Building a Practical Information Security Program

Label
Building a Practical Information Security Program
Title
Building a Practical Information Security Program
Creator
Contributor
Subject
Language
eng
Cataloging source
MiAaPQ
Literary form
non fiction
Nature of contents
dictionaries
Link
http://libproxy.rpi.edu/login?url=https://ebookcentral.proquest.com/lib/rpi/detail.action?docID=4711748
Publication
Copyright
Related Contributor
Related Location
Related Agents
Related Authorities
Related Subjects
Carrier category
online resource
Carrier category code
cr
Carrier MARC source
rdacarrier
Color
multicolored
Content category
text
Content type code
txt
Content type MARC source
rdacontent
Contents
  • Front Cover -- Building a Practical Information Security Program -- Copyright -- Contents -- About the Authors -- JASON ANDRESS -- MARK LEARY
  • 0 - Why We Need Security Programs -- WHAT DO WE MEAN WHEN WE SAY INFORMATION SECURITY? -- Confidentiality, Integrity, and Availability Triad -- Confidentiality -- Integrity -- Availability -- Relating the CIA Triad to Security -- Compliance and Risk -- Compliance Based -- Risk Based -- SECURITY FOCUS AREAS -- Technical -- Management -- Board Level -- Industry -- National -- UNDERSTANDING THE THREATS WE FACE -- Motivations and Intent -- External Threats -- Internal Threats -- Regulatory Risks -- BENEFITS OF A FORMAL SECURITY PROGRAM -- Ensure Security of Information Assets -- Cataloging Assets -- Classifying Assets -- Provide a Framework for Security -- Codifies the Desired Security Level -- Provides a Mechanism to Assess Risk -- Helps Mitigate Risk -- Helps Keep Program and Practices Up To Date -- ACTIONS -- References
  • 1 - Develop an Information Security Strategy -- INFORMATION SECURITY STRATEGIC PLANNING PRINCIPLES -- DEVELOP THE ORGANIZATIONAL VISION AND MISSION STATEMENTS -- DESCRIBE THE INFORMATION SECURITY ENVIRONMENT -- DELIVERING THE INFORMATION SECURITY STRATEGIC PLAN -- INFORMATION SECURITY CAPABILITY ROAD MAP DEVELOPMENT -- STAKEHOLDER ENGAGEMENT -- SUMMARY -- ACTIONS
  • 2 - Integrate Security Into the Organization -- UNDERSTAND THE ORGANIZATIONAL SECURITY CULTURE -- INTEGRATE INFORMATION SECURITY INTO BUSINESS PROCESSES -- ESTABLISH INFORMATION SECURITY BUSINESS RELATIONSHIP MANAGEMENT -- SUMMARY -- ACTIONS
  • 3 - Establish a Security Organization -- KEY FACTORS IN DETERMINING THE ORGANIZATIONAL STRUCTURE -- Mission -- Risk Appetite -- Culture -- Size -- Budget -- WHERE SHOULD SECURITY REPORT? -- Inside or Outside of IT -- Operations -- Governance, Risk, and Compliance -- Direct Reporting -- Other Areas -- Ability to Support Security -- RESPONSIBILITIES WITHIN SECURITY -- Bigger Equals More Complex -- CISO/CSO/CIO/CFO/CEO-Relationships and Roles -- Information Security Committee -- Risk -- Privacy -- Responsibility for Data -- Data Steward -- Data Custodian -- Data Owner -- Data User -- RELATIONSHIPS WITH EXTERNAL ORGANIZATIONS AND AUTHORITIES -- Industry -- Other Organizations in the Same Industry -- Industry Bodies -- Auditors -- Law Enforcement and Government -- Local -- Federal -- International -- ACTIONS -- References
  • 4 - Why Information Security Policies? -- ALIGN INFORMATION SECURITY POLICIES TO THE ORGANIZATIONAL PROFILE -- TYPES OF INFORMATION SECURITY POLICIES -- Organizational Policy -- Standards -- Procedures -- Guidelines -- Checklists -- INFORMATION SECURITY POLICY GOVERNANCE AND MANAGEMENT -- Information Security Policy Governance -- Information Security Policy Management -- Policy Development -- Policy Publication -- Policy Management -- Policy Retirement -- SUMMARY -- ACTIONS
