IT Governance

by Alan Calder; Steve Watkins
  • ISBN13: 9780749440787
  • ISBN10: 0749440783
  • Edition: 2nd
  • Format: Hardcover
  • Copyright: 2003-09-01
  • Publisher: Kogan Page Ltd


Summary

"Companies across the USA, worried that cyberspace will be terrorism's next battleground, have shored up security since September 11. About 77% of businesses improved defenses against hackers, viruses and other attacks. Such threats are real. Cyberspace attacks jumped 64% from a year ago." -- USA Today 8/19/02

  • 60% of organizations have suffered a data security breach in the last 2 years. 43% of those with sensitive or critical information have suffered an extremely serious one.
  • IT security is now the key boardroom issue of the e-commerce age.
  • Aimed at CEOs, FOs, and senior managers in the private and public sectors.
  • Explains current "best practice" in managing data and information security.
  • Encourages companies to ensure effective management control and legal compliance through attaining BS 7799 / ISO 17799.

IT governance is a critical aspect of corporate governance, and recent reports have focused boardroom attention on the need to ensure "best practice" in IT management. This important guide, now updated to contain the final BS 7799 / ISO 17799 nomenclature, explains current best practice in managing data and information security and gives a clear action plan for attaining certification. It is an essential resource for directors and senior managers in organizations of all sorts and sizes, but particularly those with well-developed IT systems and those focused on e-commerce.

Topics covered include: the need for information security and the benefits of certification; information security management, policy and scope; risk assessment; personnel security; physical and environmental security; equipment security; security controls; controls against malicious software; exchanges of software, the Internet and e-mail; access control; housekeeping, network management and media handling; mobile computing and teleworking; systems development and maintenance; cryptographic controls; compliance.

Author Biography

Alan Calder is a founder director of IT Governance Ltd. Steve Watkins is Head of Corporate Services at HMCPSI.

