
E-book: Practical Guide to Security Assessments

(Amper, Politziner, & Mattia, P.C., New Jersey, USA)
  • Format: 520 pages
  • Publication date: 29-Sep-2004
  • Publisher: Auerbach
  • Language: eng
  • ISBN-13: 9781135500306
  • Format: EPUB+DRM
  • Price: 74,09 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not allowed

  • Printing:

    not allowed

  • Usage:

    Digital Rights Management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You must also create an Adobe ID (more information here). The e-book can be read by 1 user and downloaded to up to 6 devices (all authorised with the same Adobe ID).

    Required software
    To read on a mobile device (phone or tablet) you must install this free app: PocketBook Reader (iOS / Android)

    To read on a PC or Mac you must install Adobe Digital Editions (this is a free application designed specifically for reading e-books; it should not be confused with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

Kairab, a professional in audit and security, presents a method for conducting information security assessments, from initial planning to the final report. The method stresses gaining an understanding of business goals and processes and then determining whether security measures are properly aligned with business risks. The book includes an appendix that contains questionnaires which can be modified and used to conduct security assessments, and will be of use to novice and experienced information security professionals and to those in management who need to evaluate security risks. Annotation ©2004 Book News, Inc., Portland, OR (booknews.com)

The modern dependence upon information technology, and the corresponding information security regulations and requirements, force companies to evaluate the security of their core business processes, mission-critical data, and supporting IT environment. Combined with a slowdown in IT spending that requires every purchase to be justified, this leaves security professionals scrambling to find comprehensive and effective ways to assess their environment, discover and prioritize vulnerabilities, and develop cost-effective solutions that show benefit to the business.

A Practical Guide to Security Assessments is a process-focused approach that presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and how security measures are aligned with business risks. The guide also emphasizes that resulting security recommendations should be cost-effective and commensurate with the security risk. The methodology described serves as a foundation for building and maintaining an information security program.

In addition to the methodology, the book includes an Appendix that contains questionnaires that can be modified and used to conduct security assessments.

This guide is for security professionals who can immediately apply the methodology on the job, and also benefits management who can use the methodology to better understand information security and identify areas for improvement.


