Information Security Governance Simplified
Author: Todd Fitzgerald
Language: English
Hardback – 14 Dec 2011
Defining the leadership skills required by IS officers, the book examines the pros and cons of different reporting structures and highlights the various control frameworks available. It details the functions of the security department and considers the control areas, including physical, network, application, business continuity/disaster recovery, and identity management.
Todd Fitzgerald explains how to establish a solid foundation for building your security program and shares time-tested insights about what works and what doesn’t when building an IS program. Highlighting security considerations for managerial, technical, and operational controls, it provides helpful tips for selling your program to management. It also includes tools to help you create a workable IS charter and your own IS policies. Based on proven experience rather than theory, the book gives you the tools and real-world insight needed to secure your information while ensuring compliance with government regulations.
Price: 794.08 lei
Old price: 992.61 lei
-20%
Express points: 1191
Estimated price in other currencies: 152.14€ • 164.79$ • 130.47£
Specifications
ISBN-13: 9781439811634
ISBN-10: 1439811636
Pages: 432
Illustrations: 34 black & white illustrations, 26 black & white tables
Dimensions: 155 x 234 x 28 mm
Weight: 0.73 kg
Edition: New
Publisher: CRC Press
Contents
Getting Information Security Right: Top to Bottom
Information Security Governance
Tone at the Top
Tone at the Bottom
Governance, Risk, and Compliance (GRC)
The Compliance Dilemma
Suggested Reading
Developing Information Security Strategy
Evolution of Information Security
Organization Historical Perspective
Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt
Understand the External Environment
Regulatory
Competition
Emerging Threats
Technology Cost Changes
External Independent Research
The Internal Company Culture
Risk Appetite
Speed
Collaborative versus Authoritative
Trust Level
Growth Seeker or Cost Cutter
Company Size
Outsourcing Posture
Prior Security Incidents, Audits
Security Strategy Development Techniques
Mind Mapping
SWOT Analysis
Balanced Scorecard
Face-to-Face Interviews
Security Planning
Strategic
Tactical
Operational/Project Plans
Suggested Reading
Defining the Security Management Organization
History of the Security Leadership Role Is Relevant
The New Security Officer Mandate
Day 1: Hey, I Got the Job!
Security Leader Titles
Techie versus Leader
The Security Leaders Library
Security Leadership Defined
Security Leader Soft Skills
Seven Competencies for Effective Security Leadership
Security Functions
Learning from Leading Organizations
What Functions Should the Security Officer Be Responsible For?
Assessing Risk and Determining Needs Functions
Implement Policies and Control Functions
Promote Awareness Functions
Monitor and Evaluate Functions
Reporting Model
Suggested Reading
Interacting with the C-Suite
Communication between the CEO, CIO, Other Executives, and CISO
13 "Lucky" Questions to Ask One Another
The CEO, Ultimate Decision Maker
The CEO Needs to Know Why
The CIO, Where Technology Meets the Business
CIO’s Commitment to Security Important
The Security Officer, Protecting the Business
The CEO, CIO, and CISO Are Business Partners
Building Grassroots Support through an Information Security Council
Establishing the Security Council
Appropriate Security Council Representation
"-Inging" the Council: Forming, Storming, Norming, and Performing
Integration with Other Committees
Establish Early, Incremental Success
Let Go of Perfectionism
Sustaining the Security Council
End User Awareness
Security Council Commitment
Suggested Reading
Managing Risk to an Acceptable Level
Risk in Our Daily Lives
Accepting Organizational Risk
Just Another Set of Risks
Management Owns the Risk Decision
Qualitative versus Quantitative Risk Analysis
