
Information Security Governance Simplified

Author: Todd Fitzgerald
Language: English. Hardback – 14 Dec 2011
Security practitioners must be able to build cost-effective security programs while also complying with government regulations. Information Security Governance Simplified: From the Boardroom to the Keyboard lays out these regulations in simple terms and explains how to use control frameworks to build an air-tight information security (IS) program and governance structure.
Defining the leadership skills required of IS officers, the book examines the pros and cons of different reporting structures and highlights the various control frameworks available. It details the functions of the security department and considers the control areas, including physical, network, application, business continuity/disaster recovery, and identity management.
Todd Fitzgerald explains how to establish a solid foundation for building your security program and shares time-tested insights about what works and what doesn’t when building an IS program. Highlighting security considerations for managerial, technical, and operational controls, it provides helpful tips for selling your program to management. It also includes tools to help you create a workable IS charter and your own IS policies. Based on proven experience rather than theory, the book gives you the tools and real-world insight needed to secure your information while ensuring compliance with government regulations.

Price: 79408 lei

Old price: 99261 lei
-20%

Express points: 1191

Estimated price in foreign currency:
15214 16479$ 13047£

Book temporarily unavailable


Specifications

ISBN-13: 9781439811634
ISBN-10: 1439811636
Pages: 432
Illustrations: 34 black & white illustrations, 26 black & white tables
Dimensions: 155 x 234 x 28 mm
Weight: 0.73 kg
Edition: New
Publisher: CRC Press

