Krag Brotby, CISM, has more than twenty-five years of experience in the computer security field with a focus on governance, metrics, and architecture. A frequent presenter at security conferences, he has authored a variety of publications on information security risk management, governance, and metrics. A principal author and editor of the ISACA CISM review manual and related presentation materials, he has served on the CISM Practice Analysis Task Force defining the information security practice area for the coming years.
Acknowledgments | p. xi |
Introduction | p. xiii |
Governance Overview-How Do We Do It? What Do We Get Out of It? | p. 1 |
What Is It? | p. 1 |
Back to Basics | p. 2 |
Origins of Governance | p. 3 |
Governance Definition | p. 5 |
Information Security Governance | p. 5 |
Six Outcomes of Effective Security Governance | p. 6 |
Defining Information, Data, Knowledge | p. 7 |
Value of Information | p. 7 |
Why Governance? | p. 9 |
Benefits of Good Governance | p. 11 |
Aligning Security with Business Objectives | p. 11 |
Providing the Structure and Framework to Optimize Allocations of Limited Resources | p. 12 |
Providing Assurance that Critical Decisions are Not Based on Faulty Information | p. 13 |
Ensuring Accountability for Safeguarding Critical Assets | p. 13 |
Increasing Trust of Customers and Stakeholders | p. 14 |
Increasing the Company's Worth | p. 14 |
Reducing Liability for Information Inaccuracy or Lack of Due Care in Protection | p. 14 |
Increasing Predictability and Reducing Uncertainty of Business Operations | p. 15 |
A Management Problem | p. 15 |
Legal and Regulatory Requirements | p. 17 |
Security Governance and Regulation | p. 18 |
Roles and Responsibilities | p. 21 |
The Board of Directors | p. 22 |
Executive Management | p. 22 |
Security Steering Committee | p. 24 |
The CISO | p. 24 |
Strategic Metrics | p. 27 |
Governance Objectives | p. 28 |
Strategic Direction | p. 29 |
Ensuring Objectives are Achieved | p. 29 |
Risks Managed Appropriately | p. 30 |
Verifying that Resources are Used Responsibly | p. 31 |
Information Security Outcomes | p. 33 |
Defining Outcomes | p. 33 |
Strategic Alignment-Aligning Security Activities in Support of Organizational Objectives | p. 34 |
Risk Management-Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level | p. 36 |
Business Process Assurance/Convergence-Integrating All Relevant Assurance Processes to Improve Overall Security and Efficiency | p. 39 |
Value Delivery-Optimizing Investments in Support of Organizational Objectives | p. 42 |
Resource Management-Using Organizational Resources Efficiently and Effectively | p. 44 |
Performance Measurement-Monitoring and Reporting on Security Processes to Ensure that Objectives are Achieved | p. 45 |
Security Governance Objectives | p. 47 |
Security Architecture | p. 48 |
Managing Complexity | p. 48 |
Providing a Framework and Road Map | p. 50 |
Simplicity and Clarity through Layering and Modularization | p. 50 |
Business Focus Beyond the Technical Domain | p. 50 |
Objectives of Information Security Architectures | p. 50 |
SABSA Framework for Security Service Management | p. 54 |
SABSA Development Process | p. 54 |
SABSA Life Cycle | p. 54 |
SABSA Attributes | p. 56 |
CobiT | p. 58 |
Capability Maturity Model | p. 59 |
ISO/IEC 27001/27002 | p. 63 |
ISO 27001 | p. 64 |
ISO 27002 | p. 67 |
Other Approaches | p. 68 |
National Cybersecurity Task Force, Information Security Governance: A Call to Action | p. 68 |
Risk Management Objectives | p. 75 |
Risk Management Responsibilities | p. 76 |
Managing Risk Appropriately | p. 76 |
Determining Risk Management Objectives | p. 77 |
Recovery Time Objectives | p. 78 |
Current State | p. 81 |
Current State of Security | p. 81 |
SABSA | p. 82 |
CobiT | p. 82 |
CMM | p. 82 |
ISO/IEC 27001, 27002 | p. 83 |
Cyber Security Taskforce Governance Framework | p. 83 |
Current State of Risk Management | p. 84 |
Gap Analysis-Unmitigated Risk | p. 84 |
SABSA | p. 85 |
CMM | p. 85 |
Developing a Security Strategy | p. 87 |
Failures of Strategy | p. 88 |
Attributes of a Good Security Strategy | p. 89 |
Strategy Resources | p. 91 |
Utilizing Architecture for Strategy Development | p. 94 |
Using CobiT for Strategy Development | p. 94 |
Using CMM for Strategy Development | p. 96 |
Strategy Constraints | p. 96 |
Contextual Constraints | p. 97 |
Operational Constraints | p. 97 |
Sample Strategy Development | p. 99 |
The Process | p. 100 |
Implementing Strategy | p. 109 |
Action Plan Intermediate Goals | p. 109 |
Action Plan Metrics | p. 110 |
Reengineering | p. 110 |
Inadequate Performance | p. 110 |
Elements of Strategy | p. 110 |
Policy Development | p. 111 |
Standards | p. 116 |
Summary | p. 125 |
Security Program Development Metrics | p. 127 |
Information Security Program Development Metrics | p. 127 |
Program Development Operational Metrics | p. 129 |
Information Security Management Metrics | p. 131 |
Management Metrics | p. 132 |
Security Management Decision Support Metrics | p. 132 |
CISO Decisions | p. 134 |
Strategic Alignment-Aligning Security Activities in Support of Organizational Objectives | p. 134 |
Risk Management-Executing Appropriate Measures to Manage Risks and Potential Impacts to an Acceptable Level | p. 137 |
Metrics for Risk Management | p. 138 |
Assurance Process Integration | p. 141 |
Value Delivery-Optimizing Investments in Support of the Organization's Objectives | p. 142 |
Resource Management-Using Organizational Resources Efficiently and Effectively | p. 144 |
Performance Measurement-Monitoring and Reporting on Security Processes to Ensure that Organizational Objectives are Achieved | p. 145 |
Information Security Operational Metrics | p. 145 |
IT and Information Security Management | p. 145 |
Compliance Metrics | p. 146 |
Incident Management and Response Metrics | p. 155 |
Incident Management Decision Support Metrics | p. 156 |
Is It Actually an Incident? | p. 156 |
What Kind of Incident Is It? | p. 157 |
Is It a Security Incident? | p. 157 |
What Is the Security Level? | p. 157 |
Are There Multiple Events and/or Impacts? | p. 158 |
Will an Incident Need Triage? | p. 158 |
What Is the Most Effective Response? | p. 158 |
What Immediate Actions Must be Taken? | p. 158 |
Which Incident Response Teams and Other Personnel Must be Mobilized? | p. 159 |
Who Must be Notified? | p. 159 |
Who Is in Charge? | p. 159 |
Is It Becoming a Disaster? | p. 159 |
Conclusion | p. 161 |
SABSA Business Attributes and Metrics | p. 163 |
Cultural Worldviews | p. 181 |
Hierarchists | p. 181 |
Egalitarians | p. 181 |
Individualists | p. 182 |
Fatalists | p. 182 |
Index | p. 185 |
Table of Contents provided by Ingram. All Rights Reserved.