
Cybersecurity: The Essential Body Of Knowledge New edition [Paperback]

Dan Shoemaker (University of Detroit Mercy), Wm. Arthur Conklin (University of Houston)
  • Format: Paperback / softback, 528 pages, height x width x thickness: 22x185x231 mm, weight: 839 g
  • Publication date: 17-May-2011
  • Publisher: Delmar Cengage Learning
  • ISBN-10: 1435481690
  • ISBN-13: 9781435481695
CYBERSECURITY: THE ESSENTIAL BODY OF KNOWLEDGE provides a comprehensive, trustworthy framework of practices for assuring information security. This book is organized to help readers understand how the various roles and functions within cybersecurity practice can be combined and leveraged to produce a secure organization.

In this unique book, concepts are not presented as stagnant theory; instead, the content is interwoven in a real world adventure story that runs throughout. In the story, a fictional company experiences numerous pitfalls of cyber security and the reader is immersed in the everyday practice of securing the company through various characters' efforts. This approach grabs learners' attention and assists them in visualizing the application of the content to real-world issues that they will face in their professional life.

Derived from the Department of Homeland Security's Essential Body of Knowledge (EBK) for IT Security, this book is an indispensable resource dedicated to understanding the framework, roles, and competencies involved with information security.


Section I: BACKGROUND
  1. The Field of Cyber Security
  2. The DHS EBK Initiative
  3. Applying the EBK
Section II: EBK ROLES AND REQUIRED CAPABILITIES
  4. The Executive role
  5. The Functional role
  6. The Corollary role
Section III: THE 14 AREAS OF INFORMATION SECURITY
  7. Data Security
  8. Digital Forensics
  9. Enterprise Continuity
  10. Incident Management
  11. IT Security Training and Awareness
  12. IT Systems Operations and Maintenance
  13. Network and Telecommunications Security
  14. Personnel Security
  15. Physical and Environmental Security
  16. Procurement
  17. Regulatory and Standards Compliance
  18. Security Risk Management
  19. Strategic Security Management
  20. System and Application Security

Preface
Chapter 1 Information Security Is Important
  The Story Begins: Zero Hour
  Assuring Information: Failure Is Never an Option
  Body of Knowledge
  Two Common Sense Assumptions for Cybersecurity
  The Attack Builds: Hours 20 to 36
  Instilling Order in a Virtual World
  Coordination of Efforts and Intent
  Information Diversity and Dispersion
  Picking up the Pieces: Hours 36 to 72
  Strategic Governance Processes
  Creating a Strategic Governance Process
  Strategic Planning and the Strategic Governance Process
  The Story Concludes: A New Paradigm
  A Standard Model for Ensuring Best Practice in Cybersecurity
  The DHS Essential Body of Knowledge
  Finding an Appropriate Model
  The National Strategy to Secure Cyberspace
  The National Security Professional Development Program
  The Federal Information Security Management Act (FISMA)
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 2 A Global Roadmap for Security
  Narrowing the Search: More Questions
  EBK Competency Areas
  Fifty-three Critical Work Functions
  Fourteen Competency Areas
  Getting Real: Focusing on Implementation
  Roles in the EBK
  Organization of Roles in the EBK Framework
  Executive Roles
  Functional Roles
  Corollary Roles
  Common Functions
  The Story Continues: It's Never As Easy As It Seems
  Converting Roles, Competencies, and Functions into an Actionable Plan
  The Importance of Planning
  The Story Evolves: Learning How to Make Adjustments
  Adapting the EBK to the Actual Situation
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 3 Adapting Best Practice: Tailoring a Solution That Fits
  The Story Changes Venues: The Road to Singapore
  Walking the Talk
  The Story Progresses: A New Day in Singapore
  Developing Solutions from the EBK
  Context
  Scope
  Availability of Resources
  The Singapore Team: Turning Concepts into Practice
  The Chief Information Security Officer
  Tailored Operating Procedures for the CISO Role
  Wrapping Up in Singapore: Tailoring the CISO Role
  Example: Model EBK-Based Procedures for Two Positions
  Another Aspect: Tailoring a Process from Parts of Jobs
  Defining Requirements for a Non-EBK Role
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 4 Defining the Company's Executive Roles
  Meanwhile, Back in the States...
