book

Security Policies and Implementation Issues, 3rd Edition

Name: Security Policies and Implementation Issues, 3rd Edition
ISBN: 9781284199925

by Robert Johnson, Chuck Easttom

October 2020

Intermediate to advanced

476 pages

17h 50m

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover
Title Page
Copyright Page
Brief Contents
Contents
Dedication
Preface
Acknowledgments
About the Authors
CHAPTER 1 Information Systems Security Policy Management

What Is Information Systems Security?
Information Systems Security Management Life CycleAlign, Plan, and OrganizeBuild, Acquire, and ImplementDeliver, Service, and SupportMonitor, Evaluate, and AssessISO/IEC 38500
What Is Information Assurance?
ConfidentialityIntegrityAuthenticationAvailabilityNonrepudiation
What Is Governance?
Why Is Governance Important?
What Are Information Systems Security Policies?
How Policies and Standards DifferHow Policies and Procedures Differ
Creating Policies
Where Do Information Systems Security Policies Fit Within an Organization?
Why Information Systems Security Policies Are Important
Policies That Support Operational SuccessChallenges of Running a Business Without PoliciesDangers of Not Implementing PoliciesDangers of Implementing the Wrong Policies
When Do You Need Information Systems Security Policies?
Business Process Reengineering (BPR)Continuous ImprovementMaking Changes in Response to Problems
Why Enforcing and Winning Acceptance for Policies Is Challenging
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENTENDNOTES
CHAPTER 2 Business Drivers for Information Security Policies
Why Are Business Drivers Important?
Maintaining Compliance
Compliance Requires Proper Security ControlsSecurity Controls Enforce Information Security PoliciesPreventive Security ControlsDetective Security ControlCorrective Security ControlMitigating Security Controls
Mitigating Risk Exposure
Educate Employees and Drive Security AwarenessPrevent Loss of Intellectual PropertyLabeling Data and Data ClassificationProtect Digital AssetsSecure Privacy of DataFull Disclosure and Data EncryptionLower Risk Exposure
Minimizing Liability of the Organization
Separation Between Employer and EmployeeAcceptable Use PoliciesConfidentiality Agreement and Nondisclosure AgreementBusiness Liability Insurance Policies
Implementing Policies to Drive Operational Consistency
Forcing Repeatable Business Processes Across the Entire OrganizationDifferences Between Mitigating and Compensating ControlsPolicies Help Prevent Operational Deviation
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENTENDNOTES
CHAPTER 3 Compliance Laws and Information Security Policy Requirements
U.S. Compliance Laws
What Are U.S. Compliance Laws?Federal Information Security Management Act (FISMA)Health Insurance Portability and Accountability Act (HIPAA)HITECHGramm-Leach-Bliley Act (GLBA)Sarbanes-Oxley (SOX) ActFamily Educational Rights and Privacy Act (FERPA)Children’s Internet Protection Act (CIPA)Why Did U.S. Compliance Laws Come About?
Whom Do the Laws Protect?
Which Laws Require Proper Security Controls to Be Included in Policies?
Which Laws Require Proper Security Controls for Handling Privacy Data?
Aligning Security Policies and Controls with Regulations
Industry Leading Practices and Self-Regulation
Some Important Industry Standards
Payment Card Industry Data Security Standard (PCI DSS)Clarified Statement on Standards for Attestation Engagements No. 18 (SSAE18)Information Technology Infrastructure Library (ITIL)
International Laws
General Data Protection Regulation (GDPR)European Telecommunications Standards Institute (ETSI)Asia-Pacific Economic Framework (APEC)
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENTENDNOTES
CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
The Seven Domains of a Typical IT Infrastructure
User DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application Domain
Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
User DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainInventoryPerimeterDevice Management
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENTENDNOTES
CHAPTER 5 Information Security Policy Implementation Issues
Human Nature in the Workplace
Basic Elements of MotivationPrideSelf-InterestSuccessPersonality Types of EmployeesLeadership, Values, and Ethics
Organizational Structures
Flat OrganizationsHierarchical OrganizationsAdvantages of a Hierarchical ModelDisadvantages of a Hierarchical Model
