
E-book: IT Security Governance Guidebook with Security Program Metrics on CD-ROM [Taylor & Francis e-book]

(Fred Cohen & Associates, Livermore, California, USA)
  • Format: 202 pages, 8 Tables, black and white; 42 Illustrations, black and white
  • Series: The CISO Toolkit
  • Publication date: 14-Nov-2006
  • Publisher: Auerbach
  • ISBN-13: 9780429134746
  • Taylor & Francis e-book
  • Price: 193,88 €*
  • * price that grants access for an unlimited number of simultaneous users for an unlimited period
  • List price: 276,97 €
  • You save 30%
This guide for chief information security officers (CISOs) of large, complex enterprises begins with a broad overview of the basic structure of information protection programs in enterprises. Next, Cohen provides detailed descriptions of at least one commonly encountered issue faced by CISOs in each area of that structure. The CD-ROM contains a collection of metrics formed from repeatable and comparable measurement that are designed to correspond to the enterprise security governance model. Distributed in the U.S. by Taylor & Francis. Annotation ©2007 Book News, Inc., Portland, OR (booknews.com)

The IT Security Governance Guidebook with Security Program Metrics on CD-ROM provides clear and concise explanations of key issues in information protection, describing the basic structure of information protection and enterprise protection programs. Supported by graphics throughout, the book offers both an overview of the material and detailed explanations of specific issues. The accompanying CD-ROM offers a collection of metrics, formed from repeatable and comparable measurement, that are designed to correspond to the enterprise security governance model provided in the text, allowing an enterprise to measure its overall information protection program.
Executive Summary xi
About This Material xii
Chapter 1 The Structure of Information Protection 1(42)
1.1 A Comprehensive Information Protection Program 1(7)
1.1.1 The Architectural Model 1(2)
1.1.2 Risk Management 3(2)
1.1.3 How the Business Works 5(2)
1.1.4 How Information Technology Protection Works 7(1)
1.1.5 Interdependencies 8(1)
1.1.6 But How Much Is Enough? The Duty to Protect 8(1)
1.2 What Is Information Protection Governance All About? 8(14)
1.2.1 The Goal of Governance 8(2)
1.2.2 What Are the Aspects of Governance? 10(11)
1.2.2.1 Structures 10(1)
1.2.2.2 What Are the Rules? 11(1)
1.2.2.3 Principles and Standards 12(1)
1.2.2.4 Power and Influence 13(2)
1.2.2.5 Funding 15(2)
1.2.2.6 Enforcement Mechanisms 17(3)
1.2.2.7 Appeals Processes and Disputes 20(1)
1.2.3 The Overall Control System 21(1)
1.3 Fitting Protection into Business Structures 22(3)
1.3.1 Fitting In 23(1)
1.3.2 The Theory of Groups 23(1)
1.3.3 What Groups Are Needed 24(1)
1.4 Who Is in Charge and Who Does This Person Work for? 25(5)
1.4.1 The CISO 25(1)
1.4.2 The CISO's Team 25(2)
1.4.3 The Structure of the Groups 27(1)
1.4.4 Meetings and Groups the CISO Chairs or Operates 28(1)