  Assigning Competencies to Roles
  Assessing the Role of the Boss
  Defining the Role of the Chief Information Officer
  The CIO and Management of Data Security
  The CIO and Management of Enterprise Continuity
  The CIO and Incident Management
  The CIO and IT Training and Awareness
  The CIO and Physical and Environmental Security
  The CIO and Management of Procurement
  The CIO and the Management and Evaluation of Legal, Regulatory, and Standards Compliance
  The CIO and the Management and Evaluation of Security Risk Programs
  The CIO and the Management of the Strategic Management Function
  The CIO and the Management of System and Application Security Programs
  Assessing the Architect's New Role
  Leading the Data Security Function: The Information Security Officer
  The Information Security Officer and the Management of Data Security
  The ISO and the Management and Design of Digital Forensics Programs
  The ISO Role and the Management of Enterprise Continuity
  The ISO and Incident Management
  The ISO and the Management of IT Training and Awareness
  The ISO and the Management of the Physical and Environmental Security Function
  The ISO and the Management of Acquisitions
  The ISO and the Management and Evaluation of Legal, Regulatory, and Standards Compliance
  The ISO and the Management and Evaluation of Security Risk Programs
  The ISO and the Management, Design, and Evaluation of Strategic Management Programs
  The ISO and the Management of System and Application Security Programs
  Ensuring the Corporate Commitment to Security: A New Breed of Security Manager
  Enforcing the Rules: The IT Security Compliance Officer
  The SCO and Data Security Compliance
  The SCO and Compliance for Digital Forensics
  The SCO and the Evaluation of Enterprise Continuity for Compliance
  The SCO and the Evaluation of Incident Management for Compliance
  The SCO and the Evaluation of IT Systems Operations and Maintenance for Compliance
  The SCO and the Evaluation of Network and Telecommunications Security for Compliance
  Evaluation of Personnel Security for Compliance
  The SCO and the Evaluation of IT Training and Awareness for Compliance
  The SCO and the Evaluation of Physical and Environmental Security for Compliance
  The SCO and the Evaluation of Procurement for Compliance
  The SCO and the Design, Implementation, and Evaluation of Legal, Regulatory, and Standards Compliance Processes
  The SCO and the Implementation and Evaluation of Security Risk Programs for Compliance
  The SCO and the Evaluation of Strategic Management Programs for Compliance
  The SCO and the Evaluation of System and Application Security Programs for Compliance
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 5 Defining the Company's Functional Security Roles
  Building the Information Security Team
  The Digital Forensics Professional Role
  Daily Tasks
  Operational Duties
  The Digital Forensics Professional and the Assurance of the Integrity of Forensic Investigations
  Incident Management Controls
  On the Job with a Digital Forensics Professional
  Network and Telecommunications Security
  Evaluation of Procurement Processes for Forensic Concerns
  Risk Management Procedures
  Designing the Security Response: The IT Security Engineer
  The IT Security Engineer Role
  Data Security Processes
  IT Systems Operations and Maintenance Processes
  Network and Telecommunications Security Processes
  Risk Management Procedures for the Company
  System and Application Security
  The Perils of Day-to-Day Monitoring
  On the Job with an IT Security Operations and Maintenance Professional
  Data Security
  Digital Forensics
  Enterprise Continuity
  Incident Management
  Incident Response
  Systems Operations and Maintenance
  Network and Telecommunications
  Operational Aspects of Procurement
  Security Risk Programs
  System and Application Security
  Doing the Actual Work of Security: The IT Security Professional
  On the Job with an IT Security Professional
  Data Security
  Enterprise Continuity Programs
  Incident Management Programs
  Security Training and Awareness Programs
  Personnel Security Programs
  Physical and Environmental Security Programs
  Regulatory and Standards Compliance Process
  Risk Management Programs
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 6 Defining the Corollary Roles for Security