Risk Management Process
Risk Analysis Involvement
Step 1: Categorize the System
Step 2: Identify Potential Dangers (Threats)
Step 3: Identify Vulnerabilities That Could Be Exploited
Step 4: Identify Existing Controls
Step 5: Determine Exploitation Likelihood Given Existing Controls
Step 6: Determine Impact Severity
Step 7: Determine Risk Level
Step 8: Determine Additional Controls
Risk Mitigation Options
Risk Assumption
Risk Avoidance
Risk Limitation
Risk Planning
Risk Research
Risk Transference
Conclusion
Suggested Reading
Creating Effective Information Security Policies
Why Information Security Policies Are Important
Avoiding Shelfware
Electronic Policy Distribution
Canned Security Policies
Policies, Standards, Guidelines Definitions
Policies Are Written at a High Level
Policies
Security Policy Best Practices
Types of Security Policies
Standards
Procedures
Baselines
Guidelines
Combination of Policies, Standards, Baselines, Procedures, and Guidelines
An Approach for Developing Information Security Policies
Utilizing the Security Council for Policies
The Policy Review Process
Information Security Policy Process
Suggested Reading
Security Compliance Using Control Frameworks
Security Control Frameworks Defined
Security Control Frameworks and Standards Examples
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Management Act of 2002 (FISMA)
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)
Federal Information System Controls Audit Manual (FISCAM)
ISO/IEC 27001:2005 Information Security Management Systems—Requirements
ISO/IEC 27002:2005 Information technology—Security Techniques—Code of Practice for Information Security Management
Control Objectives for Information and Related Technology (COBIT)
Payment Card Industry Data Security Standard (PCI DSS)
Information Technology Infrastructure Library (ITIL)
Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
The World Operates on Standards
Standards Are Dynamic
The How Is Typically Left Up to Us
Key Question: Why Does the Standard Exist?
Compliance Is Not Security, But It Is a Good Start
Integration of Standards and Control Frameworks
Auditing Compliance
Adoption Rate of Various Standards
ISO 27001/2 Certification
NIST Certification
Control Framework Convergence
The 11-Factor Compliance Assurance Manifesto
The Standards/Framework Value Proposition
Suggested Reading
Managerial Controls: Practical Security Considerations
Security Control Convergence
Security Control Methodology
Security Assessment and Authorization Controls
Planning Controls
Risk Assessment Controls
System and Services Acquisition Controls
Program Management Controls
Suggested Reading
Technical Controls: Practical Security Considerations
Access Control Controls
Audit and Accountability Controls
Identification and Authentication
System and Communications Protections
Suggested Reading
Operational Controls: Practical Security Considerations
Awareness and Training Controls
Configuration Management Controls
Contingency Planning Controls
Incident Response Controls
Maintenance Controls
Media Protection Controls
Physical and Environmental Protection Controls
Personnel Security Controls
System and Information Integrity Controls
Suggested Reading
The Auditors Have Arrived, Now What?
Anatomy of an Audit
Audit Planning Phase
Preparation of Document Request List
Gather Audit Artifacts
Provide Information to Auditors
On-Site Arrival Phase
Internet Access
Reserve Conference Rooms
Physical Access
Conference Phones
Schedule Entrance, Exit, Status Meetings
Set Up Interviews
Audit Execution Phase
Additional Audit Meetings
Establish Auditor Communication Protocol
Establish Internal Company Protocol
Media Handling
Audit Coordinator Quality Review
The Interview Itself
Entrance, Exit, and Status Conferences
Entrance Meeting
Exit Meeting
Status Meetings
Report Issuance and Finding Remediation Phase
Suggested Reading
Effective Security Communications
Why a Chapter Dedicated to Security Communications?