1.4.5 Should the CISO Work for the CIO or Others? 28(2)
1.5 Should the CISO, CPO, CSO, or Others Be Combined? 30(1)
1.5.1 Where Should the CISO Be in the Corporate Structure? 31(1)
1.6 Budgets and Situations 31(3)
1.6.1 Direct Budget for the CISO 31(1)
1.6.2 Identifiable Costs 31(3)
1.7 Enforcement and Appeals Processes 34(2)
1.7.1 Top Management Buy-In and Support 34(1)
1.7.2 Power and Influence and Managing Change 34(1)
1.7.3 Responses to Power and Influence 35(1)
1.7.4 Other Power Issues 35(1)
1.8 The Control System 36(3)
1.8.1 Metrics 37(9)
1.8.1.1 Costs 37(1)
1.8.1.2 Performance 37(1)
1.8.1.3 Time 38(1)
1.8.1.4 Lower-Level Metrics 38(1)
1.9 How Long Will It Take? 39(2)
1.10 Summary 41(2)
Chapter 2 Drill-Down 43(138)
2.1 How the Business Works 44(2)
2.2 The Security Oversight Function 46(2)
2.2.1 Duty to Protect 47(1)
2.2.1.1 Externally Imposed Duties 47(1)
2.2.1.2 Internally Imposed Duties 47(1)
2.2.1.3 Contractual Duties 48(1)
2.3 Risk Management and What to Protect 48(21)
2.3.1 Risk Evaluation 48(4)
2.3.1.1 Consequences 48(1)
2.3.1.2 Threats 49(1)
2.3.1.3 Vulnerabilities 49(1)
2.3.1.4 Interdependencies and Risk Aggregations 50(2)
2.3.2 Risk Treatment 52(1)
2.3.2.1 Risk Acceptance 52(1)
2.3.2.2 Risk Avoidance 52(1)
2.3.2.3 Risk Transfer 52(1)
2.3.2.4 Risk Mitigation 52(1)
2.3.3 What to Protect and How Well 53(1)
2.3.4 The Risk Management Space 53(5)
2.3.4.1 Risk Assessment Methodologies and Limitations 54(1)
2.3.4.2 Matching Surety to Risk 55(3)
2.3.5 Enterprise Risk Management Process: An Example 58(7)
2.3.5.1 The Risk Management Process 59(1)
2.3.5.2 Evaluation Processes to Be Used 60(1)
2.3.5.3 The Order of Analysis 61(1)
2.3.5.4 Selection of Mitigation Approach 62(1)
2.3.5.5 Specific Mitigations 63(1)
2.3.5.6 Specific Issues Mandated by Policy 63(1)
2.3.5.7 A Schedule of Risk Management Activities 63(1)
2.3.5.8 Initial Conditions 64(1)
2.3.5.9 Management's Role 64(1)
2.3.5.10 Reviews to Be Conducted 65(1)
2.3.6 Threat Assessment 65(1)
2.3.7 Fulfilling the Duties to Protect 66(3)
2.4 Security Governance 69(42)
2.4.1 Responsibilities at Organizational Levels 69(1)
2.4.2 Enterprise Security Management Architecture 70(2)
2.4.3 Groups That CISO Meets with or Creates and Chairs 72(9)
2.4.3.1 Top-Level Governance Board 72(1)
2.4.3.2 Business Unit Governance Boards 72(1)
2.4.3.3 Policy, Standards, and Procedures Group and Review Board 73(1)
2.4.3.4 Legal Group and Review Board 74(1)
2.4.3.5 Personnel Security Group and Review Board 74(1)
2.4.3.6 Risk Management Group 75(1)
2.4.3.7 Protection Testing and Change Control Group and Review Board 75(1)
2.4.3.8 Technical Safeguards Group and Review Board 76(1)
2.4.3.9 Zoning Boards and Similar Governance Entities 77(1)
2.4.3.10 Physical Security Group and Review Board 77(1)
2.4.3.11 Incident Handling Group and Review Board 78(1)
2.4.3.12 Audit Group and Review Board 79(1)
2.4.3.13 Awareness and Knowledge Group and Review Board 80(1)
2.4.3.14 Documentation Group 81(1)
2.4.4 Issues Relating to Separation of Duties 81(1)
