Muutke küpsiste eelistusi

IT Security Risk Control Management: An Audit Preparation Plan 1st ed. [Pehme köide]

4.12/5 (8 hinnangut Goodreads-ist)
  • Formaat: Paperback / softback, 311 pages, kõrgus x laius: 254x178 mm, kaal: 662 g, 11 Illustrations, color; 22 Illustrations, black and white; XXXI, 311 p. 33 illus., 11 illus. in color., 1 Paperback / softback
  • Ilmumisaeg: 15-Sep-2016
  • Kirjastus: APress
  • ISBN-10: 1484221397
  • ISBN-13: 9781484221396
Teised raamatud teemal:
  • Pehme köide
  • Hind: 62,59 €*
  • * hind on lõplik, st. muud allahindlused enam ei rakendu
  • Tavahind: 73,64 €
  • Säästad 15%
  • Raamatu kohalejõudmiseks kirjastusest kulub orienteeruvalt 2-4 nädalat
  • Kogus:
  • Lisa ostukorvi
  • Tasuta tarne
  • Tellimisaeg 2-4 nädalat
  • Lisa soovinimekirja
IT Security Risk Control Management: An Audit Preparation Plan 1st ed.Suurem pilt
  • Formaat: Paperback / softback, 311 pages, kõrgus x laius: 254x178 mm, kaal: 662 g, 11 Illustrations, color; 22 Illustrations, black and white; XXXI, 311 p. 33 illus., 11 illus. in color., 1 Paperback / softback
  • Ilmumisaeg: 15-Sep-2016
  • Kirjastus: APress
  • ISBN-10: 1484221397
  • ISBN-13: 9781484221396
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9781484221396.html
Märksõnad:

This book explains how to construct an information security program, from inception to audit, with enduring, practical, hands-on advice and actionable behavior for IT professionals.  Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking.

IT Security Risk Control Management provides step-by-step guidance on how to craft a security program that will fit neatly into an organization and change dynamically to suit both the needs of the organization and survive constant changing threats.  Readers will understand the paradoxes of information security and discover handy tools that hook security controls into business processes. 

With this book, you will be able to equip your security program to prepare for and pass such common audits as PCI, SSAE-16 and ISO 27001. In addition, you will learn the depth and breadth of the expertise necessary to become an adaptive and effective security professional. This book:

  • Starts at the beginning of how to approach, scope, and customize a security program to fit an organization.
  • Walks you through how to implement the most challenging processes, pointing out common pitfalls and distractions.
  • Teaches you how to frame security and risk issues to be clear and actionable to decision makers, technical personnel, and users.

What you’ll learn

  • How to organically grow a useful, functional security program appropriate to an organization's culture and requirements
  • How to inform, advise, and influence executives, IT staff, and users on information security
  • How to think like a seasoned security professional, understanding how cyber-criminals subvert systems with subtle and insidious tricks.
  • How to analyze, select, implement, and monitor security controls such as change control, vulnerability management, incident response, and access controls.
  • How to prepare an organization to pass external formal audits such as PCI, SSAE-16 or ISO 27001
  • How to  write clear, easy to follow, comprehensive security policies and procedures

Who This Book Is For

IT professionals moving into the security field; new security managers, directors, project heads, and would-be CISOs; and security specialists from other disciplines moving into information security (e.g., former military security professionals, law enforcement professionals, and physical security professionals). 

Arvustused

Pompon provides step-by-step guidance for successfully establishing a security management system for an organizations IT systems. The introduction provides a good road map to the book, and each chapter finishes with a list of further readings. There is a good index and a very thorough table of contents. This is a good, step-by-step approach to building a security program that should protect an organizations IT systems and, importantly, also be able to demonstrate that protection to an auditor. (David B. Henderson, Computing Reviews, April, 2017)