Chapter 1 Introduction 1(4)
Chapter 2 Evolution of Information Security 5(40)
  Introduction 5(1)
  Distributed Systems and the Internet 5(1)
  Business-to-Business (B2B) Relationships 6(1)
  Remote Access 6(1)
  Enterprise Resource Planning (ERP) 7(2)
  Information Security Today 9(1)
  Why Protect Information Assets? 9(6)
  The Internet and the Availability and Accessibility of Information 10(1)
  Shift from Paper-Based to Electronic-Based Information 11(1)
  Integration of Systems 11(2)
  Legislation 13(1)
  Cyber-Related Threats 14(1)
  Growing Role of Internal Audit 15(1)
  Security Standards 16(7)
  Best Practice Standards 17(1)
  Technical Standards 18(1)
  Marketplace Standards 19(4)
  Better Business Bureau (BBB) Online Privacy Seal 19(2)
  AICPA/CICA WebTrust Program 21(2)
  Organizational Impacts 23(6)
  Rise of the Chief Security Officer 24(3)
  Autonomous Departments Devoted to Information Security 27(2)
  Independence and the Ability to Escalate 27(1)
  Expertise 28(1)
  Security Certifications 29(5)
  Vendor-Neutral Certifications 30(4)
  Certified Information Systems Security Professional (CISSP) 30(2)
  Certified Information Systems Auditor (CISA) 32(1)
  System Administration and Network Security Certifications (SANS) - GIAC (Global Information Assurance Certification) 33(1)
  CISM (Certified Information Security Manager) 33(1)
  Vendor-Specific Certifications 34(1)
  Trends in Information Security 34(8)
  Focus on the Overall Information Security Program 35(2)
  Security Spending Is Tightening 37(1)
  Growing Awareness of Information Security 38(1)
  Outsourcing Security Functions 38(4)
  Government Regulations 42(1)
  Notes 42(3)
Chapter 3 The Information Security Program and How a Security Assessment Fits In 45(22)
  What Is an Information Security Program? 45(10)
  Security Strategy 45(2)
  Security Policies and Procedures 47(2)
  Security Organization 49(1)
  Executive Support 50(1)
  Training and Awareness 51(2)
  Toolsets 53(1)
  Enforcement 54(1)
  How Does a Security Assessment Fit In? 55(3)
  Why Conduct a Security Assessment? 58(4)
  Obtaining an Independent View of Security 58(1)
  Managing Security Risks Proactively 59(1)
  Determining Measures to Take to Address Any Regulatory Concerns 60(1)
  Justification for Funds 61(1)
  The Security Assessment Process 62(3)
  Executive Summary 65(2)
Chapter 4 Planning 67(36)
  Defining the Scope 67(20)
  Business Drivers 69(5)
  Proactive Approach to Security 70(1)
  Regulatory Concerns 70(1)
  Justification for Additional Funds for Information Security Initiatives 71(1)
  Security Incident Has Occurred 71(1)
  Disgruntled Employees 72(1)
  Changes in the IT Environment 73(1)
  Mergers and Acquisitions 73(1)
  Scope Definition 74(5)
  Analysis 76(1)
  Define the Scope of Work 77(2)
  Potential Scope Issues 79(3)
  Scope Creep 79(1)
  Incorrect Assumptions 79(1)
  Lack of Standards 80(1)
  Staffing 80(2)
  Consultant's Perspective 82(1)
  Client's Perspective 83(11)
  Internal Employees 83(1)
  Third-Party Consultants 84(3)
  Kickoff Meeting 87(5)
  Develop Project Plan 92(2)
  Set Client Expectations 94(6)
  Understanding the Meaning of a Security Assessment 94(3)
  Key Communications 97(3)
  Status Meetings 97(1)
  Deliverable Template 98(2)
  Executive Summary 100(2)
  Defining Scope 100(1)
  Staffing 100(1)
  Kickoff Meeting 101(1)
  Develop Project Plan 101(1)
  Set Client Expectations 102(1)
  Notes 102(1)
Chapter 5 Initial Information Gathering 103(36)
  Benefits of Initial Preparation 103(2)
  Credibility with the Customer 103(1)
  Ability to Ask the Right Questions 104(1)
  Gather Publicly Available Information 105(1)
  Where Is This Information Found? 105(12)
  Company Web Site 107(4)
  General Company News 107(1)
  Operations-Related Information 108(1)
  Planned Initiatives 109(1)
  Management Team 109(1)
  Financial Information 109(1)
  Web-Based Offerings 110(1)
  Sense of Dependency on the Web Presence 110(1)
  Financial Statements 111(5)
  Form 10K - Annual Report 111(4)
  Form 10Q - Quarterly Report 115(1)
  Form 8K - Report of Unscheduled Material Events 115(1)
  Trade Journals 116(1)
  Other Articles on the Internet 117(1)
  Gather Information from the Client 117(6)
  Analyze Gathered Information 123(1)
  Prepare Initial Question Sets 123(11)
  Business Process-Related Questions 125(7)
  Significant Business Processes and Supporting Technologies 126(3)
  Integration Points with Other Departments 129(1)
  Past Security Incidents 130(2)
  Planned Initiatives 132(1)
  Other Interviewee-Specific Questions 132(1)
  Traditional Security-Related Questions 132(2)
  Develop and Document Template for Final Report 134(2)
  Executive Summary 136(3)
  Gather Publicly Available Information 137(1)
  Gather Information Using an Initial Questionnaire 137(1)
  Analyze Gathered Info 137(1)
  Prepare Initial Question Sets 138(1)
  Develop and Document Template for Final Report 138(1)