Contents

Getting Information Security Right: Top to Bottom
Information Security Governance
Tone at the Top
Tone at the Bottom
Governance, Risk, and Compliance (GRC)
The Compliance Dilemma
Suggested Reading
Developing Information Security Strategy
Evolution of Information Security
Organization Historical Perspective
     Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt
Understand the External Environment 
     Regulatory 
     Competition 
     Emerging Threats 
     Technology Cost Changes 
     External Independent Research
The Internal Company Culture 
     Risk Appetite 
     Speed
     Collaborative versus Authoritative
     Trust Level 
     Growth Seeker or Cost Cutter 
     Company Size 
     Outsourcing Posture
Prior Security Incidents, Audits
Security Strategy Development Techniques 
     Mind Mapping
     SWOT Analysis 
     Balanced Scorecard 
     Face-to-Face Interviews
Security Planning 
     Strategic 
     Tactical 
     Operational/Project Plans
Suggested Reading
Defining the Security Management Organization
History of the Security Leadership Role Is Relevant
The New Security Officer Mandate
Day 1: Hey, I Got the Job!
Security Leader Titles
Techie versus Leader
The Security Leaders Library
Security Leadership Defined
Security Leader Soft Skills
Seven Competencies for Effective Security Leadership
Security Functions 
     Learning from Leading Organizations
What Functions Should the Security Officer Be Responsible For?
Assessing Risk and Determining Needs Functions
Implement Policies and Control Functions
Promote Awareness Functions
Monitor and Evaluate Functions
Reporting Model
Suggested Reading
Interacting with the C-Suite
Communication between the CEO, CIO, Other Executives, and CISO
13 "Lucky" Questions to Ask One Another
     The CEO, Ultimate Decision Maker 
     The CEO Needs to Know Why 
     The CIO, Where Technology Meets the Business 
     CIO’s Commitment to Security Important 
     The Security Officer, Protecting the Business 
     The CEO, CIO, and CISO Are Business Partners
Building Grassroots Support through an Information Security Council 
     Establishing the Security Council
     Appropriate Security Council Representation 
     "-Inging" the Council: Forming, Storming, Norming, and Performing
Integration with Other Committees
Establish Early, Incremental Success
Let Go of Perfectionism
Sustaining the Security Council
End User Awareness
Security Council Commitment
Suggested Reading
Managing Risk to an Acceptable Level
Risk in Our Daily Lives
Accepting Organizational Risk
Just Another Set of Risks
Management Owns the Risk Decision
Qualitative versus Quantitative Risk Analysis
Risk Management Process
     Risk Analysis Involvement 
     Step 1: Categorize the System 
     Step 2: Identify Potential Dangers (Threats)
     Step 3: Identify Vulnerabilities That Could Be Exploited 
     Step 4: Identify Existing Controls 
     Step 5: Determine Exploitation Likelihood Given Existing Controls
     Step 6: Determine Impact Severity 
     Step 7: Determine Risk Level 
     Step 8: Determine Additional Controls
Risk Mitigation Options
     Risk Assumption
     Risk Avoidance 
     Risk Limitation 
     Risk Planning 
     Risk Research 
     Risk Transference
Conclusion
Suggested Reading
Creating Effective Information Security Policies
Why Information Security Policies Are Important
Avoiding Shelfware
Electronic Policy Distribution
Canned Security Policies
Policies, Standards, Guidelines Definitions
     Policies Are Written at a High Level 
     Policies 
     Security Policy Best Practices 
     Types of Security Policies 
     Standards 
     Procedures 
     Baselines 
     Guidelines 
     Combination of Policies, Standards, Baselines, Procedures, and Guidelines
An Approach for Developing Information Security Policies
Utilizing the Security Council for Policies
The Policy Review Process 
     Information Security Policy Process
Suggested Reading
Security Compliance Using Control Frameworks
Security Control Frameworks Defined
Security Control Frameworks and Standards Examples 
     Health Insurance Portability and Accountability Act (HIPAA) 
     Federal Information Security Management Act of 2002 (FISMA) 
     National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) 
     Federal Information System Controls Audit Manual (FISCAM) 
     ISO/IEC 27001:2005 Information Security Management Systems—Requirements 
     ISO/IEC 27002:2005 Information technology—Security Techniques—Code of Practice for Information Security Management 
     Control Objectives for Information and Related Technology (COBIT) 
     Payment Card Industry Data Security Standard (PCI DSS)
     Information Technology Infrastructure Library (ITIL) 
     Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides 
     Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
The World Operates on Standards
Standards Are Dynamic
The How Is Typically Left Up to Us
Key Question: Why Does the Standard Exist?
Compliance Is Not Security, But It Is a Good Start
Integration of Standards and Control Frameworks
Auditing Compliance
Adoption Rate of Various Standards 
     ISO 27001/2 Certification
     NIST Certification
Control Framework Convergence
The 11-Factor Compliance Assurance Manifesto
The Standards/Framework Value Proposition
Suggested Reading
Managerial Controls: Practical Security Considerations
Security Control Convergence
Security Control Methodology
Security Assessment and Authorization Controls
Planning Controls
Risk Assessment Controls
System and Services Acquisition Controls
Program Management Controls
Suggested Reading
Technical Controls: Practical Security Considerations
Access Control Controls
Audit and Accountability Controls
Identification and Authentication
System and Communications Protections
Suggested Reading
Operational Controls: Practical Security Considerations
Awareness and Training Controls
Configuration Management Controls
Contingency Planning Controls
Incident Response Controls
Maintenance Controls
Media Protection Controls
Physical and Environmental Protection Controls
Personnel Security Controls
System and Information Integrity Controls
Suggested Reading
The Auditors Have Arrived, Now What?
Anatomy of an Audit
Audit Planning Phase 
     Preparation of Document Request List
     Gather Audit Artifacts 
     Provide Information to Auditors
On-Site Arrival Phase 
     Internet Access 
     Reserve Conference Rooms 
     Physical Access 
     Conference Phones 
     Schedule Entrance, Exit, Status Meetings 
     Set Up Interviews
Audit Execution Phase 
     Additional Audit Meetings 
     Establish Auditor Communication Protocol 
     Establish Internal Company Protocol 
     Media Handling
     Audit Coordinator Quality Review 
     The Interview Itself 
Entrance, Exit, and Status Conferences 
     Entrance Meeting 
     Exit Meeting 
     Status Meetings
Report Issuance and Finding Remediation Phase
Suggested Reading
Effective Security Communications
Why a Chapter Dedicated to Security Communications?
End User Security Awareness Training 
     Awareness Definition
Delivering the Message 
     Step 1: Security Awareness Needs Assessment
     Step 2: Program Design
     Step 3: Develop Scope
     Step 4: Content Development 
     Step 5: Communication and Logistics Plan
     Step 6: Awareness Delivery 
     Step 7: Evaluation/Feedback Loops
Security Awareness Training Does Not Have to Be Boring 
     Targeted Security Training 
     Continuous Security Reminders
     Utilize Multiple Security Awareness Vehicles
Security Officer Communication Skills 
     Talking versus Listening 
     Roadblocks to Effective Listening 
     Generating a Clear Message 
     Influencing and Negotiating Skills 
     Written Communication Skills 
     Presentation Skills
Applying Personality Type to Security Communications 
     The Four Myers–Briggs Type Indicator (MBTI) Preference Scales
     Determining Individual MBTI Personality
     Summing Up the MBTI for Security
Suggested Reading
The Law and Information Security
Civil Law versus Criminal Law
Electronic Communications Privacy Act of 1986 (ECPA)
The Computer Security Act of 1987
The Privacy Act of 1974
Sarbanes–Oxley Act of 2002 (SOX)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act of 1996
Health Information Technology for Economic and Clinical Health (HITECH) Act
Federal Information Security Management Act of 2002 (FISMA)
Summary
Suggested Reading
Learning from Information Security Incidents
Recent Security Incidents 
     Texas State Comptroller
     Sony PlayStation Network 
     Student Loan Social Security Numbers Stolen 
     Social Security Numbers Printed on Outside of Envelopes 
     Valid E-Mail Addresses Exposed 
     Office Copier Hard Disk Contained Confidential Information 
     Advanced Persistent Threat Targets Security Token
Who Will Be Next?
Every Control Could Result in an Incident
Suggested Reading
Ways to Dismantle Information Security Governance Efforts
Final Thoughts
Suggested Reading
Index