About the Author xxiii
About the Technical Reviewer xxv
Acknowledgments xxvii
Introduction xxix
Part I Getting a Handle on Things
1(66)
Chapter 1 Why Audit?
3(10)
You Will Be Audited
3(4)
What Is an Audit?
3(1)
Regulated Industries That Require Audits
4(1)
Regulated Industries Without Explicit Audits
4(1)
Business Transactions Can Loop You into an Audit
5(1)
A Lawsuit May Drag You into Something Worse Than an Audit
6(1)
Business-to-Business Audits
6(1)
Will/Should You Audit Your IT Security Controls?
6(1)
Audit Misconceptions
7(1)
The Burden of Audit Is on You
7(1)
Aim Higher Than Compliance
7(1)
Audits Are Useful
7(2)
Audits Make You Look Good
8(1)
The Audit as a Forcing Function
8(1)
Audit Types
9(2)
ISO 27001
9(1)
The SSAE 16
9(1)
PCI DSS
10(1)
Auditors Auditing
10(1)
What Is the Right Audit for You?
11(2)
Chapter 2 Assume Breach
13(10)
The Lesson of Fort Pulaski
13(3)
The Invincible
13(2)
Ownership Changes Hand
15(1)
New Exploit Technology Is Introduced
15(1)
The Complexity of IT Systems
16(3)
A Tangled Web of Code
17(1)
Complexity and Vulnerability
18(1)
Technical Vulnerabilities
19(1)
Attackers Are Motivated
19(1)
The Assume Breach Mindset
20(3)
Living in Assume Breach World
20(3)
Chapter 3 Risk Analysis: Assets and Impacts
23(16)
Why Risk
23(1)
Risk Is Context Sensitive
24(1)
Components of Risk
24(2)
Calculating Likelihood
25(1)
Calculating Impact
26(4)
IT Asset Inventory
27(1)
Asset Value Assessment
27(1)
Assessing Impact
28(1)
Indirect Impacts
29(1)
Compliance Impacts
30(1)
Qualitative vs. Quantitative
30(6)
Qualitative Analysis
30(1)
Clarifying Your Qualitative
30(4)
Quantitative Analysis
34(2)
Annualized Loss Expectancy
36(1)
Formalizing Your Risk Process
36(3)
Chapter 4 Risk Analysis: Natural Threats
39(12)
Disaster Strikes
39(1)
Risk Modeling
40(1)
Modeling Natural Threats
41(2)
Modeling Impact with Failure Mode Effects Analysis
43(4)
Simple FMEA Example
44(1)
Breaking down a System
45(1)
Analyzing Functions
46(1)
Determining Failure Effects
46(1)
Business Impact Analysis
47(3)
Documenting Assumptions
50(1)
Chapter 5 Risk Analysis: Adversarial Risk
51(16)
A Hospital under Attack
51(1)
Adversarial Risk
52(1)
Overview of Attacker Types
52(1)
Understanding Attacker Capability
53(3)
Technical Capability
53(1)
Trickery Capability
54(1)
Time
55(1)
Techniques
55(1)
Understanding Attacker Incentives
56(4)
Monetary Incentives
57(1)
Political Incentives
58(1)
Personal Incentives
59(1)
Common Attack Techniques
60(2)
Kill Chain
60(1)
Stealing Authentication
61(1)
Exfiltration
62(1)
Building the Adversarial Risk Model
62(5)
Qualitative Example
62(2)
Quantitative Example
64(3)
Part II Wrangling the Organization
67(64)
Chapter 6 Scope
69(12)
Developing Scope
69(2)
Compliance Requirement Gathering
71(3)
Zero in on PII
71(2)
PCI DSS scoping
73(1)
SSAE SOC 1 Scoping
73(1)
Supporting Non-IT Departments
73(1)
Double Check
73(1)
Writing Scope Statements
74(1)
Control Inventory
74(1)
Control Effectiveness and Efficiency
75(1)
Scoping Adjacent Systems
75(1)
Scope Barriers
76(3)
Technical Barriers
77(1)
Physical Barriers
78(1)
Process Barriers
78(1)
Scoping Hints
79(2)
Start Small and Expand
79(1)
But Not Too Small
79(1)
Simplification
79(2)
Chapter 7 Governance
81(18)
Governance Frameworks
82(1)
The ISMS
82(1)
Establish the ISMS
83(7)
The ISMS Steering Committee
83(2)
Duties of the ISMS Committee
