interact with the IT applications and data on a daily basis.
- The internal auditors who are responsible for reviewing the identity management system's compliance with internal and external rules.

Inclusion and Exclusion

The security architecture should protect all elements of the company's IT environment — from publicly accessible Web and e-mail servers and financial reporting systems to confidential human resources (HR) data and private customer information.

Access and Border Control

Access to IT and business resources should be controlled through a series of layers — from broad and general to discrete and granular.

Validation and Adjustment

Developing secure borders and restricting access based on business need is not a one-time process — businesses grow and change, people come and go, and technology advances.

Training

By nature, most people are helpful and focus on performing their tasks efficiently.

Technology

The hardware and software used to deploy, manage, and monitor the security architecture is the element most frequently associated with security.

Design Frameworks

Organizations can choose from a variety of existing frameworks when creating their security architecture.

Access to data and resources can be granted using the following three controls:

- Principle of Least Privilege, in which access is granted only to resources that are required for specific, authorized functions e.
- Mandatory access control, in which technical, low-level access is granted by the custodian of the application or data e.
- Discretionary access control, in which high-level access is established by the application or data owner based on need e.
As part of the assessment, internal auditors can recommend that the organization creates a cross-functional team consisting of the following:

- Information security staff, subject-matter experts who will be responsible for the architecture's daily security.
- IT and operations management staff who will be responsible for supplying the IT infrastructure that supports the organization.
- System and network administrators familiar with the IT environment and responsible for implementing much of the technical element of the security architecture.