2.4.5 Understanding and Applying Power and Influence 81(10)
2.4.5.1 Physical Power 81(1)
2.4.5.2 Resource Power 82(1)
2.4.5.3 Positional Power 82(1)
2.4.5.4 Expertise, Personal, and Emotional Power 83(1)
2.4.5.5 Persuasion Model 84(1)
2.4.5.6 Managing Change 85(6)
2.4.6 Organizational Perspectives 91(20)
2.4.6.1 Management 91(1)
2.4.6.2 Policy 92(1)
2.4.6.3 Standards 93(2)
2.4.6.4 Procedures 95(1)
2.4.6.5 Documentation 96(1)
2.4.6.6 Auditing 97(1)
2.4.6.7 Testing and Change Control 97(1)
2.4.6.8 Technical Safeguards: Information Technology 98(3)
2.4.6.9 Personnel 101(1)
2.4.6.10 Incident Handling 102(2)
2.4.6.11 Legal Issues 104(1)
2.4.6.12 Physical Security 105(2)
2.4.6.13 Knowledge 107(1)
2.4.6.14 Awareness 108(2)
2.4.6.15 Organization 110(1)
2.4.6.16 Summary of Perspectives 111(1)
2.5 Control Architecture 111(16)
2.5.1 Protection Objectives 111(7)
2.5.1.1 Integrity 112(1)
2.5.1.2 Availability 113(1)
2.5.1.3 Confidentiality 113(2)
2.5.1.4 Use Control 115(1)
2.5.1.5 Accountability 116(2)
2.5.2 Access Control Architecture 118(1)
2.5.3 Technical Architecture Functional Units and Composites 118(1)
2.5.4 Perimeter Architectures 118(6)
2.5.4.1 Physical Perimeter Architecture 119(3)
2.5.4.2 Logical Perimeter Architecture 122(2)
2.5.4.3 Perimeter Summary 124(1)
2.5.5 Access Process Architecture 124(2)
2.5.5.1 Identification 124(1)
2.5.5.2 Authentication 125(1)
2.5.5.3 Authorization 125(1)
2.5.5.4 Use 126(1)
2.5.6 Change Control Architecture 126(1)
2.5.6.1 Research and Development 126(1)
2.5.6.2 Change Control 127(1)
2.5.6.3 Production 127(1)
2.6 Technical Security Architecture 127(51)
2.6.1 Issues of Context 127(5)
2.6.1.1 Time ("When") 127(1)
2.6.1.2 Location ("Where") 128(1)
2.6.1.3 Purpose ("Why") 129(1)
2.6.1.4 Behaviors ("What") 130(1)
2.6.1.5 Identity ("Who") 130(1)
2.6.1.6 Method ("How") 131(1)
2.6.2 Life Cycles 132(14)
2.6.2.1 Business 132(2)
2.6.2.2 People 134(4)
2.6.2.3 Systems 138(3)
2.6.2.4 Data 141(5)
2.6.3 Protection Process: Data State 146(9)
2.6.3.1 Data at Rest 147(5)
2.6.3.2 Data in Motion 152(2)
2.6.3.3 Data in Use 154(1)
2.6.4 Protection Process: Attack and Defense 155(13)
2.6.4.1 Deter 156(1)
2.6.4.2 Prevent 157(2)
2.6.4.3 Detect 159(4)
2.6.4.4 React 163(2)
2.6.4.5 Adapt 165(2)
2.6.4.6 Detect/React Loop 167(1)
2.6.5 Protection Process: Work Flows 168(4)
2.6.5.1 Work to Be Done 169(1)
2.6.5.2 Process for Completion and Options 169(1)
2.6.5.3 Control Points and Approval Requirements 170(1)
2.6.5.4 Appeals Processes and Escalations 170(1)
2.6.5.5 Authentication Requirements and Mechanisms 170(1)
2.6.5.6 Authorization and Context Limitations 171(1)
2.6.5.7 Work Flow Documentation and Audit 171(1)
2.6.5.8 Control and Validation of the Engine(s) 171(1)
2.6.5.9 Risk Aggregation in the Engine(s) 172(1)
2.6.6 Protective Mechanisms 172(6)
2.6.6.1 Perception 172(1)
2.6.6.2 Structure 173(2)
2.6.6.3 Content Controls 175(1)
2.6.6.4 Behavior 176(2)
2.7 Roll-Up of the Drill-Down 178(3)
Chapter 3 Summary and Conclusions 181(2)
Index 183