  • 5 - Manage the Risks -- DEVELOP A RISK MANAGEMENT FRAMEWORK -- Why We Need a Framework -- Discipline and Structure -- SDLC Integration -- Choosing an Existing Framework -- National Institute for Science and Technology -- International Organization for Standardization -- Federal Information Processing Standard -- Developing a Framework From Scratch -- EVALUATE OBJECTIVES FOR RISK MANAGEMENT -- Business Objectives -- Strategic -- Financial -- Operational -- Compliance -- Security Objectives -- Objectives Inherited From the Business -- Strategic -- Financial -- Operational -- Compliance -- Security-Specific Objectives -- Confidentiality -- Integrity -- Availability -- RESPONDING TO THE RESULTS OF RISK ASSESSMENTS -- Who Decides How to Respond? -- Centralized Risk Groups -- Lines of Business -- Information Security -- Collaborative Groups -- Types of Responses -- Avoid -- Mitigate -- Accept -- Transfer -- COMMUNICATING RISK TO THE BUSINESS -- Communications Channels -- Understand the Business -- Know Who the Stakeholders Are -- Targeting Communication -- Alerting for Issues or Changes -- Alerting Mechanisms -- Conspicuous Alerting -- Alert Fatigue -- Communicating Responsibilities to Users -- Training and Awareness -- Accountability -- Receiving Communications From Users -- Communication Mechanisms -- Setting Expectations -- Incident Reporting -- RISK MANAGEMENT AND CONTROLS -- What Security Controls Provide Us -- Assurance That Requirements Are Met -- Assurance That Risks Are Being Dealt With -- Key Controls -- Establish -- Evaluate -- Effectiveness -- Control Activities -- Monitoring -- Review -- Reporting -- Controls and Audit Findings -- Auditing Against Frameworks -- Audit Findings Centered on Controls -- Auditing How Controls Are Applied -- GAINING MANAGEMENT BUY IN -- Establish Business Relevancy -- Discuss Objectives and How They Will Be Met -- Relate to Compliance -- Be Prepared With Data -- Communicate Needs -- ACTIONS -- References
  • 6 - Protect the Data -- DATA CLASSIFICATION -- Data Sensitivity and Criticality -- ACCESS CONTROL CONSIDERATIONS -- Administrative Controls -- Technical Controls -- Rights Management -- Physical Controls -- PHYSICAL AND ENVIRONMENTAL SECURITY FOR FACILITIES -- Secure Areas -- Badges -- Video -- Equipment -- Protecting Equipment -- Utilities -- Disposal -- ZONES OF TRUST AND CONTROL -- Security Zones -- Implementing Zones -- Network Segmentation -- Access Between Zones -- Limiting Zone Interface Points -- Access Control Lists -- Monitoring -- ENSURING DATA CONFIDENTIALITY -- Where We Use Encryption -- In Motion -- At Rest -- At Use -- MAKING USE OF TESTED TECHNOLOGIES -- Customization -- Why Developing Your Own Encryption Is a Bad Idea -- ACTIONS -- References
  • 7 - Manage the Security of Third Parties and Vendors -- THIRD PARTY AGREEMENTS -- Regulatory Agreements -- Defining Sensitive Data -- Breach Notifications -- Industry-Specific Issues -- Retail -- Education -- Security Agreements -- Information Security Agreement -- Information Privacy Agreement -- Auditing and Monitoring Agreement -- Foreign Corrupt Practices Agreement -- ENSURING COMPLIANCE -- Risk Assessment -- Enforcement Mechanisms -- Auditing and Monitoring -- Third Party Reviews -- Reporting -- Termination -- ACTIONS -- References
