Advertisement

Implementing an Information Security Program

  • Cliff GlantzEmail author
  • Joseph Lenaeus
  • Guy Landine
  • Lori Ross O’Neil
  • Rosalyn Leitch
  • Christopher Johnson
  • John Lewis
  • Robert Rodger
Chapter
Part of the Terrorism, Security, and Computation book series (TESECO)

Abstract

The threats to information security have dramatically increased with the proliferation of information systems and the internet. Chemical, biological, radiological, nuclear, and explosives (CBRNe) facilities need to address these threats in order to protect themselves from the loss of intellectual property, theft of valuable or hazardous materials, and sabotage. Project 19 of the European Union CBRN Risk Mitigation Centres of Excellence Initiative is designed to help CBRN security managers, information technology/cybersecurity managers, and other decision-makers deal with these threats through the application of cost-effective information security programs. Project 19 has developed three guidance documents that are publically available to cover information security best practices, planning for an information security management system, and implementing security controls for information security.

Keywords

Information security Security controls Information security management system Risk-based security Cybersecurity Blended attack 

Notes

Acknowledgments

This chapter was produced in connection with Project 19 of the European Union Chemical Biological Radiological and Nuclear Risk Mitigation Centres of Excellence Initiative. The initiative is implemented in cooperation with the United Nations Interregional Crime and Justice Research Institute and the European Commission Joint Research Center. The initiative is developed with the technical support of relevant international and regional organizations, the European Union Member States, and other stakeholders, through coherent and effective cooperation at the national, regional, and international level. Special thanks go to Odhran McCarthy and the staff at the United Nations Interregional Crime and Justice Research Institute for their support, patience, and technical guidance during this project.

References

  1. 1.
    Schneier B.: Modeling Security Threats. In: Dr. Dobb’s Journal (1999). Accessed March 20, 2017 at https://www.schneier.com/paper-attacktrees-ddj-ft.html
  2. 2.
    United Nations Interregional Criminal Justice Research Institute: How to Implement Security Controls for an Information Security Program at CBRN Facilities. UNICRI, Turin, Italy (2015b). Accessed March 20, 2017 at http://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf
  3. 3.
    United Nations Interregional Criminal Justice Research Institute: Information Security Management System Planning for CBRN Facilities. UNICRI, Turin, Italy (2015c). Accessed March 20, 2017 at http://www.pnnl.gov/main/publications/external/technical_reports/PNNL-24874.pdf
  4. 4.
    United Nations Interregional Criminal Justice Research Institute: Information Security Best Practices for CBRN Facilities. UNICRI, Turin, Italy (2015a). Accessed March 20, 2017 at http://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf
  5. 5.
    International Organization for Standardization: ISO/IEC 27000:2014 Information Technology—Security Techniques—Information Security Management Systems—Overview and Vocabulary (2013)Google Scholar
  6. 6.
    International Organization for Standardization: ISO 27001 Controls and Objectives Annex A (2014)Google Scholar
  7. 7.
    The White House Plan: National Strategy for Information Sharing and Safeguarding (2012). Accessed March 20, 2017 at https://obamawhitehouse.archives.gov/sites/default/files/docs/2012sharingstrategy_1.pdf
  8. 8.
    IEEE Standard for Developing Software Life Cycle Processes in: Institute of Electrical and Electronics Engineers IEEE Standard 1074-1995 (1997). Accessed March 20, 2017 at http://arantxa.ii.uam.es/~sacuna/is1/normas/IEEE_Std_1074_1997.pdf
  9. 9.
    Council on Cyber Security: Critical Security Controls for Effective Cyber Defense, Version 5 (2015). Accessed March 20, 2017 at https://www.cisecurity.org/critical-controls/Library.cfm
  10. 10.
    Australian Signals Directorate: ‘Top 4’ Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained. Australian Signals Directorate/Defence Signals Directorate, Australian Government, Department of Defence, Intelligence and Security (2013). Accessed March 20, 2017 at http://www.asd.gov.au/publications/Top_4_Strategies_Explained.pdf
  11. 11.
    National Rural Electric Cooperative Association: Guide to Developing a Cyber Security and Risk Mitigation Plan. NRECA/Cooperative Research Network Smart Grid Demonstration Project. Arlington, Virginia (2014a). Available by using the download tool at https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Pages/default.aspx. Accessed March 20, 2017
  12. 12.
    National Rural Electric Cooperative Association: Cyber Security Plan Template. NRECA/Cooperative Research Network Smart Grid Demonstration Project. Arlington, Virginia (2014b). Available by using the download tool at https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Pages/default.aspx. Accessed November 23, 2015.
  13. 13.
    NIST - National Institute of Standards and Technology. 1995. An Introduction to Computer Security: The NIST Handbook. NIST Special Publication 800-12. National Institute of Standards and Technology, Gaithersburg, Maryland. Accessed July 26, 2017 at http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
  14. 14.
    NIST - National Institute of Standards and Technology. 2013a. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82, revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland. Accessed July 26, 2017 at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r1.pdf.
  15. 15.
    NIST - National Institute of Standards and Technology. 2013b. Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication 800-53, revision 4. Accessed July 26, 2017 http://dx.doi.org/10.6028/NIST.SP.800-53r4.
  16. 16.
    NIST - National Institute of Standards and Technology. 2014. “The Security Content Automation Protocol (SCAP).” Accessed July 26, 2017 at http://scap.nist.gov/.
  17. 17.
    CERT. 2010. “Insider Threat Deep Dive: IT Sabotage.” Published September 22, 2010. Accessed July 26, 2017 at http://www.cert.org/blogs/insider-threat/post.cfm?EntryID=57.
  18. 18.
    Council on CyberSecurity. 2014. “The Critical Security Controls for Effective Cyber Defense Version 5.1” Accessed July 26, 2017 at http://www.counciloncybersecurity.org/critical-controls/.
  19. 19.
    ASD – Australian Signals Directorate. 2014. “Top 35 Strategies to Mitigate Targeted Cyber Intrusions.” Accessed July 26, 2017 at https://www.checkpoint.com/asd-top-35-mitigation-strategies/.
  20. 20.
    ISO/IEC – International Standards Organization/International Electrotechnical Commission. 2013. Information Technology—Security Techniques—Code of Practice for Information Security Controls. ISO/IEC 27002:2013. Accessed July 26, 2017 at http://www.iso.org/iso/catalogue_detail?csnumber=54533.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Cliff Glantz
    • 1
    Email author
  • Joseph Lenaeus
    • 1
  • Guy Landine
    • 1
  • Lori Ross O’Neil
    • 1
  • Rosalyn Leitch
    • 1
  • Christopher Johnson
    • 2
  • John Lewis
    • 3
  • Robert Rodger
    • 3
  1. 1.Pacific Northwest National LaboratoryRichlandUSA
  2. 2.University of GlasgowGlasgowScotland
  3. 3.National Nuclear LaboratorySellafieldUK

Personalised recommendations