Format Book
Author Whitman, Michael E., 1964-

Title Roadmap to information security : for IT and InfoSec managers / Michael E. Whitman, Herbert J. Mattord
Published Boston, Mass. : Course Technology/Cengage Learning, [2011], ©2011

Copies

Location Call no. Vol. Availability
 W'PONDS  005.8 Whi/Rti  AVAILABLE
 MELB  005.8 Whi/Rti  AVAILABLE
 MELB  005.8 Whi/Rti  AVAILABLE
Description xxix, 523 pages : illustrations ; 24 cm
Contents (machine generated contents note, reassembled in chapter order)
ch. 1 Information Security -- Information Security Defined -- Critical Terminology of Information Security -- The Responsibility for Information Security -- Information Security Categories -- A Model for an Information Security Program -- The Information Security Manager's Checklist
ch. 2 Risk Management and Information Assets -- What Is a Threat? -- Threat Categories -- The Information Security Manager's Checklist
ch. 3 Attacks on Information Assets -- Attacks, Exploits, and Vulnerabilities -- The Information Security Manager's Checklist
ch. 4 Information Technology and Information Security Governance -- The Link Between Governance and Planning -- The Role of Planning -- Precursors to Planning -- Statement of Values -- Mission Statement -- Vision Statement -- Strategic Planning -- Creating the InfoSec Strategic Plan -- Planning Levels -- InfoSec Planning and the CISO -- Planning for Information Security Implementation -- The Security Life Cycle -- Investigation in the SLC -- Analysis in the SLC -- Design in the SLC -- Implementation in the SLC -- Maintenance and Change in the SLC -- Performance Measures -- The Information Security Manager's Checklist
ch. 5 Information Security Roles and Responsibilities -- Information Security Positions -- Chief Information Security Officer (CISO or CSO) -- Security Manager -- Security Technician -- Credentials for Information Security Professionals -- (ISC)² Certifications -- ISACA Certifications -- SANS Global Information Assurance Certifications (GIAC) -- CompTIA's Security+ -- Certification Costs -- Entering the Information Security Profession -- The Information Security Manager's Checklist
ch. 6 Positioning the Information Security Function -- Organizing for Security -- Does Size Matter? -- Security in Large Organizations -- Security in Medium-Sized Organizations -- Security in Small Organizations -- Placing Information Security Within the Organization -- The Information Security Manager's Checklist
ch. 7 Conducting an Information Security Assessment -- Conducting Security Assessments -- Security Controls -- Access Controls (AC) -- Awareness and Training Controls (AT) -- Audit and Accountability Controls (AU) -- Certification, Accreditation, and Security Assessments (CA) -- Configuration Management Controls (CM) -- Contingency Planning Controls (CP) -- Identification and Authentication Controls (IA) -- Incident Response Controls (IR) -- Maintenance Controls (MA) -- Media Protection Controls (MP) -- Physical and Environmental Protection Controls (PE) -- Planning Controls (PL) -- Personnel Security Controls (PS) -- Risk Assessment Controls (RA) -- System and Services Acquisition Controls (SA) -- System and Communication Protection Controls (SC) -- System and Information Integrity Controls (SI) -- Performing the Assessment -- Using the Results -- The Information Security Manager's Checklist
ch. 8 Risk Management -- Risk Management -- Know Ourselves -- Know the Enemy -- Creating an Inventory of Information Assets -- Identifying Hardware, Software, and Network Assets -- Identifying People, Procedures, and Data Assets -- Classifying and Categorizing Assets -- Assessing Values for Information Assets -- Listing Assets in Order of Importance -- Data Classification Model -- Security Clearances -- Management of the Classified Information Asset -- Threat Identification -- Identify and Prioritize Threats and Threat-Agents -- Vulnerability Assessment -- The TVA Worksheet -- The Information Security Manager's Checklist
ch. 9 Risk Management: Risk Assessment -- Vulnerability Risk Model -- Approaches to Risk Assessment -- Likelihood -- Assessing Potential Loss -- Percentage of Risk Mitigated by Current Controls -- Uncertainty -- Risk Determination -- Identify Possible Controls -- Access Controls -- Documenting the Results of Risk Assessment -- Repeat as Required -- The Information Security Manager's Checklist
