Information Security Management: Concepts and Practice / Edition 1
by Bel G. Raggad
Overview
Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security worldwide, there are few textbooks available that provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs.
An authoritative and practical classroom resource, Information Security Management: Concepts and Practice provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments.
This self-contained text is filled with review questions, workshops, and real-world examples that illustrate effective implementation and security auditing methodologies. It also includes a detailed security auditing methodology students can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment—including the sequential stages needed to maintain virtually air-tight IS management systems that conform to the latest ISO standards.
Product Details
- ISBN-13: 9781420078541
- Publisher: Taylor & Francis
- Publication date: 01/22/2010
- Edition description: New Edition
- Pages: 868
- Product dimensions: 6.40(w) x 9.30(h) x 1.80(d)
Table of Contents
INTRODUCTION
Introduction to Information Security Management
Why Information Security Matters
Information Sensitivity Classification
Information Security Governance
The Computing Environment
Security of Various Components in the Computing Environment
Security Interdependence
CIA Triad
Security Goals versus Business Goals
The Security Star
Parker’s View of Information Security
What Is Information Security Management?
Defense-In-Depth Security
Security Controls
The NSA Triad for Security Assessment
Introduction to Management Concepts
Brief History of Management
Traditional Management Skills and Security Literacy
Managerial Skills
Redefining Mintzberg’s Managerial Roles
Strategic Management Concepts
IS Security Management Activities
Do We Really Need an Independent Information Security Functional Unit?
The Information Security Management Cycle
IS Security Management versus Functional Management
The Information Security Life Cycle
Security Planning in the SLC
Security Analysis
Security Design
Security Implementation
Security Review
Continual Security
SECURITY PLAN
Security Plan
SP Development Guidelines
SP Methodology
Security Policy
Security Policy, Standards, and Guidelines
Security Policy Methodologies
Business Continuity Planning
Business Disruptions
Business Continuity
Disaster Recovery
Responding to Business Disruptions
Developing a BCP
SECURITY ANALYSIS
Security Risk Management
The Risk Management Life Cycle
The Preparation Effort for Risk Management
A Sustainable Security Culture
Information Needed to Manage Risks
Factors Affecting Security Risk
The ALE Risk Methodology
Operational, Functional, and Strategic Risks
Operational Risk Management: Case of the Naval Safety Center
The ABLE Methodology
Continual Security: Integrated Fault-Event Analysis and Response Framework (IFEAR)
IFEAR Methodology
Fault Tree Analysis
Event Tree Analysis
FTA-ETA Integration
Risk Management
Simulation and Sensitivity Analysis
Active Security Assessment
Standards for Active Security Assessment
Limits of Active Security Assessment
Can You Hack Your Own System?
Ethical Hacking of a Computing Environment
Ethics in Ethical Hacking
ASA through Penetration Testing
Strategies for Active Security Assessment
Guidelines and Terms between Testers and the Organization
The Active Security Assessment Project
System Availability
Computer Clustering
Review of Cluster Concepts
Types of Clusters
Web Site Availability
Application Centers No Longer the Only Sound Implementation
Computation of Availability in High-Availability Cluster
Related Availability Definitions
How to Obtain Higher Availability: The Cisco Process Nines’ Availability
Common Configurations for Clusters
Self-Healing and Availability
SECURITY DESIGN
Nominal Security Enhancement Design Based on ISO/IEC 27002
History of the ISO/IEC 27002
ISO/IEC 27002
How to Use the ISO/IEC 27002 to Enhance Security
Measurement and Implementations
Strategies to Enhance the ISO/IEC 27002-Based Security Posture
Comparing the ISO/IEC 27002-Based Security Posture Enhancement Strategies
Technical Security Enhancement Based on ISO/IEC 27001
How Organizations Interact with the Standards
General ISMS Framework
The ISMS Model
The Process Approach Ensures the Continual Improvement of the ISMS
Development of the Information Security Management System
Design of the ISMS
Security Inventory Needs
The Integration of ISMS Subsystems
Self-Assessment for Compliance
Revisiting ISMS Scoping
SECURITY IMPLEMENTATION
Security Solutions
Security Solutions
The NIST Security Solution Taxonomy
The ISO Security Solution Taxonomy
The Common Criteria
The Birth of the Common Criteria
Common Uses of the CC
The CC Document
The CC Security Approach
Information Resource Evaluation Methodology
CC Security Evaluation Programs
The American Model of CC Evaluation Programs
A National Model
Some Other CC Evaluation Requirements
Minicase
SECURITY REVIEW
Security Review through Security Audit
Security Audit Means Different Things to Different People
Some Security Audit Activities
Our Definition of Security Audit
Main Features in Security Audit
Application Audit
How Does Security Audit Relate to the Corporate Security Policy?
Structure of a Security Audit
Security Audit versus IT Auditing
Applicable Security-Related Standards
Security Audit Grades
Privacy Rights, Information Technology, and HIPAA
The Problem of Privacy
The Meaning of Privacy
HIPAA
Regulatory Standards: The Privacy Rule
The HIPAA Security Rule
Administrative Safeguards
NIST on HIPAA
Conducting Effective Risk Analysis
CONTINUAL SECURITY
The Sarbanes–Oxley Act and IT Compliance
Methods of Doing Business
Background of the Sarbanes–Oxley Act
Sarbanes–Oxley Act of 2002
Major Provisions of SO
Management Assessment of Internal Controls and IT Compliance
IT Compliance
International Responses
Advantages to SOX Compliance
Foreign Whistleblowers and SOX
Reconciling SOX and European Conflicting Standards
EU Corporate Governance Initiatives
E.U.’s Eighth Directive
Planning IT Management for SOX: Delayed SOX Impact
Cyberterrorism and Homeland Security
Security Economic Intelligence
Homeland Security
Cyberterrorism in the Literature
Cyberterrorism in the Real World: The FBI Perspective
U.S. Legislative Enactments and Proposed Programs
U.S. Criminal Statutes Affecting the Internet
Statutes and Executive Orders Concerned with Cyberterrorism
International Initiatives
Individual European State Approaches to Security and Counterterrorism
Other International Efforts
Index
Each chapter begins with an Introduction and concludes with a Summary, Review Questions, Workshops, and References