Information Security Governance Simplified From the Boardroom to the Keyboard

ISBN-10: 1439811636

ISBN-13: 9781439811634

Edition: 2012

Authors: Todd Fitzgerald

List price: $120.00
Book details

Copyright year: 2012
Publisher: Taylor & Francis Group
Publication date: 12/14/2011
Binding: Hardcover
Pages: 431
Size: 6.00" wide x 9.00" long x 1.00" tall
Weight: 1.584
Language: English

Foreword
Acknowledgments
Introduction
About the Author
Getting Information Security Right: Top to Bottom
Information Security Governance
Tone at the Top
Tone at the Bottom
Governance, Risk, and Compliance (GRC)
The Compliance Dilemma
Suggested Reading
Developing Information Security Strategy
Evolution of Information Security
Organization Historical Perspective
Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt
Understand the External Environment
Regulatory
Competition
Emerging Threats
Technology Cost Changes
External Independent Research
The Internal Company Culture
Risk Appetite
Speed
Collaborative versus Authoritative
Trust Level
Growth Seeker or Cost Cutter
Company Size
Outsourcing Posture
Prior Security Incidents, Audits
Security Strategy Development Techniques
Mind Mapping
SWOT Analysis
Balanced Scorecard
Face-to-Face Interviews
Security Planning
Strategic
Tactical
Operational/Project Plans
Suggested Reading
Defining the Security Management Organization
History of the Security Leadership Role Is Relevant
The New Security Officer Mandate
Day 1: Hey, I Got the Job!
Security Leader Titles
Techie versus Leader
The Security Leader's Library
Security Leadership Defined
Security Leader Soft Skills
Seven Competencies for Effective Security Leadership
Security Functions
Learning from Leading Organizations
Assess Risk and Determine Needs
Implement Policies and Controls
Promote Awareness
Monitor and Evaluate
Central Management
What Functions Should the Security Officer Be Responsible For?
Assessing Risk and Determining Needs Functions
Risk Assessment/Analysis
Systems Security Plan Development
External Penetration Testing
Implement Policies and Control Functions
Security Policy Development
Security Architecture
Security Control Assessment
Identity and Access Management
Business Continuity and Disaster Recovery
Promote Awareness Functions
End User Security Awareness Training
Intranet Site and Policy Publication
Targeted Awareness
Monitor and Evaluate Functions
Security Baseline Configuration Review
Logging and Monitoring
Vulnerability Assessment
Internet Monitoring/Management of Managed Services
Incident Response
Forensic Investigations
Central Management Functions
Reporting Model
Business Relationships
Reporting to the CEO
Reporting to the Information Systems Department
Reporting to Corporate Security
Reporting to the Administrative Services Department
Reporting to the Insurance and Risk Management Department
Reporting to the Internal Audit Department
Reporting to the Legal Department
Determining the Best Fit
Suggested Reading
Interacting with the C-Suite
Communication between the CEO, CIO, Other Executives, and CISO
13 "Lucky" Questions to Ask One Another
The CEO, Ultimate Decision Maker
The CEO Needs to Know Why
The CIO, Where Technology Meets the Business
CIO's Commitment to Security Is Important
The Security Officer, Protecting the Business
The CEO, CIO, and CISO Are Business Partners
Building Grassroots Support through an Information Security Council
Establishing the Security Council
Oversight of Security Program
Decide on Project Initiatives
Prioritize Information Security Efforts
Review and Recommend Security Policies
Champion Organizational Security Efforts
Recommend Areas Requiring Investment
Appropriate Security Council Representation
"-Inging" the Council: Forming, Storming, Norming, and Performing
Forming
Storming
Norming
Performing
Integration with Other Committees
Establish Early, Incremental Success
Let Go of Perfectionism
Sustaining the Security Council
End User Awareness
Security Council Commitment
Suggested Reading
Managing Risk to an Acceptable Level
Risk in Our Daily Lives
Accepting Organizational Risk
Just Another Set of Risks
Management Owns the Risk Decision
Qualitative versus Quantitative Risk Analysis
Risk Management Process
Risk Analysis Involvement
Step 1: Categorize the System
Step 2: Identify Potential Dangers (Threats)
Human Threats
Environmental/Physical Threats
Technical Threats
Step 3: Identify Vulnerabilities That Could Be Exploited
Step 4: Identify Existing Controls
Step 5: Determine Exploitation Likelihood Given Existing Controls
Step 6: Determine Impact Severity
Step 7: Determine Risk Level
Step 8: Determine Additional Controls
Risk Mitigation Options
Risk Assumption
Risk Avoidance
Risk Limitation
Risk Planning
Risk Research
Risk Transference
Conclusion
Suggested Reading
Creating Effective Information Security Policies
Why Information Security Policies Are Important
Avoiding Shelfware
Electronic Policy Distribution
Canned Security Policies
Policies, Standards, Guidelines Definitions
Policies Are Written at a High Level
Policies
Security Policy Best Practices
Types of Security Policies
Standards
Procedures
Baselines
Guidelines
Combination of Policies, Standards, Baselines, Procedures, and Guidelines
Policy Analogy
An Approach for Developing Information Security Policies