ch. 10 Risk Management: Risk Control -- Risk Control Strategies -- Self-Protection -- Risk Transfer -- Self-Insurance -- Avoidance -- Managing Risk -- Feasibility Studies and Cost-Benefit Analysis -- Cost-Benefit Analysis -- Other Feasibility Studies -- Alternatives to Feasibility Analysis -- Defending Risk Control Decisions -- The Information Security Manager's Checklist
ch. 11 Alternate Approaches to Risk Management -- The OCTAVE Method -- Important Aspects of the OCTAVE Method -- Phases, Processes, and Activities -- Preparing for the OCTAVE Method -- Phase 1: Build Asset-Based Threat Profiles -- Phase 2: Identify Infrastructure Vulnerabilities -- Phase 3: Develop Security Strategy and Plans -- Microsoft Risk Management Approach -- Assessing Risk -- Conducting Decision Support -- Implementing Controls -- Measuring Program Effectiveness -- Before You Start -- Roles and Responsibilities -- The Information Security Manager's Checklist
ch. 12 Standards for Managing the Information Security Program -- The ISO 27000 Series -- ISO/IEC 27001:2005: The Information Security Management System -- NIST Security Models -- NIST Special Publication 800-12 -- NIST Special Publication 800-14 -- NIST Special Publication 800-18 Rev. 1 -- Other Models -- IETF Security Architecture -- INCITS/CS1 Small Organization Baseline Information Security Handbook (SOBISH) -- Baselining and Best Business Practices -- The Information Security Manager's Checklist
ch. 13 Emerging Trends in Certification and Accreditation -- Information Systems Security Certification and Accreditation -- Certification versus Accreditation -- NIST Guidance on the Certification and Accreditation of Federal Information Technology Systems -- CNSS Guidance on Certification and Accreditation -- ISO 27002 Guidance on Systems Certification and Accreditation -- The Information Security Manager's Checklist
ch. 14 Dealing with Regulatory Compliance and Other Legal Issues -- Law and Ethics in Information Security -- Organizational Liability and the Need for Counsel -- Policy versus Law -- Types of Law -- Major Regulatory Issues Today -- Privacy and HIPAA -- Financial Reporting and SOX -- PCI and GLB -- The Information Security Manager's Checklist
ch. 15 Key Laws for Every IT Security Manager -- Relevant U.S. Laws -- General Computer Crime Laws -- Export and Espionage Laws -- U.S. Copyright Law -- Freedom of Information Act of 1966 (FOIA) -- State and Local Regulations -- International Laws and Legal Bodies -- European Council Cyber-Crime Convention -- Agreement on Trade-Related Aspects of Intellectual Property Rights -- Digital Millennium Copyright Act (DMCA) -- United Nations Charter -- The Information Security Manager's Checklist
ch. 16 Ethics in IT and InfoSec, Who Watches the Watchers? -- Ethics and Motives -- Differences in Ethical Concepts -- The Nine Country Study -- Vulnerability Research and Disclosure -- Ethics and Education -- Deterring Unethical and Illegal Behavior -- Professional Organizations and Their Codes of Ethics -- Ethics and the Profession -- Association of Computing Machinery (ACM) -- International Information Systems Security Certification Consortium, Inc. (ISC)² -- System Administration, Networking, and Security Institute (SANS) -- Information Systems Audit and Control Association (ISACA) -- Information Systems Security Association -- Unified Ethical Framework -- Enforcement -- The Information Security Manager's Checklist
ch. 17 Information Security Policy Development and Implementation -- Information Security Policy, Standards, and Practices -- Definitions -- Enterprise Information Security Policy (EISP) -- EISP Elements -- Policy Management -- Responsible Individual -- Schedule of Reviews -- Review Procedures and Practices -- Policy and Revision Date -- Automated Policy Management -- The Information Security Manager's Checklist
ch. 18 Information Security Policy Types: EISP, ISSP, and SysSP -- Issue-Specific Security Policy (ISSP) -- Statement of Policy -- Authorized Access and Usage of Equipment -- Prohibited Use of Equipment -- Systems Management -- Violations of Policy -- Policy Review and Modification -- Limitations of Liability -- System-Specific Security Policy (SysSP) -- Managerial Guidance SysSPs -- Technical Specifications SysSPs -- Combination SysSPs -- The Information Security Manager's Checklist
