Muutke küpsiste eelistusi

Complete Guide to Cybersecurity Risks and Controls [Kõva köide]

2.00/5 (4 hinnangut Goodreads-ist)
(Lawrence Technological University, USA), (Oakland Community College, USA), (Univ. of Detroit Mercy, USA)
  • Formaat: Hardback, 326 pages, kõrgus x laius: 234x156 mm, kaal: 800 g, 70 Illustrations, black and white
  • Sari: Security, Audit and Leadership Series
  • Ilmumisaeg: 04-Apr-2016
  • Kirjastus: Auerbach Publishers Inc.
  • ISBN-10: 1498740545
  • ISBN-13: 9781498740548
Teised raamatud teemal:
Complete Guide to Cybersecurity Risks and ControlsSuurem pilt
  • Formaat: Hardback, 326 pages, kõrgus x laius: 234x156 mm, kaal: 800 g, 70 Illustrations, black and white
  • Sari: Security, Audit and Leadership Series
  • Ilmumisaeg: 04-Apr-2016
  • Kirjastus: Auerbach Publishers Inc.
  • ISBN-10: 1498740545
  • ISBN-13: 9781498740548
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9781498740548.html
Märksõnad:
The Complete Guide to Cybersecurity Risks and Controls presents the fundamental concepts of information and communication technology (ICT) governance and control. In this book, you will learn how to create a working, practical control structure that will ensure the ongoing, day-to-day trustworthiness of ICT systems and data. The book explains how to establish systematic control functions and timely reporting procedures within a standard organizational framework and how to build auditable trust into the routine assurance of ICT operations.

The book is based on the belief that ICT operation is a strategic governance issue rather than a technical concern. With the exponential growth of security breaches and the increasing dependency on external business partners to achieve organizational success, the effective use of ICT governance and enterprise-wide frameworks to guide the implementation of integrated security controls are critical in order to mitigate data theft. Surprisingly, many organizations do not have formal processes or policies to protect their assets from internal or external threats.

