IT Governance : A Manager's Guide to Data Security and BS 7799/ ISO 17799

by Alan Calder and Steve Watkins

  • ISBN13: 9780749444143
  • ISBN10: 0749444142
  • Edition: 3rd
  • Format: Hardcover
  • Copyright: 2005-09-10
  • Publisher: Kogan Page Ltd


Summary

"Written for managers, this addresses how they should comply with best practice on the security, confidentiality and integrity of data stored on IT systems." The Times

"Should be read by every computer professional with responsibility for security." IMIS Journal

The development of IT governance, which recognizes the convergence between business and IT management, makes it essential for managers at all levels and in organizations of all sizes to understand how best to deal with information security risks. Also, the Turnbull report on company risk management (alongside laws and regulations throughout the OECD) gives company directors a legal responsibility to act on computer and information security. Containing the latest revisions to BS 7799 and ISO 17799, this book guides business managers through the issues involved in achieving ISO certification in Information Security Management and covers all aspects of data security.

Author Biography

Alan Calder is a founder director of IT Governance Ltd. Steve Watkins is Head of Corporate Services at HMCPSI.

Table of Contents

Foreword by Nigel Turnbull
How to use this book
Acknowledgements
Introduction
  The information economy
  What is IT governance?
  Information security
1. Why is information security necessary?
  Nature of information security threats
  Prevalence of information security threats
  Impacts of information security threats
  Cybercrime
  Cyberwar
  Future risks
  Legislation
  Benefits of an information security management system
2. The Combined Code, the Turnbull Report and Sarbanes-Oxley
  The Combined Code
  The Turnbull Report
  Revised Combined Code
  Sarbanes-Oxley
  IT governance
3. BS 7799
  Benefits of certification
  History of BS 7799 and ISO/IEC 17799
  Use of the standard
  ISO/IEC 17799
  PDCA and process approach
  Structured approach to implementation
  Quality system integration
  Documentation
  Continual improvement and metrics
4. Organizing information security
  Internal organization
  Management review
  Information security manager
  The cross-functional management forum
  BS 7799 project group
  Approval process for information processing facilities
  Product selection and the Common Criteria
  Specialist information security advice
  Contact with authorities and special interest groups
  Independent review of information security
  Summary
5. Information security policy and scope
  Information security policy
  A policy statement
  Costs and monitoring progress
6. The risk assessment and statement of applicability
  Establishing security requirements
  Risks, impacts and risk management
  Selection of controls and statement of applicability
  Gap analysis
  Risk assessment tools
  Risk treatment plan
7. External parties
  Identification of risks related to external parties
  Types of access
  Reasons for access
  Outsourcing
  On-site contractors
  Addressing security when dealing with customers
  Addressing security in third party agreements
8. Asset management
  Asset owners
  Inventory
  Acceptable use of assets
  Information classification
  Unified classification markings
  Information labelling and handling
  Non-disclosure agreements and trusted partners
9. Human resources security
  Job descriptions and competence requirements
  Screening
  Terms and conditions of employment
  During employment
  Disciplinary process
  Termination or change of employment
10. Physical and environmental security
  Secure areas
  Public access, delivery and loading areas
11. Equipment security
  Equipment siting and protection
  Supporting utilities
  Cabling security
  Equipment maintenance
  Security of equipment off-premises
  Secure disposal or reuse of equipment
  Removal of property
12. Communications and operations management
  Documented operating procedures
  Change management
  Segregation of duties
  Separation of development, test and operational facilities
  Third party service delivery management
  Monitoring and review of third party services
  Managing changes to third party services
  System planning and acceptance
13. Controls against malicious software (malware) and back-ups
  Viruses, worms and Trojans
  Spyware
  Anti-malware software
  Hoax messages
  Anti-malware controls
  Airborne viruses
  Controls against mobile code
  Back-up
14. Network security management and media handling
  Network management
  Media handling
15. Exchanges of information
  Information exchange policies and procedures
  Exchange agreements
  Physical media in transit
  Business information systems
16. Electronic commerce services
  E-commerce issues
  Security technologies
  Server security
  Online transactions
  Publicly available information
17. E-mail and internet use
  Security risks in e-mail
  Spam
  Misuse of the internet
  Internet acceptable use policy (AUP)
18. Access control
  Hackers
  Hacker techniques
  System configuration
  Access control policy
  User access management
  Clear desk and clear screen policy
19. Network access control
  Networks
  Network security
20. Operating system access control
  Secure log-on procedures
  User identification and authentication
  Password management system
  Use of system utilities
  Session time-out
  Limitation of connection time
21. Application access control and teleworking
  Application and information access control
  Mobile computing and teleworking
22. Systems acquisition, development and maintenance
  Security requirements analysis and specification
  Correct processing in applications
23. Cryptographic controls
  Encryption
  Public key infrastructure (PKI)
  Digital signatures
  Non-repudiation services
  Key management
24. Security in development and support processes
  System files
  Access control to program source code
  Development and support processes
  Vulnerability management
25. Monitoring and information security incident management
  Monitoring
  Information security events
  Management of information security incidents and improvements
26. Business continuity management
  Business continuity management process
  Business continuity and risk assessment
  Developing and implementing continuity plans
  Business continuity planning framework
  Testing, maintaining and reassessing business continuity plans
27. Compliance
  Identification of applicable legislation
  Intellectual property rights (IPR)
  Safeguarding of organizational records
  Data protection and privacy of personal information
  Prevention of misuse of information processing facilities
  Regulation of cryptographic controls
  Compliance with security policies and standards
  Information systems audit considerations
28. The BS 7799 audit
  Selection of auditors
  Initial visit
  Preparation for audit
Appendices
  I. Useful websites
    IT governance
    BS 7799 certification organizations
    E-learning
    Microsoft
    Information security
    Accounting, finance and economics
    Business, management and governance
    Contingency planning and disaster recovery
    Information technology
    Risk management
  II. ISO/IEC 17799:2005
  III. Further reading
Index