  • 8 - Conduct Security Awareness and Training -- PARTNERING WITH STAKEHOLDERS -- Who Are the Stakeholders for Security Training? -- Board of Directors -- Management -- Individual Contributors -- TARGETING TRAINING NEEDS FOR THE AUDIENCE -- Training for All Staff -- Passwords -- Internet Usage -- Social Engineering -- Malware -- Social Media -- Sensitive Data -- Information Security Policies -- Additional Training for Technical Staff -- Information Technology Staff -- Incident Reporting and Response -- Data Protection -- Environmental Security -- Software Development -- Secure Software Development -- Vulnerabilities -- Software Development Life Cycle -- Training for Management -- Compliance -- Sensitive and Regulated Data -- Enforcing Security Policy -- Incident Response -- TRAINING AND AWARENESS METHODS -- Instructor-Led Training -- Computer-Based Training -- Games/Contests -- Security-Related Media -- Giveaways -- EVALUATE THE EFFECTIVENESS OF TRAINING -- Effectiveness Metrics -- Counting Incidents -- Testing Users -- Penetration Testing -- Report on Training Effectiveness -- ACTIONS -- References
  • 9 - Security Compliance Management and Auditing -- ESTABLISHING AN INFORMATION SECURITY COMPLIANCE MANAGEMENT PROGRAM -- PUBLISHING AN INFORMATION SECURITY COMPLIANCE POLICY -- DEPLOY AN INFORMATION SECURITY COMPLIANCE PROCESS -- Step 1: Determine Applicable Security Policies, Laws, and Regulations -- Step 2: Prepare the Information Security Compliance Management Plan -- Step 3: Data Collection and Asset Identification -- Step 4: Perform Risk Analysis -- Step 5: Report Findings and Recommendations -- Step 6: Execute the Implementation Plan -- Step 7: Periodically Monitor, Test, Review, and Modify the Information Security Compliance Management Program -- INFORMATION SECURITY COMPLIANCE MANAGEMENT IN MERGERS AND ACQUISITIONS -- SUMMARY -- ACTIONS
  • 10 - Information Security Program Metrics -- BUILDING THE SECURITY METRICS PROGRAM -- Step 1: Identify the Stakeholders -- Step 2: Define Metrics Program Goals and Objectives -- Step 3: Decide Which Metrics to Report -- ISO 27004:2009-Information Security Management-Measurement -- NIST Special Publication 800-55 Revision 1-Performance Measurement Guide -- Questions Relevant to Meaningfulness -- Questions Relevant to Measurability -- Questions Relevant to Correctness -- Questions Relevant to Usefulness -- Step 4: Establish Targets and Threshold -- Step 5: Develop Strategies for Collecting Metrics Data -- Step 6: Determine How Metrics Will Be Reported -- Step 7: Create a Remediation Action Plan -- Step 8: Conduct a Formal Program Review Cycle -- INFORMATION SECURITY METRICS AND KEY PERFORMANCE INDICATORS -- Examples of Strategic KPIs -- Examples of IT Risk Management KPIs -- Examples of Operational Security KPIs -- EXTERNAL BENCHMARKING -- COMMON OBJECTIONS TO INFORMATION SECURITY METRICS PROGRAMS -- SUMMARY -- ACTIONS -- Reference
  • Index -- A -- B -- C -- D -- E -- F -- G -- H -- I -- J -- K -- L -- M -- N -- O -- P -- R -- S -- T -- U -- V -- Back Cover
Dimensions
unknown
Discovery link
http://opac.lib.rpi.edu/record=b4367877
Extent
1 online resource (204 pages)
Form of item
online
Isbn
9780128020883
Media category
computer
Media MARC source
rdamedia
Media type code
c
Sound
unknown sound
Specific material designation
remote

Library Locations

    • Folsom Library
      110 8th St, Troy, NY, 12180, US
      42.729766 -73.682577