85(1)
Key Roles
86(2)
ISMS Charter
88(2)
Obtain Executive Sponsorship
90(1)
Plan: Implement and Operate a Security Program
90(1)
Decide upon and Publish the Goals
90(1)
Do: Risk Treatment
91(6)
Risk Treatment
93(4)
Check: Monitor and Review Security Program
97(1)
Act: Maintain and Improve Security Program
98(1)
Chapter 8 Talking to the Suits
99(14)
When Security Appears to be Anti-Business
99(1)
Who Really Decides?
100(1)
Understanding the Organization
100(3)
How to Ask
101(1)
Who Do You Ask
101(1)
What to Ask
101(2)
What to Do with This
103(1)
Answering Questions
103(2)
Do the Research
103(1)
Don't Wander Outside Your Area of Expertise
104(1)
How to Talk Their Talk
104(1)
Explaining Risk
105(8)
Proposing a Course of Action
107(6)
Chapter 9 Talking to the Techs
113(10)
IT Security vs. IT
114(1)
Techie Traps
115(3)
The Infinitely Long IT Work Queue
115(1)
Perpetual Design
116(1)
Dragging Projects
117(1)
Other Tools
117(1)
Working with Other Security Pros
118(5)
IT Security Roles
118(1)
Hiring for Security
119(4)
Chapter 10 Talking to the Users
123(8)
Specific Challenges for the Users
123(2)
Complexity
124(1)
Different Paradigm, Different Goals
124(1)
Culture Clashes
125(1)
Tools for Helping Users
125(4)
Empathy
125(1)
Let the Work Flow Smoothly
126(1)
Work with the Users
127(1)
Get Users on Your Side
128(1)
Security Awareness Training
129(2)
Part III Managing Risk with Controls
131(128)
Chapter 11 Policy
133(12)
What Is Policy?
133(1)
What Isn't Policy
134(1)
Writing Policy
134(2)
Policy and the Law
135(1)
Keep It Simple
135(1)
Policies Don't Have to Be Perfect
135(1)
Key Policy: Security Policy
136(2)
Components of the Policy
136(1)
Scope
136(1)
Policy Goal
136(1)
Governance
136(1)
Risk Management
136(1)
Expectations for User Behavior
137(1)
Sample Security Policy
137(1)
Key Policy: Acceptable Usage Policy
138(5)
Goal
139(1)
Scope
139(1)
Privacy Disclaimers
139(1)
Handling the Data
139(1)
Handling the Machines
139(1)
Define Misuse
140(1)
Social Media
140(1)
Security Responsibilities
140(1)
Sanctions
140(1)
Sample Acceptable Usage Policy
141(2)
Policy Rollout
143(2)
Chapter 12 Control Design
145(8)
A Control Not Used Is a Control Wasted
145(1)
What Is a Control?
146(1)
What Is a Good Control?
146(1)
Proportionate to Risk
146(1)
Standardized and Measured
147(1)
Documented
147(1)
Control Lists
147(1)
Controls in Combination
148(2)
Key Controls
148(1)
Compensating Controls
149(1)
Control Functions and Failures
149(1)
Control Cost
150(3)
Reducing the Cost of Controls
151(2)
Chapter 13 Administrative Controls
153(12)
Control Maturity
153(2)
Capability Maturity Model
154(1)
The Power of Good Admin Controls
155(1)
Differences in Documents
155(1)
Critical Admin Control: Asset Management
156(1)
Sample Asset Management Policy
156(1)
Sample Asset Management Standard
156(1)
Critical Admin Control: Change Control
157(3)
Sample Change Control Policy
158(1)
Change Control Standards
159(1)
Change Control Tracking
159(1)
Critical Admin Control: Application Security
160(2)
Sample Application Security Policy
160(1)
Application Security Standards
161(1)
Software Acquisition
161(1)
Critical Manual Control: Record and Media Management
162(3)
Sample Record and Media Management Policy
162(3)
Chapter 14 Vulnerability Management
165(10)
Organizing Vulnerability Management
166(1)
Sample Vulnerability Management Policy