  Including Security Functions from Other Areas
  Ensuring the Physical Protection of Information
  Physical Security Professional
  The Physical Security Specialist and the Design and Implementation of Enterprise Continuity Programs
  The Physical Security Specialist and the Implementation of Physical Security Incident Management Controls
  The Physical Security Specialist and the Design and Evaluation of Physical Security Aspects of Personnel Security
  The Physical Security Specialist and the Design and Evaluation of the Physical and Environmental Security Program
  The Physical Security Specialist and the Design, Implementation, and Evaluation of Risk Management Programs
  Keeping the Company Liability-Free
  Privacy Professional
  The Privacy Specialist and the Design and Evaluation of Data Security for Privacy Considerations
  The Privacy Specialist and the Design and Evaluation of Incident Management Programs
  The Privacy Specialist and the Design, Implementation, and Evaluation of IT Security Training and Awareness Programs
  The Privacy Specialist and the Design and Evaluation of Personnel Security Programs to Ensure Privacy
  The Privacy Specialist and the Management, Design, Implementation, and Evaluation of Legal, Regulatory, and Standards Compliance
  The Privacy Specialist and the Management, Design, Implementation and Evaluation of Risk Management Programs for Privacy
  Ensuring the Security of the Things That the Organization Buys
  Procurement Professional
  The Procurement Specialist and the Management, Design, Implementation, and Evaluation of Secure Procurement Processes
  Procurement as a Major Organizational Function
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 7 The Data Security Competency
  Rewinding the Story Back to the Start: Defining the Required Competencies
  Data Security: The Manage Function
  Data Security and Policy Assurance
  Designing an Effective Approach to Assuring Trusted Access
  The Identification Principle and Data Security
  The Authentication Principle and Data Security
  Ensuring Tighter Security Through Multifactor Authentication
  Designing Data Security into the Operation
  Turning Policy into Concrete Practice
  Factoring Risk into the Development of Policy
  Asset Baseline Formulation: Identifying What Has to Be Protected
  Understanding Priorities Through Risk Analysis
  Aligning Policy to Priority and Implementing Controls
  Ensuring Optimum Resource Allocation
  Classification
  Privilege
  Managing the Automated Data Security Process: Account Management
  Standard Models for Securing Data
  Criterion-Based Access Control
  Policy-Based Access Control
  Strict Control: The Mandatory Access Control Model
  Controlling Access Through Assignment: Discretionary Access Control
  Controlling Access by Type: Role-Based Access Control
  Data Security: The Implement Function
  Establishing Effective, Operational Intrusion Detection
  Incident Reporting and Operational Response
  Cryptography: Another Part of the Data Security Puzzle
  Keys and Algorithms
  Cryptography for the Masses: Public Key Infrastructures
  Data Security: The Evaluate Function
  Data Security and the Maintenance of Continuous Effectiveness
  The Data Security Evaluation Plan
  Maintaining a Record Through Status Accounting
  Status Accounting and the Assessment of Control Performance
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 8 The Digital Forensics Competency
  The CIO Gets a Monday Morning Surprise
  Ensuring the Integrity of the Process
  Creating a Trustworthy and Sustainable Forensics Function
  Meanwhile, Back at the Bat Cave, the Forensics People Start the Ball Rolling
  Creating a Digital Forensics Process
  Putting Forensics on an Operational Footing
  Reconstructing Events
  Managing the Forensics Process Through Evaluation
  Ensuring Correctness Through Routine Evaluations
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 9 The Enterprise Continuity Competency
  1500 Hrs. on a Wednesday Afternoon
  Continuity Management: Ensuring Effective Recovery from an Adverse Event
  Friday 0900
  Successful Preparation Is No Accident
  Identifying Contingencies to Address
  Preparedness Planning
  The Role of Estimation Methods and Tools in Planning
  Preparing and Maintaining an Effective Response
