Information Security Governance Simplified: From the Boardroom to the Keyboard

by ;
  • ISBN13:
  • ISBN10:
  • Edition: 1st
  • Format: Hardcover
  • Copyright: 2011-12-20
  • Publisher: CRC Press

Security practitioners must be able to build a cost-effective security program while at the same time meeting the requirements of government regulations. This book lays out these regulations in simple terms and explains how to use the control frameworks to build an effective information security program and governance structure. It discusses how an organization ensures that its information is protected, from the Board of Directors to the keyboard, or end user, delineating the role each.

Table of Contents

Foreword p. xvii
Acknowledgments p. xxi
Introduction p. xxiii
About the Author p. xxvii
Getting Information Security Right: Top to Bottom p. 1
Information Security Governance p. 2
Tone at the Top p. 5
Tone at the Bottom p. 5
Governance, Risk, and Compliance (GRC) p. 6
The Compliance Dilemma p. 7
Suggested Reading p. 10
Developing Information Security Strategy p. 11
Evolution of Information Security p. 15
Organization Historical Perspective p. 16
Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt p. 16
Understand the External Environment p. 17
Regulatory p. 17
Competition p. 18
Emerging Threats p. 19
Technology Cost Changes p. 19
External Independent Research p. 20
The Internal Company Culture p. 20
Risk Appetite p. 21
Speed p. 22
Collaborative versus Authoritative p. 22
Trust Level p. 23
Growth Seeker or Cost Cutter p. 24
Company Size p. 25
Outsourcing Posture p. 25
Prior Security Incidents, Audits p. 26
Security Strategy Development Techniques p. 28
Mind Mapping p. 28
SWOT Analysis p. 30
Balanced Scorecard p. 32
Face-to-Face Interviews p. 32
Security Planning p. 34
Strategic p. 34
Tactical p. 35
Operational/Project Plans p. 35
Suggested Reading p. 36
Defining the Security Management Organization p. 37
History of the Security Leadership Role Is Relevant p. 37
The New Security Officer Mandate p. 40
Day 1: Hey, I Got the Job! p. 41
Security Leader Titles p. 42
Techie versus Leader p. 43
The Security Leader's Library p. 44
Security Leadership Defined p. 45
Security Leader Soft Skills p. 46
Seven Competencies for Effective Security Leadership p. 46
Security Functions p. 52
Learning from Leading Organizations p. 52
Assess Risk and Determine Needs p. 53
Implement Policies and Controls p. 54
Promote Awareness p. 56
Monitor and Evaluate p. 56
Central Management p. 56
What Functions Should the Security Officer Be Responsible For? p. 57
Assessing Risk and Determining Needs Functions p. 58
Risk Assessment/Analysis p. 58
Systems Security Plan Development p. 59
External Penetration Testing p. 60
Implement Policies and Control Functions p. 61
Security Policy Development p. 61
Security Architecture p. 61
Security Control Assessment p. 62
Identity and Access Management p. 62
Business Continuity and Disaster Recovery p. 63
Promote Awareness Functions p. 64
End User Security Awareness Training p. 64
Intranet Site and Policy Publication p. 65
Targeted Awareness p. 65
Monitor and Evaluate Functions p. 65
Security Baseline Configuration Review p. 66
Logging and Monitoring p. 67
Vulnerability Assessment p. 67
Internet Monitoring/Management of Managed Services p. 68
Incident Response p. 68
Forensic Investigations p. 69
Central Management Functions p. 69
Reporting Model p. 70
Business Relationships p. 71
Reporting to the CEO p. 71
Reporting to the Information Systems Department p. 72
Reporting to Corporate Security p. 72
Reporting to the Administrative Services Department p. 73
Reporting to the Insurance and Risk Management Department p. 73
Reporting to the Internal Audit Department p. 74
Reporting to the Legal Department p. 74
Determining the Best Fit p. 75
Suggested Reading p. 75
Interacting with the C-Suite p. 77
Communication between the CEO, CIO, Other Executives, and CISO p. 78
13 "Lucky" Questions to Ask One Another p. 80
The CEO, Ultimate Decision Maker p. 81
The CEO Needs to Know Why p. 87
The CIO, Where Technology Meets the Business p. 87
CIO's Commitment to Security Is Important p. 94
The Security Officer, Protecting the Business p. 95
The CEO, CIO, and CISO Are Business Partners p. 100
Building Grassroots Support through an Information Security Council p. 101
Establishing the Security Council p. 101
Oversight of Security Program p. 103
