INFOSEC MANAGEMENT

This section includes papers from a variety of sources that bear on the management of information security.

Video Reviews

This section include page-long summaries and evaluations of some excellent awarness and training films available on CDs and DVDs from various sources.

Backups     PDF

Consolidated 20 articles originally published in Network World Security Strategies newsletter.

Botnet Response: Why Inadequate?     PDF

Research student Akshay Awasthi asked me a question for his research paper and I have posted my answer here.

Cloud Storage: The Risks and Rewards     PDF

Excellent review article by Jérémy Legendre -- originally his term paper for the IS340 Introduction to Information Assurance course in Fall 2012. Mildly edited by Mich and posted with permission of the author.

Computer Security Incident Response Team Management     PDF

How to set up and run an effective CSIRT.

CYBER OPSEC    ZIP

Protecting Yourself Online. Interagency OPSEC Support Staff materials (public domain) from 2010. ZIP archive (2.4GB) contains contents of the DVD for installation. See the description file (PDF).

Developing Security Policies      PDF

Chapter 44 from the Computer Security Handbook, 4th Edition (CSH4) reviews methods for developing security policies in specific organizations. It was later updated to become Chapter 66 of the CSH5.

DISA TRAINING MATERIALS

The Defense Information Systems Agency (DISA) stopped producing the excellent training CD-ROM "Computer Incident Response Team Management" in 2007. In response to my enquiry about providing the CD-ROM to MSIA students enrolled in the CSIRTM Elective, someone from DISA with a bit of gender confusion about me caused by my name responded "Dear Ms Kabay, / Thank you for your interest! However we discontinued that product, CIRT Management, just recently. We do have a few copies may have kept on hand, if you want a copy, then you can make copies of it for your students. There is no charge for our products. . . ."*

The same lack of restrictions applies to all of the following public-domain, US-government-created CD-ROM contents from DISA which I have ZIPped up for you. Feel free to download the ZIP files and install them to disk. Use the README files or click on the appropriate start file for instructions on installation of the specific title. May be freely copied and distributed on condidion that there is no charge and that no data are modified in any manner.

_____________________
*By the way, DISA helpfully offered and then shipped me a few copies left over. The stack of large cardboard boxes in front of my home was seven feet high and contained over one thousand copies of the CIRT disk. MORAL: don't accept "a few" anything from a government agency without asking "How many are a few?"
[Note added in March 2015: after forcing every security and computer science major at Norwich University from 2004 on to accept a copy of the CIRT CD (apparently being used as coasters, coffee-cup covers and miniature Frisbees
®) and also desperately offering them to visiting high school students at Norwich Open House events as if the CDs were treasures, we are down to the last dozen copies. Baruch Hashem!]

  • DISA Computer Incident Response Team Management CD-ROM    OVERVIEW      ZIP

  • DISA Computer Network Defense CD-ROM      OVERVIEW     ZIP

  • DISA Cyberlaw CD-ROM      OVERVIEW     ZIP

  • DISA CyberProtect v2 CD-ROM      OVERVIEW     ZIP

  • DISA Database Security CD-ROM      OVERVIEW     ZIP

  • DISA System Security Awareness CD-ROM      OVERVIEW     ZIP

End of Passwords, The      PDF

Why I hate passwords as a method for authentication.

English in China     MP3

The Bus Driver and the Tour Guide were Not What They Seemed: A cautionary tale from a trip to the People's Republic of China in 1994. (2 MB sound file)

Facilities Security Audit Checklist     PDF

Questions to help you evaluate the security of your building.

IA_JCS

INFORMATION ASSURANCE: Legal, Regulatory, Policy, and Organizational Considerations, 4th Edition.     PDF

White Paper on the Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63, May 1998. 535 pp. Appendices, Indices. Published by United States Joint Chiefs of Staff, August 1999.

Identification, Authentication and Authorization on the World Wide Web     PDF

This white paper appeared in 1997 as part of the ICSA (International Computer Security Association) [previously National Computer Security Association and later TruSecure and then CyberTrust] Web site. This version has a few updates to the identifying information (e.g., removing and old e-mail address) but is otherwise as originally written (and thus now out of date). This later became the basis of an evolving chapter in the Computer Security Handbook editions from Wiley.

Identity Theft Resource Center Advice for 2010    PDF

10 practical measures you can take to reduce the likelihood of successful identity theft and the nightmare of recovering from the damage to your finances and reputation. With thanks to the ITRC for their excellent work and permission to distribute their document.

Implementing Computer Security: If Not Now, When?      PDF

This little paper reviews key threats to information and urges managers not to wait in developing and implementing security policies.

ITAR Sticks Users with Unfair Encryption Restrictions      PDF

In 1993, Phil Zimmermann and others were being harrassed for violating the International Traffic in Arms Regulations (ITAR) because strong cryptography was being shared across international boundaries. This Network World Security Perspectives article was one of many attacks on the policy.

Passwords    PDF

Compilation of articles on passwords originally published in Network World Security Strategies.