Reviews

Todd Fitzgerald’s new book, Information Security Governance Simplified: From the Boardroom to the Keyboard, presents 15 chapters of advice and real-world experience on how to handle the roll out of an effective program …. Todd has taken the time to include for the reader some practical security considerations for managerial, technical, and operational controls. This is followed up with a discussion on how legal issues are impacting the information security program.
Tom Peltier, CISSP

Biographical note

Todd Fitzgerald, CISSP, CISA, CISM, ISO27000, CGEIT, PMP, HITRUST, and ITILV3 certified, is responsible for external audit technical compliance for National Government Services (NGS), Milwaukee, WI, one of the largest processors of Medicare claims and a subsidiary of WellPoint, Inc., the nation’s leading health benefits company, serving 1 out of 9 Americans. Fitzgerald has initiated, developed, and led information security programs as the Information Security Officer for several companies. Fitzgerald served as the chair/co-chair for the 2011/2010 ISACA North America and Europe Information Security & Risk Management conferences.
Fitzgerald coauthored, with Micki Krause, the 2008 (ISC)2 Press book titled CISO Leadership: Essential Principles for Success. Fitzgerald has authored articles on information security for the 2007 Official (ISC)2 Guide to the CISSP Exam, The Information Security Handbook Series (2003–2012), The HIPAA Program Reference Book, Managing an Information Security and Privacy Awareness and Training Program, CISM Review Manual, and several other security-related publications. He is also a member of the editorial board for (ISC)2 Journal/Information Systems Security Magazine. Fitzgerald is frequently called upon to present at international, national, and local conferences for Information Systems Audit and Control Association (ISACA), Computer Security Institute (CSI), Information Systems Security Association (ISSA), Management Information Systems Training Institute (MISTI), COSAC, and the Centers for Medicare & Medicaid Services (CMS) systems security officer community. He also serves on the board of directors for the HIPAA Collaborative of Wisconsin and several other industry groups. Fitzgerald has received several awards including a Midwest Information Security Executive of the Year Award Finalist award and Health Ethics Trust HIPAA Implementation Award.
Fitzgerald has 32 years of information technology experience, including 20 years of management and the past 13 years focused solely on information security. Prior to joining NGS, he held various broad-based senior information technology management positions for Fortune 500 organizations, including American Airlines, IMS Health, Zeneca (subsidiary of AstraZeneca Pharmaceuticals), and Syngenta, as well as prior positions with Blue Cross Blue Shield of Wisconsin.
Fitzgerald holds a BS in business administration from the University of Wisconsin-Lacrosse, serves as an advisor to the College of Business Administration, as well as an advisor to the Milwaukee Area Technical College information security program. He also earned an MBA with highest honors from Oklahoma State University.