ch. 19 Employment Policies and Practices -- Personnel and Security -- Job Descriptions -- Interviews -- Background Checks -- Employment Contracts -- New Hire Orientation -- On-the-Job Security Training -- Evaluating Performance -- Termination -- Security Considerations for Nonemployees -- Temporary Employees -- Contract Employees -- Consultants -- Business Partners -- Internal Control Strategies -- Privacy and the Security of Personnel Data -- The Information Security Manager's Checklist
ch. 20 Security Education Training and Awareness (SETA) -- SETA Overview -- Security Education -- Developing Information Security Curricula -- Security Training -- Customizing Training by User -- Training Techniques -- Security Awareness -- Employee Behavior and Awareness -- Employee Accountability -- Awareness Techniques -- Developing Security Awareness Components -- The Information Security Manager's Checklist
ch. 21 Contingency Planning-Preparing for the Worst -- What Is Contingency Planning? -- Components of Contingency Planning -- Business Impact Analysis -- Timing and Sequence of CP Elements -- Testing Contingency Plans -- The Information Security Manager's Checklist
ch. 22 The Incident Response Plan -- Incident Response Planning -- Incident Response Policy -- The Incident Response Plan -- Preparing to Plan -- Incident Detection -- Incident Classification -- Incident Response -- Incident Recovery -- Law Enforcement Involvement -- The Information Security Manager's Checklist
ch. 23 The Disaster Recovery Plan -- What Is Disaster Recovery? -- DR Policy -- Disaster Classification -- Planning for Disaster -- Crisis Management -- Responding to the Disaster -- Sample Disaster Recovery Plan -- The Information Security Manager's Checklist
ch. 24 The Business Continuity Plan -- Business Resumption Planning -- BC Planning Policy Statement -- Continuity Strategies -- Hot Sites -- Warm Sites -- Cold Sites -- Shared-Use Options -- Implementing the BC Strategy -- Preparation for BC Actions -- Relocation to the Alternate Site -- Return to the Primary Site -- The Information Security Manager's Checklist
ch. 25 Communications and Operations Management -- Networking Fundamentals -- Types of Networks -- Network Standards -- OSI Reference Model and Security -- The Physical Layer -- Data Link Layer -- Network Layer -- Transport Layer -- Session Layer -- Presentation Layer -- Application Layer -- The Internet and TCP/IP -- Application Layer -- Transport Layer -- Internetwork Layer -- Subnet Layers -- Configuration and Change Management -- Technical Configuration Management -- Technical Change Management -- Nontechnical Configuration and Change Management -- Establishing a Change Management Process -- The Information Security Manager's Checklist
ch. 26 Firewalls -- The Development of Firewalls -- Firewall Architectures -- Packet Filtering Routers -- Screened-Host Firewalls -- Dual-Homed Host Firewalls -- Screened-Subnet Firewalls (with DMZ) -- Selecting the Right Firewall -- Managing Firewalls -- The Information Security Manager's Checklist
ch. 27 Remote Access Protection -- First Step: Policy -- Identifying Use Cases -- Consider the Impacts -- Develop Policies -- Technology Selection -- Dial-up -- Virtual Private Networks -- Wireless Networking Protection -- Wired Equivalent Privacy (WEP) -- Wi-Fi Protected Access (WPA) -- Wi-Max -- Managing Wireless Connections -- Implementation Issues -- Deployment and Training -- Audit and Assurance -- The Information Security Manager's Checklist
ch. 28 Intrusion Detection and Prevention Systems -- Intrusion Detection and Prevention System Basics -- IDPS Terminology -- Why Use an IDPS? -- Types of IDPS Systems -- Network-Based IDPS -- Host-Based IDPS -- IDPS Detection Methods -- IDPS Response Behavior -- Deployment and Implementation of an IDPS -- IDPS Control Strategies -- IDPS Deployment -- Honey Pots, Honey Nets, and Padded Cell Systems -- Trap and Trace Systems -- Active Intrusion Prevention -- The Information Security Manager's Checklist