166(1)
Vulnerability Management Breakdown of Responsibilities
166(1)
Hardening Standards
167(2)
Sample Hardening and Vulnerability Management Standard
167(1)
How to Fill in the Hardening Standards?
168(1)
Vulnerability Discovery
169(4)
Vulnerability Notification
169(1)
Discovery Scanning
169(2)
Vulnerability Scanning
171(1)
Penetration Testing
172(1)
Dynamic Application Testing
172(1)
Prioritization and Risk Scoring
173(1)
Higher Priority
173(1)
Lower Priority
173(1)
More Food for Thought
174(1)
Patching
174(1)
Scan Again
174(1)
Chapter 15 People Controls
175(12)
Policy for the People
175(1)
Sample Human Resource Security Policy
175(1)
Employee Role Changes
176(1)
Background Screening
177(3)
When to Check
178(1)
Who to Check
178(1)
What to Check
179(1)
What to Do When There's a Problem
180(1)
Employment Agreements
180(1)
Security Training
181(1)
Sanctions for Policy Violations
181(1)
Managing the Insider Threat
182(2)
Monitoring
182(1)
Least Privilege
183(1)
Strong User Management
183(1)
Segregation of Duties
183(1)
Know Your User
184(1)
Filtering
184(1)
Processes, Not Individuals
184(3)
Chapter 16 Logical Access Control
187(10)
Defining Access Control
187(1)
Sample Logical Access Control Policy
187(1)
Authentication
188(4)
Something You Know
188(1)
Something You Have
189(1)
Something You Are
190(1)
Multifactor Authentication
190(1)
Authentication Standards
190(2)
Authorization
192(2)
Role-based Access Control
192(2)
System Authorization
194(1)
Sample Authorization Standards
194(1)
Accountability
194(1)
Access Control Tools
195(2)
Chapter 17 Network Security
197(22)
Understand Networking Technology
197(1)
Network-based Attacks
198(8)
Remote Exploits
199(1)
Remote Password Guessing
200(1)
Drive-by-Download Attacks
200(1)
Network Denial of Service
201(1)
Sniffing
202(2)
Impersonation
204(1)
Man-in-the-Middle
204(1)
Exfiltration of Data
205(1)
Network Controls
206(13)
Sample Network Security Policy
206(2)
Network Security Standards
208(1)
Network Security Procedures
208(1)
Firewalls
209(2)
IDS/IPS
211(1)
Transmission Encryption
212(7)
Chapter 18 More Technical Controls
219(12)
Internet Services Security
219(5)
Web Services
219(2)
E-mail Security
221(2)
DNS Security
223(1)
Encrypting Data at Rest
224(3)
Why Is Encryption Hard to Do?
225(1)
Storage Crypto Policy and Standards
226(1)
Tokenization
226(1)
Malware Controls
227(1)
Anti-Malware Policy and Standards
227(1)
Malware Defense in Depth
227(1)
Building Custom Controls
228(3)
Chapter 19 Physical Security Controls
231(8)
Getting a Handle on Physical Security
231(1)
Physical Risk Assessments
232(1)
Physical Security Policy
232(2)
Sample Physical Security Policy
233(1)
Personnel Security
234(1)
Visitor Security
234(1)
Training
234(1)
Security in the Offices
235(1)
Clean Desk Policies
235(1)
Network Access Controls
236(1)
Secured Facilities Controls
236(1)
Racks and Cages
236(1)
Cameras
236(1)
Alarms
236(1)
Guards
237(1)
Environmental Controls
237(1)
Media and Portable Media Controls
237(1)
Media Destruction
237(1)
Laptop Controls
238(1)
Convergence of IT and Physical Security Controls
238(1)
Chapter 20 Response Controls
239(20)
Logging
239(5)
Sample Logging Policy
240(1)
What You Must Log
240(1)
Look at Your Logs
241(2)
Protecting Your Logs
243(1)
Backup and Failover
244(1)
Keep Backups Offsite and Safe
244(1)
What to Back Up