The Challenge of User Apathy
The Importance of Executive Management Support
Selling Information Security Policies to an ExecutiveBefore, During, and After Policy Implementation
The Role of Human Resources Policies
Relationship Between HR and Security PoliciesLack of Support
Policy Roles, Responsibilities, and Accountability
Change ModelResponsibilities During ChangeStep 1: Create UrgencyStep 2: Create a Powerful CoalitionStep 3: Create a Vision for ChangeStep 4: Communicate the VisionStep 5: Remove ObstaclesStep 6: Create Short-Term WinsStep 7: Build on the ChangeStep 8: Anchor the Changes in Corporate CultureRoles and Accountabilities
When Policy Fulfillment Is Not Part of Job Descriptions
Impact on Entrepreneurial Productivity and Efficiency
Tying Security Policy to Performance and Accountability
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENTENDNOTES
CHAPTER 6 IT Security Policy Frameworks
What Is an IT Policy Framework?
What Is a Program Framework Policy or Charter?
Purpose and MissionScopeResponsibilitiesComplianceIndustry-Standard Policy FrameworksISO/IEC 27002 (2015)ISO/IEC 30105ISO 27007NIST Special Publication (SP) 800-53What Is a Policy?What Are Standards?Issue-Specific or Control StandardsSystem-Specific or Baseline StandardsWhat Are Procedures?Exceptions to StandardsWhat Are Guidelines?
Business Considerations for the Framework
Roles for Policy and Standards Development and Compliance
Information Assurance Considerations
ConfidentialityIntegrityAvailability
Information Systems Security Considerations
Unauthorized Access to and Use of the SystemUnauthorized Disclosure of the InformationDisruption of the System or ServicesModification of InformationDestruction of Information Resources
Best Practices for IT Security Policy Framework Creation
Case Studies in Policy Framework Development
Private Sector Case StudyPrivate Sector Case Study TwoPublic Sector Case StudyPrivate Sector Case Study Three
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENTENDNOTES
CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
Policies and Standards Design Considerations
Operating ModelsPrinciples for Policy and Standards DevelopmentThe Importance of Transparency with Regard to Customer DataTypes of Controls for Policies and StandardsSecurity Control Types
Document Organization Considerations
Sample TemplatesSample Policy TemplateSample Standard TemplateSample Procedure TemplateSample Guideline Template
Considerations for Implementing Policies and Standards
Building Consensus on IntentReviews and ApprovalsPublishing Your Policy and Standards LibraryAwareness and TrainingSecurity Newsletter
Policy Change Control Board
Business Drivers for Policy and Standards Changes
Maintaining Your Policy and Standards Library
Updates and Revisions
Best Practices for Policies and Standards Maintenance
Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
Private Sector Case Study 1Private Sector Case Study 2Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENTENDNOTES
CHAPTER 8 IT Security Policy Framework Approaches
IT Security Policy Framework Approaches
Risk Management and Compliance ApproachThe Physical Domains of IT Responsibility Approach
Roles, Responsibilities, and Accountability for Personnel
The Seven Domains of a Typical IT InfrastructureOrganizational StructureOrganizational Culture
Separation of Duties
Layered Security ApproachDomain of Responsibility and AccountabilityFirst Line of DefenseSecond Line of DefenseThird Line of Defense
Governance and Compliance
IT Security ControlsIT Security Policy Framework
Best Practices for IT Security Policy Framework Approaches
What Is the Difference Between GRC and ERM?
Case Studies and Examples of IT Security Policy Framework Approaches
Private Sector Case StudyPublic Sector Case StudyE-Commerce Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENTENDNOTES
CHAPTER 9 User Domain Policies
The Weakest Link in the Information Security Chain
Social EngineeringPhishingHuman MistakesInsiders
Seven Types of Users
EmployeesSystems AdministratorsSecurity PersonnelContractorsVendorsGuests and General PublicControl PartnersContingentSystem
Why Govern Users with Policies?
Acceptable Use Policy (AUP)
The Privileged-Level Access Agreement (PAA)
Security Awareness Policy (SAP)
Best Practices for User Domain Policies
Understanding Least Access Privileges and Best Fit Access Privileges
Case Studies and Examples of User Domain Policies