Chapter 6 Business Process Evaluation 139(26)
  General Review of Company and Key Business Processes 142(9)
  Critical Business Processes 145(2)
  Business Environment 147(1)
  Planned Changes That May Impact Security 148(1)
  Organization Structure 148(3)
  Management Concerns Regarding Information Security 151(1)
  Finalize Question Sets for Process Reviews 151(3)
  Meet with Business Process Owners 154(2)
  Preparation for Meetings 154(1)
  Interviews with Process Owners 154(2)
  Potential Pitfalls 156(1)
  Analyze Information Collected and Document Findings 156(2)
  Status Meeting with Client 158(3)
  Findings 160(1)
  Status Based on Project Plan 160(1)
  Discussion of Critical Technologies 160(1)
  Potential Concerns During This Phase 161(1)
  Executive Summary 162(3)
Chapter 7 Technology Evaluation 165(28)
  General Review of Technology and Related Documentation 166(4)
  Develop Question Sets for Technology Reviews 170(4)
  Meet with Technology Owners and Conduct Detailed Testing 174(13)
  Interviews 176(1)
  Hands-On Testing 177(7)
  Reasons for Conducting Detailed Testing 177(3)
  Test Planning and Related Considerations 180(1)
  Manual vs. Automated Testing 181(1)
  Tool Selection 182(1)
  Process for Conducting Detailed Technology Testing 183(1)
  Common Detailed Technology Testing 184(3)
  Analyze Information Collected and Document Findings 187(2)
  Status Meeting with Client 189(1)
  Potential Concerns During This Phase 189(2)
  Executive Summary 191(2)
Chapter 8 Risk Analysis and Final Presentation 193(36)
  Risk Analysis and Risk Score Calculation 193(12)
  Risk Score Calculation 197(8)
  Business Impact 198(2)
  Calculation of Business Impact 200(1)
  Analysis of Business Impact 200(1)
  Probability - Medium 200(1)
  Potential Impact to the Business - Medium 201(1)
  Level of Control 201(3)
  Determination of Risk Score 204(1)
  Finalize Findings and Risks 205(5)
  Finalize Wording for Findings 205(4)
  Document Risks and Criticality 209(1)
  Develop Recommendations and Prepare Draft Report 210(12)
  Develop and Document Recommendations 212(2)
  Characteristics of Good Recommendations 214(4)
  Address the Risk 214(1)
  Provide Enough Detail 215(1)
  Cost Effectiveness (Return on Security Investment) 215(3)
  Other General Recommendations 218(11)
  Ongoing Assessment 219(1)
  Managed Security Services 220(2)
  Discuss Draft Report with Client 222(2)
  Present Final Report to Management 224(2)
  Potential Concerns During This Phase 226(1)
  Executive Summary 227(1)
  Notes 228(1)
Chapter 9 Information Security Standards 229(16)
  International Standards Organization 17799 (ISO 17799) 229(3)
  Use in a Security Assessment 232(1)
  Common Criteria (CC) 232(2)
  Structure of the Common Criteria 233(1)
  Use in a Security Assessment 233(1)
  COBIT (Control Objectives for Information and Related Technology) 234(4)
  COBIT Structure 234(4)
  IT Governance Self Assessment 235(1)
  Management's IT Concern Diagnostic 236(1)
  Control Objectives 236(1)
  Management Guidelines 237(1)
  Use in a Security Assessment 238(1)
  ITIL (IT Infrastructure Library) Security Management 238(2)
  Use in a Security Assessment 239(1)
  SAS (Statement on Auditing Standards) 70 239(1)
  Use in a Security Assessment 240(1)
  AICPA SysTrust 240(1)
  Use in a Security Assessment 240(1)
  AICPA WebTrust 241(1)
  Use in a Security Assessment 241(1)
  RFC 2196 - Site Security Handbook 241(1)
  Use in a Security Assessment 242(1)
  Other Resources 242(1)
  SANS (SysAdmin, Audit, Network, Security)/FBI (Federal Bureau of Investigation) Top 20 List 242(1)
  Vendor Best Practices 243(1)
  Notes 243(2)
Chapter 10 Information Security Legislation 245(10)
  Relevance of Legislation in Security Assessments 245(1)
  HIPAA (Health Insurance Portability and Accountability Act) 246(2)
  GLBA (Gramm-Leach-Bliley Act) 248(2)
  Sarbanes-Oxley Act 250(1)
  21 CFR Part 11 251(1)
  Safe Harbor 252(1)
  Federal Information Security Management Act (FISMA) 252(1)
  Other Legislative Action 253(1)
  Notes 254(1)
Appendices Security Questionnaires and Checklists 255(232)
  Appendix A Preliminary Checklist to Gather Information 259(12)
  Appendix B Generic Questionnaire for Meetings with Business Process Owners 271(6)
  Appendix C Generic Questionnaire for Meetings with Technology Owners 277(6)
  Appendix D Data Classification 283(8)
  Appendix E Data Retention 291(6)
  Appendix F Backup and Recovery 297(12)
  Appendix G Externally Hosted Services 309(16)
  Appendix H Physical Security 325(18)
  Appendix I Employee Termination 343(8)
  Appendix J Incident Handling 351(10)
  Appendix K Business to Business (B2B) 361(10)
  Appendix L Business to Consumer (B2C) 371(14)
  Appendix M Change Management 385(6)
  Appendix N User ID Administration 391(12)
  Appendix O Managed Security 403(12)
  Appendix P Media Handling 415(8)
  Appendix Q HIPAA Security 423(64)
Index 487


Author: Kairab, Sudhanshu