Book description
The security field evolves rapidly, becoming broader and more complex each year. The common thread tying the field together is the discipline of management. The Best Damn Security Manager's Handbook Period has comprehensive coverage of all management issues facing IT and security professionals and is an ideal resource for those dealing with a changing daily workload. Coverage includes Business Continuity, Disaster Recovery, Risk Assessment, Protection Assets, Project Management, Security Operations, Security Management, and Security Design & Integration.
Compiled from the best of the Syngress and Butterworth Heinemann libraries and authored by business continuity expert Susan Snedaker, this volume is an indispensable addition to a serious security professional's toolkit.
* An all-encompassing book, covering general security management issues and providing specific guidelines and checklists
* Anyone studying for a security-specific certification or ASIS certification will find this a valuable resource
* The only book to cover all major IT and security management issues in one place: disaster recovery, project management, operations management, and risk assessment
Table of contents
- Copyright
- About the Authors
- 1. From Vulnerability to Patch
  - 1. Windows of Vulnerability
  - 2. Vulnerability Assessment 101
  - 3. Vulnerability Assessment Tools
  - 4. Vulnerability Assessment: Step One
  - 5. Vulnerability Assessment: Step Two
  - 6. Going Further
  - 7. Vulnerability Management
  - 8. Vulnerability Management Tools
  - 9. Vulnerability and Configuration Management
  - 10. Regulatory Compliance
  - 11. Tying It All Together
    - Introduction
    - A Vulnerability Management Methodology
    - Step One: Know Your Assets
    - Step Two: Categorize Your Assets
    - Step Three: Create a Baseline Scan of Assets
    - Step Four: Perform a Penetration Test on Certain Assets
    - Step Five: Remediate Vulnerabilities and Risk
    - Step Six: Create a Vulnerability Assessment Schedule
    - Step Seven: Create a Patch and Change Management Process
    - Step Eight: Monitor for New Risks to Assets
- 2. Network Security Evaluation
  - 12. Introducing the INFOSEC Evaluation Methodology
  - 13. Before the Evaluation Starts
    - Introduction
    - The Evaluation Request
      - Why Are Evaluations Requested?
        - Compliance With Laws and Regulations
          - The Sarbanes-Oxley Act
          - Federal Information Security Management Act
          - Health Insurance Portability and Accountability Act of 1996
          - The Gramm-Leach-Bliley Act
          - The Family Educational Rights and Privacy Act
          - The DoD Information Technology Security Certification and Accreditation Process
          - The National Information Assurance Certification and Accreditation Process
          - Defense Information Assurance Certification and Accreditation Process
          - ISO 17799
          - The North American Electric Reliability Council
        - Response to Suspicious Activities
        - Third-Party Independent Reviews of Security Posture
        - It’s The Right Thing To Do
      - How Are Evaluations Requested?
    - Validating the Evaluation Request
    - The Formal Engagement Agreement
    - Customer and Evaluation Team Approval
    - Summary
  - 14. Setting Expectations
    - Introduction
    - Objectives of the Pre-Evaluation Phase
    - Understanding Concerns and Constraints
    - Obtaining Management Buy-In
    - Obtaining Technical Staff Buy-In
    - Establishing Points of Contact
    - Summary
  - 15. Scoping the Evaluation
    - Introduction
    - Focusing the Evaluation
    - Identifying the Rules of Engagement
    - Finding the Sources of Scoping Information
    - Staffing Your Project
    - Summary
  - 16. Legal Principles for Information Security Evaluations
    - Introduction
    - Uncle Sam Wants You: How Your Company’s Information Security Can Affect U.S. National Security
    - Legal Standards Relevant to Information Security
    - Do It Right or Bet the Company: Tools to Mitigate Legal Liability
      - We Did our Best; What is the Problem?
      - What Can Be Done?