The ICT governance and control process establishes a complete and correct set of managerial and technical control behaviors that ensures reliable monitoring and control of ICT operations. The body of knowledge for doing that is explained in this text. This body of knowledge process applies to all operational aspects of ICT responsibilities ranging from upper management policy making and planning, all the way down to basic technology operation.
Preface xi
1 Why Cybersecurity Management Is Important
1(26)
Computing and Culture Shock
1(21)
Six Blind Men and an Elephant
3(2)
What Is Cybersecurity?
5(1)
The Growing Pains of an Emerging Discipline
5(3)
Understanding the Costs and Benefits to an Organization
8(2)
Two Absolute Rules for Cybersecurity Work
10(1)
Why Complete Protection Is Important
10(1)
The Problem of Diversity and Dispersion
11(1)
Introduction: Why Formal Organizational Control Is Crucial
12(2)
Implementing a Strategic Response
14(2)
Frameworks for Ensuring Due Care
16(3)
Process Implementation
19(2)
Monitoring and Accounting for Control Status
21(1)
Chapter Summary
22(2)
Key Concepts
24(1)
Key Terms
24(1)
References
25(2)
2 Control-Based Information Governance, What It Is and How It Works
27(42)
The Value of Formal Control
27(33)
Governance Infrastructures
28(2)
Organizing Things into a Rational Process
30(1)
Security and Control
31(3)
Control Framework Assumptions
34(2)
Introduction: The Problem
36(4)
Information Audit and Control
40(2)
Reasons for Conducting an Audit
42(1)
Conducting an Audit
43(1)
Control Principles
44(6)
Auditing and Validating a Control Infrastructure for a Business
50(1)
Overview of the Auditing Process
51(3)
Audit Management
54(1)
Reporting Problems with Controls: Deficiencies and Weaknesses
55(1)
Auditing Process Steps
56(4)
Chapter Summary
60(6)
Security and Control
61(1)
The Role of Audit
62(2)
Conducting an Audit Process
64(2)
Key Concepts
66(1)
Key Terms
67(1)
References
67(2)
3 A Survey of Control Frameworks, General Structure, and Application
69(38)
What Is Information Security Governance?
70(3)
IT Governance Frameworks---An Overview
73(18)
COSO Framework
73(2)
IT Infrastructure Library Framework
75(2)
ISO 27001
77(2)
COBIT 5
79(1)
National Institute of Standards and Technology
80(4)
Cybersecurity Framework---Improving Critical Infrastructure Cybersecurity
84(2)
Information Security Forum Standard of Good Practice for Information Security
86(2)
Payment Card Industry Data Security Standards
88(3)
SANS Institute
91(1)
IT Security Controls
91(11)
Security Control Organization
94(8)
Chapter Summary
102(2)
Key Terms
104(1)
References
105(2)
4 What Are Controls and Why Are They Important?
107(40)
Picking Up Where
Chapter 1 Left Off
108(1)
Goal-Based Security Controls
109(6)
Preventive Controls
110(1)
Detective Controls
111(1)
Comparing Detection and Prevention Controls
112(1)
Corrective Controls
112(1)
Deterrent Controls
113(1)
Compensating Security Controls
113(1)
Common Security Controls
113(2)
Implementation-Based Security Controls
115(5)
Technical Controls
115(1)
Management Controls
116(1)
Operational Controls
117(1)
Combining Implementation with Goals
117(1)
Tying Security Controls to Architecture
117(3)
The Security Control Formulation and Development Process
120(9)
Categorizing ICT Systems
120(2)
Identifying Information Types
122(1)
Categorization of Information Types
122(1)
Categorization of Information Systems
123(1)
Description of the Information Systems
124(1)
Selection of Security Controls
124(1)
Identification of Common Controls
125(1)
Formal Security Control Selection
126(2)
Milestone: Completion of the Security Plan
128(1)
Implementing Security Controls
128(1)
Setting the Stage for Control Implementation through Security Architecture Design
129(14)
Control Implementation through Security Engineering
130(1)
Security Control Documentation
131(1)
Security Control Assessment
132(2)
Components of Security Control Assessment
134(1)
Conducting Security Control Assessment
135(1)
Authorizing Security Controls
136(1)
Authorization Process
137(1)
Monitoring Security Controls
138(1)
Monitor the System and Environmental Change
139(1)
Conduct Continuous Security Control Assessment
140(1)
Conduct Continuous Remediation Activities
141(1)
Continuously Update the Security Plan and Risk Management Strategy
141(1)
Provide Adequate Security Status Reporting
141(1)
Conduct Ongoing Risk Assessments
142(1)
Chapter Summary
143(1)
Key Concepts
144(1)
Key Terms
144(1)
References
145(2)
5 Implementing a Multitiered Governance and Control Framework in a Business
147(34)
Constructing Practical Systems of Controls
147(19)
Making Information Governance Tangible
148(2)
Control Objectives
150(1)
The Process of Defining and Implementing Security Controls
151(2)
Establishing the Management System
153(2)
Standard Security Principles Derived from Standards
155(7)
Building the Security Control System
162(1)
Initial Setup and Tradeoffs
162(1)
Information Gathering
162(1)
Gap Analysis
163(1)
Risk-Assessment Decision
163(1)
Preliminary Control Baseline
163(1)
Resource Tradeoff
163(1)
Selection of Final Control Set
164(1)
Refinement of the Control Baseline
164(1)
Certification
164(2)
Practical Implementation: How to Establish a Real, Working Control Framework
166(7)
Ensuring Long-Term Control Capability
173(1)
Chapter Summary
174(4)
Key Concepts
178(1)
Key Terms
178(1)
References
179(2)
6 Risk Management and Prioritization Using a Control Perspective
181(32)
Ensuring that Risk Management Process Supports the Organization
181(2)
Five Elements of the Risk Management Process
183(24)
How the Risk Management Plan Uses the Risk Profile