Net Present Value of Information Security    PDF

Thoughts about ways of presenting information security as more than just loss-avoidance. This paper was later published with additions by colleagues Karen Worstell and Mike Gerdes of AtomicTangerine and published on the now-defunct SecurityPortal Web site. Over the years I have added to my original version with corrections and updates.

Personnel Management and INFOSEC    PDF

Hiring, management and firing with an eye to information assurance. Later became a chapter in the Computer Security Handbook, 4th Edition and then in the 5th edition.

Preparing for the Next Solar Max    PDF

Solar storms threaten the critical infrastructure. Get ready.

Protecting Your Reputation in Cyberspace    PDF

This paper looks at how we can use e-mail and other electronic communications responsibly and professionally. It is intended to provide useful information for corporate INFOSEC awareness programs.

Securing Your Business in the Age of the Internet    PDF

Five pages this time to convince your bosses to pay attention to INFOSEC.   

Security on a Budget
   PDF    PPT (no narration)
   MP3 (narration for lecture)

About 40 minutes of narrated lecture on the key elements of managing information security effectively. Delivered via Vermont Interactive Television to an audience in Germany at a conference sponsored by Network World Deutschland in December 2002. If you would like to hear the lecture as well as see the slides, you can download the MP3 file (~ 8MB) and move through the slideshow as you listen to the sound. The first 7.5 minutes are in German, so you can skip ahead if you want to start with the English section.

Security Breach Notification Laws    PDF

Foley & Lardner LLP and Evershades prepared a comprehensive summary of security breach notification laws in November 2009 covering US and international laws. This PDF file is posted for free download with permission of the authors.

Social Psychology and INFOSEC: Psycho-Social Factors in the Implementation of Information Security Policy
PDF    PPT

This paper was first delivered at the 16th National Computer Security Conference in 1993, where it was accorded one of the two Best Paper awards. This version has been updated and was published as Chapter 35 of the Computer Security Handbook, 4th Edition and then updated as Chapter 50 in the 5th Edition.   

Stopping Chain Letters and Hoaxes on the Internet    PDF

This was originally a response to a friend who kept sending jokes, frightening rumors and virus hoaxes to everyone she knew with instructions to send the jokes, frightening rumors and virus hoaxes to everyone they knew and so on ad nauseam.  Now return to the beginning of this description and read it again.  And again.  And. . . .

Using Email Safely and Well (v10)    PDF

Compilation of several short papers published from 1995 through 2007; updated January 2016:

1          FIRST E-IMPRESSIONS
2          DISCRETION IN E-MAIL CRITICISM          
3          HTML-FORMATTED E-MAIL DOESN’T WORK RELIABLY
4          CC + REPLY ALL = TROUBLE:
5          BCC PREVENTS E-MAIL NUISANCES
6          BURYING YOUR E-MAIL MESSAGE          
7          MISLEADING SUBJECT LINES
8          E-MAIL DISCLAIMER STIMULATES EXPLETIVES
9          FORWARDING CORPORATE E-MAIL
10        E-MAIL SUBJECT LINES EXPLOITED BY WORMS
11        INTERNET E-MAIL AND THE FIREWALL
11.1     Management Implications of External Access
11.2     E-mail Access to FTP
11.3     Denial of Service
12        ORGANIZATIONAL E-MAIL ADDRESSES
13        THE KEEPER OF THE LISTS
14        MAILSTORMS

VA Data Insecurity Saga    PDF

A collection of articles from Network World Security Strategies discussing the loss of control over personally identifiable data at Veterans Affairs.

Velocihackers and Tyrannosaurus superior    PDF

A 1993 column from Network World (the paper version) that reviews the movie Jurassic Park and draws lessons for security experts from the misadventures of the heroes and villains.

What's Important for Information Security:  A Manager's Guide     PDF

Yet another attempt to reach managers who are not yet interested in security.    

Waving the Red Flag: Rules for Reducing Identity Theft     PDF

Commentary on the Notice of Proposed Rulemaking for banks and other financial institutions for Red Flag guidelines against identity theft.

Wireless LAN Security     ZIP (6 MB)

Training materials from the Government of Canada Communications Security Establishment (with both English and French versions). May be freely copied and distributed on condidion that there is no charge and that no data are modified in any manner.    

Copyright © 2017 M. E. Kabay.  All rights reserved.

The opinions expressed in any of the writings on this Web site represent the authorís opinions and do not necessarily represent the opinions or positions of his employers, associates, colleagues, students, relatives, friends, enemies, cats, dog or plants. Materials copyrighted by M. E. Kabay from this Website may be freely used for non-commercial teaching (i.e., specifically in any courses for academic credit or in free industry training at workshops or within organizations) but may not be re-posted on any Website or used in commercial training (where participants must pay fees for participation in the conference or workshop or where the instructor is paid) without express written permission. Any unauthorized sale of these copyrighted materials will be prosecuted to the full extent of the law.

Updated 2016-07-15