  Risk Assessment and Preparedness Planning
  Successful Recovery Is No Walk in the Park
  Anticipating Disasters
  Documenting a Recovery Plan
  Friday 0950: The CIO Discovers the Advantages of a Solid Plan
  Drawing the Right Set of Assumptions
  Two Essential Factors in the Development of the Continuity Plan
  Creating a Practical Enterprise Continuity Process
  Identification and Prioritization of Protected Functions
  Designing the Continuity Solution
  Ensuring that Everybody Knows What to Do
  Friday 14:00: The Plan Gets Implemented
  Deploying the Enterprise Continuity Process
  Ensuring Continuous Availability Through Redundancy
  Total Redundancy: Data Recovery Hotsites
  Partial Redundancy: Data Recovery Warmsites
  Simple Operational Redundancy: Data Recovery Coldsites
  Monday 0900: The Lights Come Back On
  Ensuring the Continuing Effectiveness of Enterprise Continuity Process
  Looking at the Consequences
  Understanding the Impact of Threats
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 10 The Incident Management Competency
  Ensuring That the Company Dodges the Bullet
  Considerations in the Incident Management Process
  Foreseen and Unforeseen Events
  Keeping Watch: Monitoring and Incident Identification
  Getting the Incident Report to the Right People
  Potential Incidents and Active Incidents
  Establishing a Structured Response
  Arraying Resources to Ensure the Right Level of Response
  Formulating the IRT
  Managing the IRT
  The Right Strategy Emerges
  Creating a Systematic Response
  Developing Baseline Metrics
  The CISO Steps up to the Plate
  Planning for Incident Management
  Making Incident Management Routine
  Incident Response and Data
  Containment Considerations: The Problem of Dependencies
  Automating the Incident Management Process
  Ensuring Consistent Execution
  Auditing and the Incident Management Process
  The Audit Function and Assessment of Performance
  Conducting an Audit
  Ensuring the Correctness of Audit Evidence
  Penetration Testing: A Different Type of Audit
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 11 IT Security Training and Awareness
  The Human Factor Is Always a Problem
  Ensuring Secure Behavior
  The Broad Focus of Awareness
  The Narrower Focus of Training
  Motivating Consistent Performance
  Building a Knowledgeable Workforce
  Designing the Training and Awareness Program
  Routine Tasks
  Operational Duties
  Management Practice
  Training and Awareness: A Constant Evolution
  Who Receives Training?
  The Role of Discipline
  The Role of Knowledge and Capability
  Data and Feedback
  Ensuring Disciplined Practice
  Moving the Training Function up the Ladder of Success
  Determining the Actual Training Needs
  Implementing a Capability Maturity Process
  Recognition
  Informal Practice
  Security Management
  Deliberate Control
  Ensuring Continuous Effectiveness
  Establishing an Effective Review Process
  Defining and Enforcing Proper Procedure
  Ensuring that the Training Process Is Sustainable
  Improving the Process Through Assessment
  Review Data as an Organizational Resource
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 12 Securing the IT Systems Operations and Maintenance Function
  Getting the Concept into Practice
  Establishing a Coherent Process: Strategic Planning
  Implementing the Process: The Operational Security Plan
  Designing the Operational Security Function
  Designing a Controls Framework
  Human Factors: Ensuring Proper Performance
  Technology: Ensuring Proper Support
  Establishing Reliable Day-to-Day Security
  Turning Operational Security into a Process
  Implementing the Security of Operations Process
  Identifying and Reporting Incidents
  Performing an Effective Analysis
  Maintaining Operational Capability
  Evaluating Everyday Risk
  Ensuring a Secure Architecture
  Management Data and the Security of Operations Function
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 13 Network and Telecommunications Security
  Back in Familiar Territory
  Creating a Managed Network
  Acceptable Use Policies
  Remote Access Policies
  Network Security Control Policies
  Culture Always Comes First
  Defining the Boundaries of Trust
  Policy Development for Network Components
  Policy Development and the Secure Network Design