ch. 29 Scanning and Analysis Tools -- The Scanning and Analysis Toolbox -- Port Scanners -- Firewall Analysis Tools -- Operating System Detection Tools -- Vulnerability Scanners -- Packet Sniffers -- Wireless Security Tools -- Insource or Outsource -- The Information Security Manager's Checklist
ch. 30 Cryptography in Theory -- Crypto in Context -- Overview of Cryptography -- Basic Encryption Definitions -- Cipher Methods -- Encryption Key Size -- Using Cryptography -- The Information Security Manager's Checklist
ch. 31 Cryptography in Practice -- Confidentiality with Anonymity -- Public Key Infrastructure (PKI) -- Digital Signatures -- Digital Certificates -- Hybrid Cryptography Systems -- Protocols for Secure Communications -- Securing Internet Communication with SSL -- Securing E-mail with S/MIME, PEM, and PGP -- Securing Web Transactions with SET, SSL/TLS -- Securing Wireless Networks with WEP and WPA -- Securing TCP/IP with IPSec and PGP -- Attacks on Cryptosystems -- Defending from Attacks -- The Information Security Manager's Checklist
ch. 32 Access Controls and Biometrics -- Identification -- Authentication -- Something You Know -- Something You Have -- Something You Are -- Something You Produce -- Somewhere You Are -- Authorization -- Accountability -- Types of Access Control -- Mandatory Access Controls (MACs) -- Nondiscretionary Controls -- Discretionary Access Controls (DACs) -- Data Classification Model -- Management of the Classified Information Asset -- Evaluating Biometrics -- False Reject Rate -- False Accept Rate -- Crossover Error Rate -- Acceptability of Biometrics -- Managing Access Controls -- The Information Security Manager's Checklist
ch. 33 Physical Security -- Physical Security -- Physical Access Controls -- Physical Security Controls -- Physical and Environmental Controls for Computer Rooms -- Fire Security and Safety -- Fire Detection and Response -- Failure of Supporting Utilities and Structural Collapse -- Heating, Ventilation, and Air-Conditioning -- Power Management and Conditioning -- Maintenance of Facility Systems -- Interception of Data -- Mobile and Portable Systems -- Special Considerations for Physical Security Threats -- The Information Security Manager's Checklist
Appendix A Information Security Self-Assessment Checklists
Appendix B Information Security Certification Guidelines-The CISSP/SSCP
Appendix C Information Security Certification Guidelines-The CISM
Summary (from the book jacket)
Features:
Information Security Certification Guidelines: Key topics in the book are mapped to dominant professional certifications, the CISSP (Certified Information Systems Security Professional), SSCP (System Security Certified Professional), and the CISM (Certified Information Security Manager). This resource will facilitate review and study for those seeking certification.
Information Security Self-Assessment Checklists: A set of detailed program assessment questions offers users the opportunity to compare a developing information security program against industry security standards. The checklist is used to help evaluate the state of information security in your organization, determine compliance, and provide guidance on performing continuous improvement.
Technical and Managerial Details Boxes: Interspersed throughout the book, these sections highlight interesting topics and detailed technical issues, giving the reader the option of delving into selected topics more deeply.
The Information Security Manager's Checklist: A handy checklist of issues and considerations drawn from nationally and internationally recognized organizations and experts in the field provides important information to consider when developing or managing an information security program.
This book is geared toward helping information security managers by providing concise guidance on assessing and improving an organization's security. It also addresses the needs of IT managers as they step into their first information security role. This book will help information security managers and IT managers respond in ways that meet the immediate needs and expectations of their organizations and create and maintain a solid information security program.
Bibliography Includes bibliographical references and index
Subject Computer networks -- Security measures -- Management.
Computer security.
Data protection.
Author Mattord, Herbert J.
LC no. 2011925445
ISBN 1435480309
9781435480308