Decide on Project Initiatives p. 103
Prioritize Information Security Efforts p. 103
Review and Recommend Security Policies p. 103
Champion Organizational Security Efforts p. 104
Recommend Areas Requiring Investment p. 104
Appropriate Security Council Representation p. 104
"-Inging" the Council: Forming, Storming, Norming, and Performing p. 107
Forming p. 107
Storming p. 108
Norming p. 108
Performing p. 109
Integration with Other Committees p. 109
Establish Early, Incremental Success p. 111
Let Go of Perfectionism p. 112
Sustaining the Security Council p. 113
End User Awareness p. 114
Security Council Commitment p. 116
Suggested Reading p. 117
Managing Risk to an Acceptable Level p. 119
Risk in Our Daily Lives p. 120
Accepting Organizational Risk p. 121
Just Another Set of Risks p. 122
Management Owns the Risk Decision p. 122
Qualitative versus Quantitative Risk Analysis p. 123
Risk Management Process p. 124
Risk Analysis Involvement p. 124
Step 1: Categorize the System p. 125
Step 2: Identify Potential Dangers (Threats) p. 128
Human Threats p. 128
Environmental/Physical Threats p. 128
Technical Threats p. 129
Step 3: Identify Vulnerabilities That Could Be Exploited p. 129
Step 4: Identify Existing Controls p. 130
Step 5: Determine Exploitation Likelihood Given Existing Controls p. 131
Step 6: Determine Impact Severity p. 132
Step 7: Determine Risk Level p. 134
Step 8: Determine Additional Controls p. 135
Risk Mitigation Options p. 135
Risk Assumption p. 135
Risk Avoidance p. 136
Risk Limitation p. 136
Risk Planning p. 136
Risk Research p. 136
Risk Transference p. 137
Conclusion p. 137
Suggested Reading p. 137
Creating Effective Information Security Policies p. 139
Why Information Security Policies Are Important p. 139
Avoiding Shelfware p. 140
Electronic Policy Distribution p. 141
Canned Security Policies p. 142
Policies, Standards, Guidelines Definitions p. 143
Policies Are Written at a High Level p. 143
Policies p. 145
Security Policy Best Practices p. 145
Types of Security Policies p. 147
Standards p. 149
Procedures p. 150
Baselines p. 151
Guidelines p. 152
Combination of Policies, Standards, Baselines, Procedures, and Guidelines p. 153
Policy Analogy p. 153
An Approach for Developing Information Security Policies p. 154
Utilizing the Security Council for Policies p. 155
The Policy Review Process p. 156
Information Security Policy Process p. 161
Suggested Reading p. 161
Security Compliance Using Control Frameworks p. 163
Security Control Frameworks Defined p. 163
Security Control Frameworks and Standards Examples p. 164
Health Insurance Portability and Accountability Act (HIPAA) p. 164
Federal Information Security Management Act of 2002 (FISMA) p. 164
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) p. 164
Federal Information System Controls Audit Manual (FISCAM) p. 165
ISO/IEC 27001:2005 Information Security Management Systems - Requirements p. 165
ISO/IEC 27002:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management p. 166
Control Objectives for Information and Related Technology (COBIT) p. 167
Payment Card Industry Data Security Standard (PCI DSS) p. 167
Information Technology Infrastructure Library (ITIL) p. 168
Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides p. 168
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook p. 169
The World Operates on Standards p. 169
Standards Are Dynamic p. 171
The How Is Typically Left Up to Us p. 171
Key Question: Why Does the Standard Exist? p. 173
Compliance Is Not Security, But It Is a Good Start p. 173
Integration of Standards and Control Frameworks p. 174
Auditing Compliance p. 175
Adoption Rate of Various Standards p. 175
ISO 27001/2 Certification p. 176
NIST Certification p. 177
Control Framework Convergence p. 177
The 11-Factor Compliance Assurance Manifesto p. 178
The Standards/Framework Value Proposition p. 183
Suggested Reading p. 183
Managerial Controls: Practical Security Considerations p. 185
Security Control Convergence p. 185
Security Control Methodology p. 188
Security Assessment and Authorization Controls p. 188
Planning Controls p. 189
Risk Assessment Controls p. 190
System and Services Acquisition Controls p. 191
Program Management Controls p. 193
Suggested Reading p. 211
Technical Controls: Practical Security Considerations p. 213
Access Control Controls p. 213
Audit and Accountability Controls p. 214