187(1)
Conducting a Risk Assessment in Support of Planning
188(1)
Implementing a Managed Risk Control Process
189(2)
Generic Approaches to Risk
191(1)
Planning for Effective Risk Management
192(2)
Sensitivity of the Information versus Rigor of the Controls
194(2)
Writing the Risk Management Plan
196(1)
Coordinated Approach to Risk Management
196(2)
Ensuring an Effective Set of Risk Controls
198(1)
Risk Management Controls
199(1)
Control Types: Management Controls
199(1)
Control Types: Technical Controls
200(1)
Practical Steps to Implement a Security Control
200(2)
Modeling Risks for Prioritization
202(1)
Risk Management and Operational Evaluation of Change
203(1)
Evaluating the Overall Policy Guidance
204(1)
Program Management Reviews
205(2)
Chapter Summary
207(3)
Key Concepts
210(1)
Key Terms
211(2)
7 Control Formulation and Implementation Process
213(36)
The Control Formulation Process
213(6)
Control Frameworks
216(1)
Standard Control Requirements
217(2)
Creating and Documenting Control Objectives
219(2)
Creating a Management-Level Control Process
221(6)
Assessing Control Performance
227(1)
Measurement-Based Assurance of Controls
228(5)
Assessing and Remediating the Control Environment
233(3)
Developing a Comprehensive ICT Security Control Program
236(6)
Explicitly Controlling ICT Work
238(1)
Assessing the Adequacy of ICT Controls
239(1)
Dealing with Control Risks
240(2)
Chapter Summary
242(4)
Key Concepts
246(1)
Key Terms
247(2)
8 Security Control Validation and Verification
249(34)
Security Control Assessment Fundamentals
251(6)
Fitting Security Control Assessment within the SDLC
252(2)
Adequate Control Implementation: The Proof Is in the Pudding
254(1)
Security Control Validation and Verification Procedures and Methodologies
255(2)
NIST Security Control Assessment Process
257(9)
Task 1 Preparing for Security and Privacy Control Assessments
257(5)
Task 2 Developing Security and Privacy Assessment Plans
262(2)
Task 3 Conducting Security and Privacy Assessments
264(1)
Task 4 Analyzing Assessment Reports
265(1)
Control Testing and Examination Application
266(13)
Distinguishing between Testing and Examination
266(1)
Common Types of Operational and Technical Security Tests
267(1)
Blind Testing
268(1)
Double-Blind Testing
268(1)
Gray Box Testing
269(1)
Double--Gray Box Testing
270(1)
Tandem Testing
271(1)
Reversal Testing
271(1)
Common Operational and Technical Security Examination Techniques
271(2)
Document Review
273(1)
Log Review
274(1)
Ruleset Review
275(1)
System Configuration Review
276(1)
Network Sniffing
277(1)
File Integrity Checking
278(1)
Chapter Summary
279(1)
Key Terms
280(1)
References
281(2)
9 Control Framework Sustainment and Security of Operations
283(34)
Operational Control Assurance: Aligning Purpose with Practice
283(5)
Ensuring the Long-Term Integrity of the Control Set
285(3)
Operational Assurance (Sensing)
288(4)
Analysis
292(3)
Reporting
294(1)
Response Management (Responding)
295(7)
Change Control
297(1)
Postchange Analysis
298(1)
Change Assurance
298(2)
Change Reintegration into the Operational Environment
300(1)
Configuration Management
300(1)
Recertification and Accreditation of Change
301(1)
Secure Migration or Retirement of a Control System
302(1)
Operational Oversight and Infrastructure Assurance of Control Set Integrity
302(10)
Control Architecture
303(2)
Planning---Establishing the Routine Control Operations Process
305(5)
Rationally Managing the Configuration of the Control Set
310(2)
Chapter Summary
312(2)
Key Concepts
314(1)
Key Terms
314(1)
Reference
315(2)
Index 317
Anne Kohnke, PhD, is an assistant professor of IT at Lawrence Technological University and teaches courses in both the information technology and organization development/change management disciplines at the bachelor through doctorate levels. Anne started as an adjunct professor in 2002 and joined the faculty full time in 2011. Her IT career started in the mid-1980s on a help desk, and over the years, Anne developed technical proficiency as a database administrator, network engineer, systems analyst, and technical project manager. After a decade, Anne was promoted to management and worked as an IT director, vice president of IT and chief information security officer (CISO). Her research focuses on cybersecurity, risk management, IT governance, and security countermeasures. Anne earned her PhD from Benedictine University.

Daniel P. Shoemaker, PhD, is principal investigator and senior research scientist at the University of Detroit Mercys Center for Cyber Security and Intelligence Studies. Dan has served 30 years as a professor at UDM with 25 of those years as department chair. He served as a co-chair for both the Workforce Training and Education and the Software and Supply Chain Assurance Initiatives for the Department of Homeland Security, and was a subject matter expert for the NICE Cybersecurity Workforce Framework 2.0. Dan has coauthored six books in the field of cybersecurity and has authored more than one hundred journal publications. Dan earned his PhD from the University of Michigan.

Ken Sigler, MS, is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. His primary research is in the areas of software management, software assurance, and cloud computing. He developed the colleges CIS program option entitled "Information Technologies for Homeland Security." Until 2007, Ken served as the liaison for the college to the International Cybersecurity Education Coalition (ICSEC), of which he is one of three founding members. Ken is a member of IEEE, the Distributed Management Task Force (DMTF), and the Association for Information Systems (AIS).