Utilizing the Security Council for Policies
The Policy Review Process
Information Security Policy Process
Suggested Reading
Security Compliance Using Control Frameworks
Security Control Frameworks Defined
Security Control Frameworks and Standards Examples
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Management Act of 2002 (FISMA)
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)
Federal Information System Controls Audit Manual (FISCAM)
ISO/IEC 27001:2005 Information Security Management Systems-Requirements
ISO/IEC 27002:2005 Information Technology-Security Techniques-Code of Practice for Information Security Management
Control Objectives for Information and Related Technology (COBIT)
Payment Card Industry Data Security Standard (PCI DSS)
Information Technology Infrastructure Library (ITIL)
Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
The World Operates on Standards
Standards Are Dynamic
The How Is Typically Left Up to Us
Key Question: Why Does the Standard Exist?
Compliance Is Not Security, But It Is a Good Start
Integration of Standards and Control Frameworks
Auditing Compliance
Adoption Rate of Various Standards
ISO 27001/2 Certification
NIST Certification
Control Framework Convergence
The 11-Factor Compliance Assurance Manifesto
The Standards/Framework Value Proposition
Suggested Reading
Managerial Controls: Practical Security Considerations
Security Control Convergence
Security Control Methodology
Security Assessment and Authorization Controls
Planning Controls
Risk Assessment Controls
System and Services Acquisition Controls
Program Management Controls
Suggested Reading
Technical Controls: Practical Security Considerations
Access Control Controls
Audit and Accountability Controls
Identification and Authentication
System and Communications Protections
Suggested Reading
Operational Controls: Practical Security Considerations
Awareness and Training Controls
Configuration Management Controls
Contingency Planning Controls
Incident Response Controls
Maintenance Controls
Media Protection Controls
Physical and Environmental Protection Controls
Personnel Security Controls
System and Information Integrity Controls
Suggested Reading
The Auditors Have Arrived, Now What?
Anatomy of an Audit
Audit Planning Phase
Preparation of Document Request List
Gather Audit Artifacts
Provide Information to Auditors
On-Site Arrival Phase
Internet Access
Reserve Conference Rooms
Physical Access
Conference Phones
Schedule Entrance, Exit, Status Meetings
Set Up Interviews
Audit Execution Phase
Additional Audit Meetings
Establish Auditor Communication Protocol
Establish Internal Company Protocol
Media Handling
Audit Coordinator Quality Review
The Interview Itself
Entrance, Exit, and Status Conferences
Entrance Meeting
Exit Meeting
Status Meetings
Report Issuance and Finding Remediation Phase
Suggested Reading
Effective Security Communications
Why a Chapter Dedicated to Security Communications?
End User Security Awareness Training
Awareness Definition
Delivering the Message
Step 1: Security Awareness Needs Assessment
New or Changed Policies
Past Security Incidents
Systems Security Plans
Audit Findings and Recommendations
Event Analysis
Industry Trends
Management Concerns
Organizational Changes
Step 2: Program Design
Target Audience
Frequency of Sessions
Number of Users
Method of Delivery
Resources Required
Step 3: Develop Scope
Determine Participants Needing Training
Business Units
Select Theme
Step 4: Content Development
Step 5: Communication and Logistics Plan
Step 6: Awareness Delivery
Step 7: Evaluation/Feedback Loops
Security Awareness Training Does Not Have to Be Boring
Targeted Security Training
Continuous Security Reminders
Utilize Multiple Security Awareness Vehicles
Security Officer Communication Skills
Talking versus Listening
Roadblocks to Effective Listening
Generating a Clear Message
Influencing and Negotiating Skills
Written Communication Skills
Presentation Skills
Applying Personality Type to Security Communications
The Four Myers-Briggs Type Indicator (MBTI) Preference Scales
Extraversion versus Introversion Scale
Sensing versus Intuition Scale
Thinking versus Feeling Scale
Judging versus Perceiving Scale
Determining Individual MBTI Personality
Summing Up the MBTI for Security
Suggested Reading
The Law and Information Security
Civil Law versus Criminal Law
Electronic Communications Privacy Act of 1986 (ECPA)
The Computer Security Act of 1987
The Privacy Act of 1974
Sarbanes-Oxley Act of 2002 (SOX)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act of 1996
Health Information Technology for Economic and Clinical Health (HITECH) Act
Federal Information Security Management Act of 2002 (FISMA)
Summary
Suggested Reading
Learning from Information Security Incidents
Recent Security Incidents
Texas State Comptroller
Sony PlayStation Network
Student Loan Social Security Numbers Stolen
Social Security Numbers Printed on Outside of Envelopes
Valid E-Mail Addresses Exposed
Office Copier Hard Disk Contained Confidential Information
Advanced Persistent Threat Targets Security Token
Who Will Be Next?
Every Control Could Result in an Incident
Suggested Reading
17 Ways to Dismantle Information Security Governance Efforts
Final Thoughts
Suggested Reading
Index