Information Security for Managers by Michael Workman, Daniel C. Phelps, John N. Gathegi

THIS CHAPTER, SOMEWHAT LIKE THE LAST ONE, will serve as a good resource for any organizational member who is (or who might be) involved in security assessments and audits, as well as in risk management programs. In the last chapter, we introduced many regulations that require organizations to implement a risk assessment–based approach to their information system security. In an effort to meet this “due care” standard, many organizations are turning to best practices and control frameworks. Although the goal is to assist organizations with appropriate information technology (IT) governance, the increasing number of frameworks and best practices can add complexity and confusion to ...