Table of Contents

Foreword (Nigel Turnbull) xi
Introduction 1(6)
  Background 1(6)
1. Why is information security necessary? 7(12)
  Nature of information security threats 8(1)
  Prevalence of information security threats 9(1)
  Impacts of information security threats 10(1)
  Cybercrime 11(3)
  Cyberwar 14(2)
  Legislation 16(1)
  Benefits of an information security management system 17(2)
2. The Combined Code and the Turnbull Report 19(6)
  The Combined Code 19(1)
  The Turnbull Report 19(4)
  IT governance 23(2)
3. BS 7799 25(14)
  Benefits of certification 25(1)
  History of BS 7799 and ISO 17799 26(1)
  Use of the standard 27(1)
  ISO 17799 28(2)
  PDCA and Process Approach 30(1)
  Structured approach to implementation 31(1)
  Quality system integration 32(1)
  Documentation 33(5)
  Continual improvement 38(1)
4. Information security management 39(20)
  The management information security forum 39(2)
  Information security manager 41(1)
  Management review 41(1)
  The cross-functional management forum 42(2)
  BS 7799 project group 44(5)
  Authorization process for information processing facilities 49(1)
  Product selection and the Common Criteria 50(2)
  Specialist information security advice 52(4)
  Co-operation between organizations 56(1)
  Independent review of information security 57(1)
  Summary 58(1)
5. Information security policy and scope 59(8)
  Information security policy 59(5)
  A policy statement 64(1)
  Costs and monitoring progress 65(2)
6. The risk assessment and statement of applicability 67(18)
  Approach to risk 67(12)
  Selection of controls and statement of applicability 79(2)
  Gap analysis 81(1)
  Risk assessment tools 82(1)
  Risk treatment plan 83(2)
7. Security of third party access and outsourcing 85(10)
  Identification of risks 85(1)
  Types of access 86(1)
  Reasons for access 87(1)
  Onsite contractors 88(2)
  Security requirements in third party contracts 90(3)
  Outsourcing 93(2)
8. Asset classification and control 95(14)
  Asset owners 95(1)
  Inventory 95(3)
  Information classification 98(3)
  Unified classification markings 101(2)
  Information labelling and handling 103(5)
  Non-disclosure agreements and trusted partners 108(1)
9. Personnel security 109(20)
  Job descriptions and competence requirements 109(2)
  Personnel screening and policy 111(3)
  Confidentiality agreements and terms of employment 114(2)
  User training and awareness 116(5)
  Responding to security incidents and malfunctions 121(4)
  Learning from incidents 125(1)
  Disciplinary process 126(3)
10. Physical and environmental security 129(10)
  Secure areas 129(8)
  Isolated delivery and loading areas 137(2)
11. Equipment security 139(8)
  Equipment siting and protection 139(3)
  Power supplies 142(1)
  Cabling security 143(1)
  Equipment maintenance 144(1)
  Security of equipment off-premises 145(1)
  Secure disposal or re-use of equipment 146(1)
12. General security controls 147(4)
  Clear desk and clear screen policy 147(1)
  Removal of property 148(3)
13. Communications and operations management 151(12)
  Documented operating procedures 151(2)
  Operational change control 153(1)
  Incident management procedures 154(2)
  Segregation of duties 156(1)
  Separation of development and operational facilities 156(1)
  External facilities management 157(1)
  System planning and acceptance 158(5)
14. Controls against malicious software (malware) 163(8)
  Viruses, worms and Trojans 163(1)
  Anti-malware software 164(2)
  Hoax messages 166(1)
  Anti-malware controls 167(2)
  Airborne viruses 169(2)
15. Housekeeping, network management and media handling 171(10)
  Network management 175(2)
  Media handling and security 177(4)
16. Exchanges of information and software 181(16)
  Information and software exchange agreements 181(1)
  Security of media in transit 182(1)
  Electronic commerce security 183(2)
  Security technologies 185(3)
  Server security 188(1)
  Security of electronic office systems 189(2)
  Publicly available systems 191(2)
  Other forms of information exchange 193(4)
17. E-mail and Internet use 197(8)
  Security risks in e-mail 197(2)
  Misuse of the Internet 199(2)
  Internet Acceptable Use Policy (AUP) 201(4)
18. Access control 205(16)
  Hackers 205(1)
  Hacker techniques 206(3)
  System configuration 209(1)
  Access control policy 209(12)
19. Network access control 221(12)
  Networks 221(4)
  Network security 225(8)
20. Operating system access control 233(6)
  Automatic terminal identification 233(1)
  Terminal logon procedures 234(1)
  User identification and authentication 235(1)
  Password management system 235(1)
  Use of system utilities 236(1)
  Duress alarms 237(1)
  Terminal time-out 237(1)
  Limitation of connection time 237(2)
21. Application access control 239(6)
  Monitoring system access and use 241(4)
22. Mobile computing and teleworking 245(4)
  Mobile computing 245(1)
  Teleworking 246(3)
23. Systems development and maintenance 249(4)
  Security requirements analysis and specification 249(1)
  Security in application systems 250(3)
24. Cryptographic controls 253(6)
  Encryption 254(1)
  Public Key Infrastructure (PKI) 255(1)
  Digital signatures 256(1)
  Non-repudiation services 256(1)
  Key management 257(2)
25. Security in development and support processes 259(6)
  System files 259(1)
  Access control to program source library 260(1)
  Development and support processes 261(4)
26. Business continuity management 265(12)
  Business continuity management process 265(1)
  Business continuity and impact analysis 266(1)
  Writing and implementing continuity plans 267(1)
  Business continuity planning framework 268(4)
  Testing, maintaining and re-assessing business continuity plans 272(5)
27. Compliance 277(18)
  Identification of applicable legislation 277(6)
  Intellectual Property Rights (IPR) 283(4)
  Safeguarding of organizational records 287(1)
  Data protection and privacy of personal information 288(1)
  Prevention of misuse of information processing facilities 289(1)
  Regulation of cryptographic controls 289(1)
  Collection of evidence 290(1)
  Review of security policy, technical compliance and internal ISMS audits 291(2)
  System audit considerations 293(2)
28. The BS 7799 audit 295(6)
  Selection of auditors 295(1)
  Initial visit 296(1)
  Preparation for audit 297(4)
Appendices 301(10)
  I. Useful websites 303(8)
    Consultancy firms 303(1)
    BS 7799 certification organizations 303(1)
    E-learning 304(1)
    Microsoft 304(1)
    Information security 304(2)
    Accounting, finance and economics 306(1)
    Business, management and governance 307(1)
    Contingency planning and disaster recovery 307(1)
    Information technology 308(1)
    Risk management 309(2)
  II. BS 7799-2:2002 311(6)
  III. Further reading 317(2)
Index 319