  Putting the Pieces Together
  Implementing the Network Security Function
  Network Security Devices: The Firewall
  Software-Based IDSs
  Staying on Top of Change
  Ensuring the Security Is Always Up to Date
  Attacking Your Own Network
  Read Your Security Audit Reports
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 14 Personnel Security
  The People Problem
  Planning for Personnel Security
  Defining the Boundaries of Control
  Identifying Personnel Security Functions Based on Risk
  Ensuring Reliable Behavior
  Managing Change to the Workforce
  Documenting the Personnel Security Function
  The Special Situation of Contractors
  Making Personnel Security Real
  Screening and Hiring Personnel
  Job Definition: Building Security In
  Background Screening and Hiring
  The Special Circumstance of Clearance Levels
  Managing the Personnel Security Process
  Defining the Principles of Control
  Implementing the Personnel Security Process
  Practical Considerations for Implementing Security
  Implementing Trust Through the Screening Process
  Workforce Training and Education
  Keeping Identities Up to Date
  Personnel Changes
  Evaluating the Success of the Process
  Evaluating Formal Codes of Conduct
  Personnel Reviews
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 15 Physical Security
  Bridging the Great Divide
  The Physical Security Plan
  Defining Protected Space
  The Physical Security Process
  Physical Security Threat Assessments
  Designing for Physical Protection
  Incorporating Physical Security into the Information Protection Scheme
  Threat Identification and Strategy
  Maintaining Secure Access
  Establishing the Right Internal Countermeasures
  Ensuring Against Malicious Actions in the Secure Space
  Understanding the Variables in Physical Access Control
  Meshing the Controls with the Plan
  Implementing the Measures to Control Access
  Perimeter Controls: Barriers
  Perimeter Controls: Locks
  Intrusion Detection in the Physical Space
  Evaluating the Physical Security Process
  How to Measure Success – Conventionally and Otherwise
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 16 Procurement
  Surviving the Supply Chain
  Making the Business and Assurance Case
  Factoring Risk into the Process
  Developing the Request for Proposals
  Selecting the Right Supplier
  Developing the Procurement Plan
  Designing an Effective Procurement System
  Incorporating Security into the Process
  Understanding the Constraints
  Formulating the Contract
  Administering the Contract
  Implementing Effective Supply Chains
  Developing the Assurance Framework
  Using Standard Assessment to Identify Trusted Suppliers
  Evaluating Capability: Defining the Process Dimension
  Evaluating Performance: The Capability Dimension
  Evaluating the Procurement Process
  Types of Reviews
  The Security Review Process
  Launching the Security Review Program
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 17 Legal and Regulatory Compliance
  The CEO Learns the Facts of Life
  Compliance and Coordination
  Building Management Control
  The Need for a Comprehensive Approach
  Planning for Control
  Control Objectives and Procedures
  Sorting Out Complexity in Compliance Management
  Developing Meaningful Metrics
  The Compliance Officer Goes for a Run
  Designing from Policy to Practice
  Tailoring Compliance
  Defining Concrete Policies
  Refining Control Statements
  An Example of the Functional Decomposition Process
  Documenting Work Practices
  The Compliance Officer Gets up Early
  Finding Out What You Need to Have
  Step One: Control Environment
  Step Two: Assessment of Risks
  Step Three: Instituting the Proper Controls
  Step Four: Assessing the Effectiveness of the Control Set
  Step Five: Documenting the Finished Product
  The Compliance Officer Gets a New Job
  Evaluation Programs and Compliance
  Audits and Enforcement
  Managing and Improving the Compliance Process
  Critical Success Factors
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 18 The Risk Management Competency
  The CEO Gets Nervous
  Ensuring That Risk Management Supports Business Goals
  The Risk Management Plan
  Implementing a Managed Process
  Risk-Handling Strategies
  Setting Up the Risk Management Planning Process
  The CISO Designs a Castle
  The Coordinated Approach to Risk Management