Government Laptop CompromisedThe NASA Raspberry PiDefense Data Stolen
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENT
CHAPTER 10 IT Infrastructure Security Policies
Anatomy of an Infrastructure Policy
Format of a Standard
Workstation Domain Policies
Control StandardsBaseline StandardsProceduresGuidelines
Mobile Device Domain Policies
LAN Domain Policies
Control StandardsBaseline StandardsProceduresGuidelines
LAN-to-WAN Domain Policies
Control StandardsBaseline StandardsProceduresGuidelines
WAN Domain Policies
Control StandardsBaseline StandardsProceduresGuidelines
Remote Access Domain Policies
Control StandardsBaseline StandardsProceduresGuidelines
System/Application Domain Policies
Control StandardsBaseline StandardsProceduresGuidelines
Telecommunications Policies
Control StandardsBaseline StandardsProceduresGuidelines
Best Practices for IT Infrastructure Security Policies
Cloud Security Policies
Case Studies and Examples of IT Infrastructure Security Policies
State Government Case StudyPublic Sector Case StudyCritical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENT
CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
Data Classification Policies
When Is Data Classified or Labeled?The Need for Data ClassificationProtecting InformationRetaining InformationRecovering InformationLegal Classification SchemesMilitary Classification SchemesBusiness Classification SchemesDeveloping a Customized Classification SchemeClassifying Your Data
Data Handling Policies
The Need for Policy Governing Data at Rest and in TransitPolicies, Standards, and Procedures Covering the Data Life Cycle
Identifying Business Risks Related to Information Systems
Types of RiskDevelopment and Need for Policies Based on Risk Management
Risk and Control Self-Assessment
Risk Assessment Policies
Risk ExposurePrioritization of Risks, Threats, and VulnerabilitiesRisk Management StrategiesVulnerability AssessmentsVulnerability WindowsCommon Vulnerability Scan ToolsPatch Management
Quality Assurance Versus Quality Control
Best Practices for Data Classification and Risk Management Policies
Case Studies and Examples of Data Classification and Risk Management Policies
Private Sector Case Study 1Public Sector Case StudyPrivate Sector Case Study 2
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENT
CHAPTER 12 Incident Response Team (IRT) Policies
Incident Response Policy
What Is an Incident?
Incident Classification
The Response Team Charter
Incident Response Team Members
Responsibilities During an Incident
Users on the Front LineSystem AdministratorsInformation Security PersonnelManagementSupport ServicesOther Key Roles
Business Impact Analysis (BIA) Policies
Component PriorityComponent RelianceImpact ReportDevelopment and Need for Policies Based on the BIA
Procedures for Incident Response
Discovering an IncidentReporting an IncidentContaining and Minimizing the DamageCleaning Up After the IncidentDocumenting the Incident and ActionsAnalyzing the Incident and ResponseCreating Mitigation to Prevent Future IncidentsHandling the Media and Deciding What to DiscloseBusiness Continuity Planning PoliciesDealing with Loss of Systems, Applications, or Data Availability
Response and Recovery Time Objectives Policies Based on the BIA
Best Practices for Incident Response Policies
Disaster Recovery Plan Policies
Disaster Declaration PolicyAssessment of the Disaster’s Severity and of Potential Downtime
Case Studies and Examples of Incident Response Policies
Private Sector Case StudyPublic Sector Case StudyCritical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENT
CHAPTER 13 IT Security Policy Implementations
Simplified Implementation Process
Target State
Distributed InfrastructureOutdated TechnologyLack of Standardization Throughout the IT Infrastructure
Executive Buy-in, Cost, and Impact
Executive Management SponsorshipOvercoming Nontechnical HindrancesDistributed EnvironmentUser TypesOrganizational Challenges
Policy Language
Employee Awareness and Training
Organizational and Individual AcceptanceMotivationDeveloping an Organization-Wide Security Awareness PolicyConducting Security Awareness Training SessionsHuman Resources Ownership of New Employee OrientationReview of Acceptable Use Policies (AUPs)
Information Dissemination—How to Educate Employees
Hard Copy DisseminationPosting Policies on the IntranetUsing EmailBrown Bag Lunches and Learning Sessions
Policy Implementation Issues
Governance and Monitoring
