Book description
Security practitioners must be able to build a cost-effective security program while at the same time meeting the requirements of government regulations. This book lays out these regulations in simple terms and explains how to use control frameworks to build an effective information security program and governance structure. It discusses how organizations can best ensure that their information is protected, and it examines every position from the board of directors to the end user, delineating the role each plays in protecting the security of the organization.
Table of contents
- Cover
- Half Title
- Title Page
- Copyright Page
- Dedication
- Table of Contents
- Foreword
- Acknowledgments
- Introduction
- About the Author
- Chapter 1 Getting Information Security Right: Top to Bottom
- Chapter 2 Developing Information Security Strategy
- Chapter 3 Defining the Security Management Organization
  - History of the Security Leadership Role Is Relevant
  - The New Security Officer Mandate
  - Day 1: Hey, I Got the Job!
  - Security Leader Titles
  - Techie versus Leader
  - The Security Leaders Library
  - Security Leadership Defined
  - Security Leader Soft Skills
  - Seven Competencies for Effective Security Leadership
  - Security Functions
    - Learning from Leading Organizations
    - What Functions Should the Security Officer Be Responsible For?
    - Assessing Risk and Determining Needs Functions
    - Implement Policies and Control Functions
    - Promote Awareness Functions
    - Monitor and Evaluate Functions
  - Reporting Model
    - Business Relationships
    - Reporting to the CEO
    - Reporting to the Information Systems Department
    - Reporting to Corporate Security
    - Reporting to the Administrative Services Department
    - Reporting to the Insurance and Risk Management Department
    - Reporting to the Internal Audit Department
    - Reporting to the Legal Department
    - Determining the Best Fit
  - Suggested Reading
- Chapter 4 Interacting with the C-Suite
  - Communication between the CEO, CIO, Other Executives, and CISO
  - 13 “Lucky” Questions to Ask One Another
  - Building Grassroots Support through an Information Security Council
    - Establishing the Security Council
    - Appropriate Security Council Representation
    - “-Inging” the Council: Forming, Storming, Norming, and Performing
    - Integration with Other Committees
    - Establish Early, Incremental Success
    - Let Go of Perfectionism
    - Sustaining the Security Council
    - End User Awareness
    - Security Council Commitment
  - Suggested Reading
- Chapter 5 Managing Risk to an Acceptable Level
  - Risk in Our Daily Lives
  - Accepting Organizational Risk
  - Just Another Set of Risks
  - Management Owns the Risk Decision
  - Qualitative versus Quantitative Risk Analysis
  - Risk Management Process
    - Risk Analysis Involvement
    - Step 1: Categorize the System
    - Step 2: Identify Potential Dangers (Threats)
    - Step 3: Identify Vulnerabilities That Could Be Exploited
    - Step 4: Identify Existing Controls
    - Step 5: Determine Exploitation Likelihood Given Existing Controls
    - Step 6: Determine Impact Severity
    - Step 7: Determine Risk Level
    - Step 8: Determine Additional Controls
    - Risk Mitigation Options
  - Conclusion
  - Suggested Reading
- Chapter 6 Creating Effective Information Security Policies
  - Why Information Security Policies Are Important
  - Avoiding Shelfware
  - Electronic Policy Distribution
  - Canned Security Policies
  - Policies, Standards, Guidelines Definitions
  - An Approach for Developing Information Security Policies
  - Utilizing the Security Council for Policies
  - The Policy Review Process
  - Suggested Reading
- Chapter 7 Security Compliance Using Control Frameworks
  - Security Control Frameworks Defined
  - Security Control Frameworks and Standards Examples
    - Health Insurance Portability and Accountability Act (HIPAA)
    - Federal Information Security Management Act of 2002 (FISMA)
    - National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)
    - Federal Information System Controls Audit Manual (FISCAM)
    - ISO/IEC 27001:2005 Information Security Management Systems—Requirements
    - ISO/IEC 27002:2005 Information Technology—Security Techniques—Code of Practice for Information Security Management
    - Control Objectives for Information and Related Technology (COBIT)
    - Payment Card Industry Data Security Standard (PCI DSS)
    - Information Technology Infrastructure Library (ITIL)
    - Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides
    - Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
  - The World Operates on Standards
  - Standards Are Dynamic
  - The How Is Typically Left Up to Us
  - Key Question: Why Does the Standard Exist?
  - Compliance Is Not Security, But It Is a Good Start
  - Integration of Standards and Control Frameworks
  - Auditing Compliance
  - Adoption Rate of Various Standards
  - Control Framework Convergence
  - The 11-Factor Compliance Assurance Manifesto
  - The Standards/Framework Value Proposition
  - Suggested Reading
- Chapter 8 Managerial Controls: Practical Security Considerations
- Chapter 9 Technical Controls: Practical Security Considerations
- Chapter 10 Operational Controls: Practical Security Considerations
  - Awareness and Training Controls
  - Configuration Management Controls
  - Contingency Planning Controls
  - Incident Response Controls
  - Maintenance Controls
  - Media Protection Controls
  - Physical and Environmental Protection Controls
  - Personnel Security Controls
  - System and Information Integrity Controls
  - Suggested Reading
- Chapter 11 The Auditors Have Arrived, Now What?
- Chapter 12 Effective Security Communications
  - Why a Chapter Dedicated to Security Communications?
  - End User Security Awareness Training
  - Delivering the Message
  - Security Awareness Training Does Not Have to Be Boring
  - Security Officer Communication Skills
  - Applying Personality Type to Security Communications
  - Suggested Reading
- Chapter 13 The Law and Information Security
  - Civil Law versus Criminal Law
  - Electronic Communications Privacy Act of 1986 (ECPA)
  - The Computer Security Act of 1987
  - The Privacy Act of 1974
  - Sarbanes–Oxley Act of 2002 (SOX)
  - Gramm–Leach–Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act of 1996
  - Health Information Technology for Economic and Clinical Health (HITECH) Act
  - Federal Information Security Management Act of 2002 (FISMA)
  - Summary
  - Suggested Reading
- Chapter 14 Learning from Information Security Incidents
- Chapter 15 17 Ways to Dismantle Information Security Governance Efforts
- Index
Product information
- Title: Information Security Governance Simplified
- Author(s):
- Release date: April 2016
- Publisher(s): CRC Press
- ISBN: 9781439811658