  Risk Management Planning and Risk Assessments
  Conducting a Risk Assessment in Support of Planning
  Designing for Effective Risk Management
  Risk Management Controls
  Implementing Risk Management
  Targeting the Security Controls
  Modeling Risks for Prioritization
  Measuring the Risk Management Process
  The CISO and His Team Go All-In
  Risk Management and Operational Evaluation of Change
  Evaluating the Overall Guidance
  Program Management Review
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 19 Strategic Management
  Looking at the Long Term
  Keeping the Process Coherent
  Ensuring Cooperation Across Functions
  Creating a Strategic Management Model
  Organizing for Proper Alignment
  Thinking Through What to Protect
  Integrating Cultures as Well as Process
  Designing for Governance
  Establishing Control
  Governance Structures
  Developing a Governance Process
  Planning for Governance
  A Framework for Strategic Management
  Ensuring the Strategic Perspective
  Control Objectives and Business Goals
  Defining Control Objectives
  Steps to Evaluate Control
  The Details of Implementation
  Making Strategy Quantitative
  Making Informed Decisions
  Ensuring Performance
  Evolving the Organization
  Assessing Organizational Capability
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Chapter 20 System and Application Security
  Conflicts Happen
  Security in the Lifecycle
  Adopting a Top-Down Perspective
  Measurement against Benchmarks
  Identifying and Judging Risks
  Eliminating Hidden Problems
  Aligning Processes
  Ensuring Better Resource Allocation
  The CISO Plans an Attack
  Security Policies and Design
  Building the Operational Framework
  Coordination of the Process and Planning For Security
  The CISO Takes a Meeting
  Implementing the Process
  Human Considerations
  Establishing the Overall Operation
  Launching the Program
  Establishing the Application and System Security Plan
  Application and System Security Product Assurance
  Application and System Security Process Assurance
  Creating an Information-Based Management Process
  Monitoring Security Status
  Launching a Comprehensive Evaluation Process
  Implementing the Process
  Assurance of Process
  Getting the Participants on the Same Page
  Scheduling and Holding Joint Reviews
  Project Status Monitoring
  Chapter Summary
  Key Terms
  Questions from the CIO
  Hands-On Projects
Appendix A Operating Scenario: Humongous Holdings
Glossary
Index
Dan Shoemaker is a professor and senior research scientist at the Center for Cyber Security and Intelligence Studies, a National Security Agency (NSA) Center of Academic Excellence, at the University of Detroit Mercy (UDM). He also served as chair of the Computer and Information Systems Department at UDM for 25 years and holds a visiting appointment at London South Bank University. Dr. Shoemaker is co-chair of the Software Assurance Workforce Training and Education working group within the Department of Homeland Security's National Cybersecurity Division (NCSD). He has also served the NCSD as a member of the working group that developed its Essential Body of Knowledge, and as an expert panelist on three national working groups. A prolific author, Dr. Shoemaker is one of three domain editors for the Software Assurance Common Body of Knowledge. He lectures internationally on cybersecurity, information assurance, and software engineering topics, and he founded the International Cybersecurity Education Coalition (ICSEC) to connect higher education institutions and expand teaching of standard information assurance curricula throughout the Midwest. Dr. Shoemaker is the recipient of the Michigan Homeland Security annual Statewide award for Educators (2007).

Wm. Arthur Conklin is an Assistant Professor and Director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He received his Ph.D. in Business Administration from The University of Texas at San Antonio (UTSA). He holds Security+, CISSP, CSSLP, IAM and IEM certifications. His research interests include the use of systems theory to explore information security, specifically in Cyber Physical Systems. He has an extensive background in secure coding and is a co-chair of the DHS Software Assurance Forum working group for workforce education, training and development.