Best Practices for IT Security Policy Implementations
Case Studies and Examples of IT Security Policy Implementations
CIO MagazineSANSPublic Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENTENDNOTES
CHAPTER 14 IT Security Policy Enforcement
Organizational Support for IT Security Policy Enforcement
Executive Management SponsorshipGovernance Versus Management Organizational StructureThe Hierarchical Organizational Approach to Security Policy ImplementationProject CommitteeArchitecture Review CommitteeExternal Connection CommitteeVendor Governance CommitteeSecurity Compliance CommitteeOperational Risk CommitteeFront-Line Managers’ and Supervisors’ Responsibility and AccountabilityGrass-Roots Employees
An Organization’s Right to Monitor User Actions and Traffic
Internet UseEmail UseComputer Use
Compliance Law: Requirement or Risk Management?
What Is Law and What Is Policy?
What Security Controls Work to Enforce Protection of Personal Data?
What Automated Security Controls Can Be Implemented Through Policy?
What Manual Security Controls Assist with Enforcement?
Legal Implications of IT Security Policy Enforcement
Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
Where Must IT Security Policy Enforcement Come From?
Best Practices for IT Security Policy Enforcement
Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
Private Sector Case StudyPublic Sector Case Study 1Public Sector Case Study 2
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENT
CHAPTER 15 IT Policy Compliance and Compliance Technologies
Creating a Baseline Definition for Information Systems Security
Policy-Defining Overall IT Infrastructure Security DefinitionVulnerability Window and Information Security Gap Definition
Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
Automated SystemsRandom Audits and Departmental ComplianceOverall Organizational Report Card for Policy Compliance
Automating IT Security Policy Compliance
Automated Policy DistributionTraining Administrators and UsersOrganizational AcceptanceTesting for EffectivenessAudit TrailsConfiguration Management and Change Control ManagementConfiguration Management DatabaseTracking, Monitoring, and Reporting Configuration ChangesCollaboration and Policy Compliance Across Business AreasVersion Control for Policy Implementation Guidelines and Compliance
Compliance Technologies and Solutions
COSO Internal Control—Integrated FrameworkSCAPSNMPWBEMDigital Signing
Best Practices for IT Security Policy Compliance Monitoring
Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
Private Sector Case Study 1Private Sector Case Study 2Nonprofit Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index

Overview

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES Security Policies and Implementation Issues, Third Edition offers a comprehensive, end-to-end view of information security policies and frameworks from the raw organizational mechanics of building to the psychology of implementation. Written by industry experts, the new Third Edition presents an effective balance between technical knowledge and soft skills, while introducing many different concepts of information security in clear simple terms such as governance, regulator mandates, business drivers, legal considerations, and much more. With step-by-step examples and real-world exercises, this book is a must-have resource for students, security officers, auditors, and risk leaders looking to fully understand the process of implementing successful sets of security policies and frameworks. Instructor Materials for Security Policies and Implementation Issues include: PowerPoint Lecture Slides Instructor's Guide Sample Course Syllabus Quiz & Exam Questions Case Scenarios/Handouts About the Series This book is part of the Information Systems Security and Assurance Series from Jones and Bartlett Learning. Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Security Policies and Implementation Issues, 2nd Edition

Publisher Resources

ISBN: 9781284199925

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security Policies and Implementation Issues, 3rd Edition

by Robert Johnson, Chuck Easttom

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Security Policies and Implementation Issues, 2nd Edition

Writing Information Security Policies

Security Program and Policies: Principles and Practices, Second Edition

Information Security Management, 2nd Edition

Publisher Resources