End User Security Awareness Training
Awareness Definition
Delivering the Message
Step 1: Security Awareness Needs Assessment
Step 2: Program Design
Step 3: Develop Scope
Step 4: Content Development
Step 5: Communication and Logistics Plan
Step 6: Awareness Delivery
Step 7: Evaluation/Feedback Loops
Security Awareness Training Does Not Have to Be Boring
Targeted Security Training
Continuous Security Reminders
Utilize Multiple Security Awareness Vehicles
Security Officer Communication Skills
Talking versus Listening
Roadblocks to Effective Listening
Generating a Clear Message
Influencing and Negotiating Skills
Written Communication Skills
Presentation Skills
Applying Personality Type to Security Communications
The Four Myers–Briggs Type Indicator (MBTI) Preference Scales
Determining Individual MBTI Personality
Summing Up the MBTI for Security
Suggested Reading
The Law and Information Security
Civil Law versus Criminal Law
Electronic Communications Privacy Act of 1986 (ECPA)
The Computer Security Act of 1987
The Privacy Act of 1974
Sarbanes–Oxley Act of 2002 (SOX)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act of 1996
Health Information Technology for Economic and Clinical Health (HITECH) Act
Federal Information Security Management Act of 2002 (FISMA)
Summary
Suggested Reading
Learning from Information Security Incidents
Recent Security Incidents
Texas State Comptroller
Sony PlayStation Network
Student Loan Social Security Numbers Stolen
Social Security Numbers Printed on Outside of Envelopes
Valid E-Mail Addresses Exposed
Office Copier Hard Disk Contained Confidential Information
Advanced Persistent Threat Targets Security Token
Who Will Be Next?
Every Control Could Result in an Incident
Suggested Reading
Ways to Dismantle Information Security Governance Efforts
Final Thoughts
Suggested Reading
Index
Reviews
Todd Fitzgerald’s new book, Information Security Governance Simplified: From the Boardroom to the Keyboard, presents 15 chapters of advice and real-world experience on how to handle the roll out of an effective program …. Todd has taken the time to include for the reader some practical security considerations for managerial, technical, and operational controls. This is followed up with a discussion on how legal issues are impacting the information security program.
—Tom Peltier, CISSP
Biographical note
Todd Fitzgerald, CISSP, CISA, CISM, ISO27000, CGEIT, PMP, HITRUST, and ITILV3 certified, is responsible for external audit technical compliance for National Government Services (NGS), Milwaukee, WI, one of the largest processors of Medicare claims and a subsidiary of WellPoint, Inc., the nation’s leading health benefits company, serving 1 out of 9 Americans. Fitzgerald has initiated, developed, and led information security programs as the Information Security Officer for several companies. Fitzgerald served as the chair/co-chair for the 2011/2010 ISACA North America and Europe Information Security & Risk Management conferences.
Fitzgerald coauthored, with Micki Krause, the 2008 (ISC)2 Press book titled CISO Leadership: Essential Principles for Success. Fitzgerald has authored articles on information security for the 2007 Official (ISC)2 Guide to the CISSP Exam, The Information Security Handbook Series (2003–2012), The HIPAA Program Reference Book, Managing an Information Security and Privacy Awareness and Training Program, CISM Review Manual, and several other security-related publications. He is also a member of the editorial board for (ISC)2 Journal/Information Systems Security Magazine. Fitzgerald is frequently called upon to present at international, national, and local conferences for Information Systems Audit and Control Association (ISACA), Computer Security Institute (CSI), Information Systems Security Association (ISSA), Management Information Systems Training Institute (MISTI), COSAC, and the Centers for Medicare & Medicaid Services (CMS) systems security officer community. He also serves on the board of directors for the HIPAA Collaborative of Wisconsin and several other industry groups. Fitzgerald has received several awards including a Midwest Information Security Executive of the Year Award Finalist award and Health Ethics Trust HIPAA Implementation Award.
Fitzgerald has 32 years of information technology experience, including 20 years of management and the past 13 years focused solely on information security. Prior to joining NGS, he held various broad-based senior information technology management positions for Fortune 500 organizations, including American Airlines, IMS Health, Zeneca (subsidiary of AstraZeneca Pharmaceuticals), and Syngenta, as well as prior positions with Blue Cross Blue Shield of Wisconsin.
Fitzgerald holds a BS in business administration from the University of Wisconsin-Lacrosse, where he serves as an advisor to the College of Business Administration; he is also an advisor to the Milwaukee Area Technical College information security program. He earned an MBA with highest honors from Oklahoma State University.