        - Understand your Legal Environment
        - Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation
        - Use Contracts to Define Rights and Protect Information
        - Use Qualified Third-party Professionals
        - Making Sure Your Standards-of-care Assessments Keep Up with Evolving Law
        - Plan for the Worst
        - Insurance
    - What to Cover in IEM Contracts
      - What, Who, When, Where, How, and How Much
        - What
        - Who
          - Statement of Parties to the Contractual Agreement
          - Authority of Signatories to the Contractual Agreement
          - Roles and Responsibilities of Each Party to the Contractual Agreement
          - Non-disclosure and Secrecy Agreements
          - Assessment Personnel
          - Crisis Management and Public Communications
          - Indemnification, Hold Harmless, and Duty to Defend
          - Ownership and Control of Information
          - Intellectual Property Concerns
          - Licenses
        - When
        - Where
        - How
        - How Much
        - Murphy’s Law (When Something Goes Wrong)
        - Where the Rubber Meets the Road: The LOA as Liability Protection
    - The First Thing We Do...? Why You Want Your Lawyers Involved From Start to Finish
      - Attorney-client Privilege
      - Advice of Counsel Defense
      - Establishment and Enforcement of Rigorous Assessment, Interview, and Report-writing Standards
      - Creating a Good Record for Future Litigation
      - Maximizing Ability to Defend Litigation
      - Dealing with Regulators, Law Enforcement, Intelligence, and Homeland Security Officials
    - The Ethics of Information Security Evaluation
  - 17. Building the Technical Evaluation Plan
    - Introduction
    - Purpose of the Technical Evaluation Plan
    - Building the Technical Evaluation Plan
      - Source of the Technical Evaluation Plan Information
      - TEP Section I: Points of Contact
      - TEP Section II: Methodology Overview
      - TEP Section III: Criticality Information
      - TEP Section IV: Detailed Network Information
      - TEP Section V: Customer Concerns
      - TEP Section VI: Customer Constraints
      - TEP Section VII: Rules of Engagement
      - TEP Section VIII: Coordination Agreements
      - TEP Section IX: Letter of Authorization
      - TEP Section X: Timeline of Events
    - Customizing and Modifying the Technical Evaluation Plan
    - Getting the Signatures
    - Summary
  - 18. Starting Your Onsite Efforts
  - 19. Network Discovery Activities
  - 20. Collecting the Majority of Vulnerabilities
  - 21. Fine-Tuning the Evaluation
  - 22. The Onsite Closing Meeting
  - 23. Post-Evaluation Analysis
  - 24. Creating Measurements and Trending Results
  - 25. Trending Metrics
  - 26. Final Reporting
    - Introduction
    - Pulling All the Information Together
    - Making Recommendations
    - Creating the Final Report
    - Presenting the Final Report
    - Summary
  - 27. Summing Up the INFOSEC Evaluation Methodology
    - Introduction
    - The Pre-Evaluation Phase
    - The Onsite Evaluation
    - The Post-Evaluation Phase
    - Examples of INFOSEC Tools by Baseline Activity
      - Port Scanning
      - SNMP Scanning
      - Enumeration and Banner Grabbing
      - Wireless Enumeration*
      - Vulnerability Scanning
      - Host Evaluation
      - Network Device Analysis
      - Password-Compliance Testing
      - Application-Specific Scanning
      - Network Protocol Analysis
    - Technical Evaluation Plan Outline and Sample
      - Sample Technical Evaluation Plan
        - I. Evaluation Points of Contact
        - II. Methodology Overview
        - III. Organizational and System Criticality Information
        - IV. Detailed Network Information
        - V. Customer Concerns
        - VI. Customer Constraints
        - VII. Rules of Engagement
        - VIII. Internal and External Customer Requirements
        - IX. Coordination Agreements
        - X. Letter of Authorization
        - XI. Timeline of Evaluation Events
- 3. Business Continuity & Disaster Recovery
  - 28. Business Continuity and Disaster Recovery Overview
    - Introduction
    - Business Continuity and Disaster Recovery Defined
    - Components of Business
    - The Cost of Planning versus the Cost of Failure
    - Types of Disasters
    - Business Continuity and Disaster Recovery Planning Basics
    - Summary
  - 29. Project Initiation
    - Introduction
    - Elements of Project Success
    - Project Plan Components
    - Key Contributors and Responsibilities
    - Project Definition
    - Business Continuity and Disaster Recovery Project Plan
    - Plan Maintenance
    - Summary
  - 30. Risk Assessment
    - Introduction
    - Risk Management Basics
    - Risk Assessment Components
    - Threat Assessment Methodology
    - Vulnerability Assessment
    - Summary
  - 31. Business Impact Analysis
  - 32. Mitigation Strategy Development
  - 33. Business Continuity/Disaster Recovery Plan Development
    - Introduction
    - Phases of the Business Continuity and Disaster Recovery
    - Defining BC/DR Teams and Key Personnel
      - Crisis Management Team
      - Management
      - Damage Assessment Team
      - Operations Assessment Team
      - IT Team
      - Administrative Support Team
      - Transportation and Relocation Team
      - Media Relations Team
      - Human Resources Team
      - Legal Affairs Team
      - Physical/Personnel Security Team
      - Procurement Team (Equipment and Supplies)
      - General Team Guidelines
      - BC/DR Contact Information
    - Defining Tasks, Assigning Resources
    - Communications Plans
    - Event Logs, Change Control, and Appendices
    - What’s Next
    - Summary
  - 34. Emergency Response and Recovery
  - 35. Training, Testing, and Auditing
    - Introduction
    - Training for Disaster Recovery and Business Continuity
    - Testing the BC/DR Plan
    - Performing IT Systems and Security Audits
    - Summary
  - 36. BC/DR Plan Maintenance
  - 37. BC/DR Checklists
    - Risk Assessment
    - Mitigation Strategies
    - Crisis Communications Checklist
    - Business Continuity and Disaster Recovery Response Checklist
    - Emergency and Recovery Response Checklist
      - Activation Checklists
      - Emergency Response Checklists
        - Emergency Checklist One—General Emergency Response
        - Emergency Checklist Two—Evacuation or Shelter-in-Place Response
        - Emergency Checklist Three—Specific Emergency Responses
        - Emergency Checklist Four—Emergency Response Contact List, Maps, Floor Plans
        - Emergency Checklist Five—Emergency Supplies and Equipment
      - Recovery Checklists
        - Business Continuity Checklist
        - IT Recovery Checklists
    - Training, Testing, and Auditing Checklists
      - Training and Testing
      - IT Auditing
    - BC/DR Plan Maintenance Checklist
      - Change Management
Product information
- Title: The Best Damn IT Security Management Book Period
- Author(s):
- Release date: April 2011
- Publisher(s): Syngress
- ISBN: 9780080557335