IT Governance An International Guide to Data Security and ISO27001/ISO27002

ISBN-10: 0749464852

ISBN-13: 9780749464851

Edition: 5th 2012 (Revised)

Authors: Alan Calder, Steve Watkins, Ian Hallsworth

Book details

List price: $49.99
Edition: 5th
Copyright year: 2012
Publisher: Kogan Page, Limited
Publication date: 4/3/2012
Binding: Paperback
Pages: 384
Size: 6.14" wide x 9.13" long x 0.83" tall
Weight: 1.254
Language: English

Alan Calder is a founder-director of IT Governance Ltd, which provides IT governance and information security services through its website www.itgovernance.co.uk. He is the author of Corporate Governance, IT Governance and International IT Governance, all published by Kogan Page.

Introduction
Why is information security necessary?
The nature of information security threats
Information insecurity
Impacts of information security threats
Cybercrime
Cyberwar
Advanced persistent threat
Future risks
Legislation
Benefits of an information security management system
The UK Combined Code, the Turnbull Report and Sarbanes-Oxley
The Combined Code
The Turnbull Report
The Revised Combined Code
Sarbanes-Oxley
Enterprise risk management
Regulatory compliance
IT governance
ISO27001
Benefits of certification
The history of ISO27001 and ISO27002
The ISO/IEC 27000 series of standards
Use of the standard
ISO/IEC 27002
The Plan-Do-Check-Act and process approach
Structured approach to implementation
Quality system integration
Documentation
Continual improvement and metrics
Organizing information security
Internal organization
Management review
The information security manager
The cross-functional management forum
The ISO27001 project group
Approval process for information processing facilities
Specialist information security advice
Contact with authorities and special interest groups
Independent review of information security
Summary
Information security policy and scope
Information security policy
A policy statement
Costs and the monitoring of progress
The risk assessment and Statement of Applicability
Establishing security requirements
Risks, impacts and risk management
Selection of controls and Statement of Applicability
Gap analysis
Risk assessment tools
Risk treatment plan
Measures of effectiveness
External parties
Identification of risks related to external parties
Types of access
Reasons for access
Outsourcing
On-site contractors
Addressing security when dealing with customers
Addressing security in third-party agreements
Asset management
Asset owners
Inventory
Acceptable use of assets
Information classification
Unified classification markings
Government classification markings
Information lifecycle
Information labelling and handling
Non-disclosure agreements and trusted partners
Human resources security
Job descriptions and competency requirements
Screening
Terms and conditions of employment
During employment
Disciplinary process
Termination or change of employment
Physical and environmental security
Secure areas
Public access, delivery and loading areas
Equipment security
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Security of equipment off-premises
Secure disposal or reuse of equipment
Removal of property
Communications and operations management
Documented operating procedures
Change management
Segregation of duties
Separation of development, test and operational facilities
Third-party service delivery management
Monitoring and review of third-party services
Managing changes to third-party services
System planning and acceptance
Controls against malicious software (malware) and back-ups
Viruses, worms and Trojans
Spyware
Anti-malware software
Hoax messages
Phishing and pharming
Anti-malware controls
Airborne viruses
Controls against mobile code
Back-up
Network security management and media handling
Network management
Media handling
Exchanges of information
Information exchange policies and procedures
Exchange agreements
Physical media in transit
Business information systems
E-commerce services
E-commerce issues
Security technologies
Server security
Online transactions
Publicly available information
E-mail, internet use and social media
Security risks in e-mail
Spam
Misuse of the internet
Internet acceptable use policy
Social media
Access control
Hackers
Hacker techniques
System configuration
Access control policy
User access management
Clear desk and clear screen policy
Network access control
Networks
Network security
Server virtualization
Operating system access control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
Application access control and teleworking
Application and information access control
Mobile computing and teleworking
Teleworking
Systems acquisition, development and maintenance
Security requirements analysis and specification
Correct processing in applications
Cryptographic controls
Encryption
Public key infrastructure
Digital signatures
Non-repudiation services
Key management
Security in development and support processes
System files
Access control to program source code
Development and support processes
Vulnerability management
Monitoring and information security incident management
Monitoring
Information security events
Management of information security incidents and improvements
Legal admissibility
Business continuity management
ISO22301
The business continuity management process
Business continuity and risk assessment
Developing and implementing continuity plans
Business continuity planning framework
Testing, maintaining and reassessing business continuity plans
Compliance
Identification of applicable legislation
Intellectual property rights
Safeguarding of organizational records
Data protection and privacy of personal information
Prevention of misuse of information processing facilities
Regulation of cryptographic controls
Compliance with security policies and standards
Information systems audit considerations
The ISO27001 audit
Selection of auditors
Initial audit
Preparation for audit
Terminology
Useful websites
Further reading
Index