244(1)
Backup Policy
245(1)
Failover Systems
245(1)
Business Continuity Planning
245(3)
Sample Business Continuity Policy
246(1)
Expectations for Recovery
246(1)
Disaster Recovery Planning
247(1)
Incident Response Planning
248(1)
Incident Response Policy
248(1)
Incident Response Plan
249(6)
A Team Effort
249(2)
Communication Strategies
251(1)
Procedures for Common Scenarios
251(1)
Gathering Data
252(1)
Hunting and Fixing
253(1)
Legal Reporting Requirements
253(1)
Working with Law Enforcement
254(1)
Human Side of Incident Response
254(1)
After Action Analysis
255(4)
Root Cause Analysis
255(1)
Executive Summary
256(1)
Practicing
256(3)
Part IV Being Audited
259(42)
Chapter 21 Starting the Audit
261(14)
Getting Ready for Audit
261(2)
Picking an Auditor
263(1)
We're All on the Same Side
264(1)
What Happens During Audit
264(4)
Scope Review
265(1)
Control Review
265(1)
Audit Evidence Gathering
266(1)
Roles During an Audit
267(1)
Specific Audits
268(5)
SSAE 16 Audits
269(2)
ISO 27001 Audits
271(1)
PCI DSS Audit
272(1)
Disagreeing with Auditors
273(2)
Chapter 22 Internal Audit
275(8)
The Role of Internal Audit
275(2)
Internal Auditor Independence
275(1)
Internal Auditor Competence
276(1)
How Small Can the Role Go?
277(1)
To Heal, Not to Punish
277(1)
Check Before the Auditors Check
277(1)
The Internal Audit Process
278(5)
Measuring a Control
278(3)
Publish to Management
281(1)
Keep Records
281(2)
Chapter 23 Third-Party Security
283(10)
Which Third Parties Are Relevant?
283(1)
Analysis of Third Parties
284(3)
Risk Analysis
284(1)
Control Gap Analysis Approach
285(1)
Getting Answers
286(1)
Reading Their Audit Reports
286(1)
Analyzing It All
287(1)
Controlling Third-Party Risk
287(5)
Sample Policy for Third-Party Management
288(1)
Software Procurement
288(1)
Security Service Agreements
289(2)
Technical Controls
291(1)
Document Your Work
292(1)
Chapter 24 Post Audit Improvement
293(8)
Reviewing Everything
293(3)
Reviewing What Worked
293(2)
Reviewing What Didn't Work
295(1)
Analyzing the Data
296(2)
Looking for Systematic Issues
297(1)
Look for Things that Aren't Broken yet, but Will Be
297(1)
Making Changes
298(2)
Look Before You Leap
298(1)
Improving the Controls
298(1)
Bridge Letters
299(1)
Rolling out a Change Plan
299(1)
We Can Never Stop Trying to Improve
300(1)
Index 301
Ray Pompon is currently the Director of Security at Linedata. With over 20 years of experience in Internet security, he works closely with Federal investigators in cyber-crime investigations and apprehensions. He has been directly involved in several major intrusion cases, including the FBI undercover Flyhook operation and the NW Hospital botnet prosecution. For six years, Ray was president and founder of the Seattle chapter of InfraGard, the FBI public-private partnership. He is a lecturer and on the board of advisors for three information assurance certificate programs at the University of Washington. Ray has written many articles and white papers on advanced technology topics and is frequently asked to speak as a subject matter expert on Internet security issues. National journalists have solicited and quoted his thoughts and perspective on the topic of computer security numerous times. He is a Certified Information Systems Security Professional as well as GIAC certified in the Law of Data Security & Investigations.