Identification and Authentication p. 215
System and Communications Protections p. 215
Suggested Reading p. 238
Operational Controls: Practical Security Considerations p. 239
Awareness and Training Controls p. 239
Configuration Management Controls p. 240
Contingency Planning Controls p. 240
Incident Response Controls p. 241
Maintenance Controls p. 241
Media Protection Controls p. 242
Physical and Environmental Protection Controls p. 243
Personnel Security Controls p. 244
System and Information Integrity Controls p. 245
Suggested Reading p. 276
The Auditors Have Arrived, Now What? p. 277
Anatomy of an Audit p. 278
Audit Planning Phase p. 279
Preparation of Document Request List p. 280
Gather Audit Artifacts p. 284
Provide Information to Auditors p. 285
On-Site Arrival Phase p. 287
Internet Access p. 287
Reserve Conference Rooms p. 288
Physical Access p. 289
Conference Phones p. 290
Schedule Entrance, Exit, Status Meetings p. 290
Set Up Interviews p. 291
Audit Execution Phase p. 292
Additional Audit Meetings p. 293
Establish Auditor Communication Protocol p. 293
Establish Internal Company Protocol p. 294
Media Handling p. 296
Audit Coordinator Quality Review p. 298
The Interview Itself p. 298
Entrance, Exit, and Status Conferences p. 299
Entrance Meeting p. 299
Exit Meeting p. 301
Status Meetings p. 301
Report Issuance and Finding Remediation Phase p. 302
Suggested Reading p. 304
Effective Security Communications p. 305
Why a Chapter Dedicated to Security Communications? p. 305
End User Security Awareness Training p. 306
Awareness Definition p. 307
Delivering the Message p. 308
Step 1: Security Awareness Needs Assessment p. 308
New or Changed Policies p. 308
Past Security Incidents p. 309
Systems Security Plans p. 309
Audit Findings and Recommendations p. 309
Event Analysis p. 310
Industry Trends p. 310
Management Concerns p. 310
Organizational Changes p. 311
Step 2: Program Design p. 311
Target Audience p. 311
Frequency of Sessions p. 311
Number of Users p. 312
Method of Delivery p. 312
Resources Required p. 312
Step 3: Develop Scope p. 312
Determine Participants Needing Training p. 312
Business Units p. 313
Select Theme p. 313
Step 4: Content Development p. 314
Step 5: Communication and Logistics Plan p. 315
Step 6: Awareness Delivery p. 316
Step 7: Evaluation/Feedback Loops p. 317
Security Awareness Training Does Not Have to Be Boring p. 317
Targeted Security Training p. 317
Continuous Security Reminders p. 319
Utilize Multiple Security Awareness Vehicles p. 319
Security Officer Communication Skills p. 320
Talking versus Listening p. 320
Roadblocks to Effective Listening p. 321
Generating a Clear Message p. 323
Influencing and Negotiating Skills p. 323
Written Communication Skills p. 324
Presentation Skills p. 325
Applying Personality Type to Security Communications p. 326
The Four Myers-Briggs Type Indicator (MBTI) Preference Scales p. 326
Extraversion versus Introversion Scale p. 327
Sensing versus Intuition Scale p. 327
Thinking versus Feeling Scale p. 328
Judging versus Perceiving Scale p. 328
Determining Individual MBTI Personality p. 329
Summing Up the MBTI for Security p. 334
Suggested Reading p. 334
The Law and Information Security p. 337
Civil Law versus Criminal Law p. 339
Electronic Communications Privacy Act of 1986 (ECPA) p. 340
The Computer Security Act of 1987 p. 341
The Privacy Act of 1974 p. 342
Sarbanes-Oxley Act of 2002 (SOX) p. 342
Gramm-Leach-Bliley Act (GLBA) p. 344
Health Insurance Portability and Accountability Act of 1996 p. 345
Health Information Technology for Economic and Clinical Health (HITECH) Act p. 348
Federal Information Security Management Act of 2002 (FISMA) p. 348
Summary p. 350
Suggested Reading p. 350
Learning from Information Security Incidents p. 353
Recent Security Incidents p. 355
Texas State Comptroller p. 355
Sony PlayStation Network p. 356
Student Loan Social Security Numbers Stolen p. 358
Social Security Numbers Printed on Outside of Envelopes p. 359
Valid E-Mail Addresses Exposed p. 360
Office Copier Hard Disk Contained Confidential Information p. 362
Advanced Persistent Threat Targets Security Token p. 362
Who Will Be Next? p. 364
Every Control Could Result in an Incident p. 365
Suggested Reading p. 366
17 Ways to Dismantle Information Security Governance Efforts p. 369
Final Thoughts p. 379
Suggested Reading p. 381
Index p. 383
Table of Contents provided by Ingram. All Rights Reserved.