Cover image for IT security governance guidebook with security program metrics on CD-ROM
Title:
IT security governance guidebook with security program metrics on CD-ROM
Personal Author:
Publication Information:
Boca Raton, FL : Auerbach Publications, 2007
Physical Description:
1v + 1 CD-ROM
ISBN:
9780849384356
General Note:
Accompanied by compact disc : CP 8941

Available:*

Library
Item Barcode
Call Number
Material Type
Status
Searching...
30000010132714 TK5105.59 C63 2007 Open Access Book
Searching...

On Order

Summary

Summary

The IT Security Governance Guidebook with Security Program Metrics on CD-ROM provides clear and concise explanations of key issues in information protection, describing the basic structure of information protection and enterprise protection programs. Including graphics to support the information in the text, this book includes both an overview of material as well as detailed explanations of specific issues. The accompanying CD-ROM offers a collection of metrics, formed from repeatable and comparable measurement, that are designed to correspond to the enterprise security governance model provided in the text, allowing an enterprise to measure its overall information protection program.


Table of Contents

Executive Summaryp. xi
About This Materialp. xii
Chapter 1 The Structure of Information Protectionp. 1
1.1 A Comprehensive Information Protection Programp. 1
1.1.1 The Architectural Modelp. 1
1.1.2 Risk Managementp. 3
1.1.3 How the Business Worksp. 5
1.1.4 How Information Technology Protection Worksp. 7
1.1.5 Interdependenciesp. 8
1.1.6 But How Much Is Enough? The Duty to Protectp. 8
1.2 What Is Information Protection Governance All About?p. 8
1.2.1 The Goal of Governancep. 8
1.2.2 What Are the Aspects of Governance?p. 10
1.2.2.1 Structuresp. 10
1.2.2.2 What Are the Rules?p. 11
1.2.2.3 Principles and Standardsp. 12
1.2.2.4 Power and Influencep. 13
1.2.2.5 Fundingp. 15
1.2.2.6 Enforcement Mechanismsp. 17
1.2.2.7 Appeals Processes and Disputesp. 20
1.2.3 The Overall Control Systemp. 21
1.3 Fitting Protection into Business Structuresp. 22
1.3.1 Fitting Inp. 23
1.3.2 The Theory of Groupsp. 23
1.3.3 What Groups Are Neededp. 24
1.4 Who Is in Charge and Who Does This Person Work for?p. 25
1.4.1 The CISOp. 25
1.4.2 The CISO's Teamp. 25
1.4.3 The Structure of the Groupsp. 27
1.4.4 Meetings and Groups the CISO Chairs or Operatesp. 28
1.4.5 Should the CISO Work for the CIO or Others?p. 28
1.5 Should the CISO, CPO, CSO, or Others Be Combined?p. 30
1.5.1 Where Should the CISO Be in the Corporate Structure?p. 31
1.6 Budgets and Situationsp. 31
1.6.1 Direct Budget for the CISOp. 31
1.6.2 Identifiable Costsp. 31
1.7 Enforcement and Appeals Processesp. 34
1.7.1 Top Management Buy-In and Supportp. 34
1.7.2 Power and Influence and Managing Changep. 34
1.7.3 Responses to Power and Influencep. 35
1.7.4 Other Power Issuesp. 35
1.8 The Control Systemp. 36
1.8.1 Metricsp. 37
1.8.1.1 Costsp. 37
1.8.1.2 Performancep. 37
1.8.1.3 Timep. 38
1.8.1.4 Lower-Level Metricsp. 38
1.9 How Long Will It Take?p. 39
1.10 Summaryp. 41
Chapter 2 Drill-Downp. 43
2.1 How the Business Worksp. 44
2.2 The Security Oversight Functionp. 46
2.2.1 Duty to Protectp. 47
2.2.1.1 Externally Imposed Dutiesp. 47
2.2.1.2 Internally Imposed Dutiesp. 47
2.2.1.3 Contractual Dutiesp. 48
2.3 Risk Management and What to Protectp. 48
2.3.1 Risk Evaluationp. 48
2.3.1.1 Consequencesp. 48
2.3.1.2 Threatsp. 49
2.3.1.3 Vulnerabilitiesp. 49
2.3.1.4 Interdependencies and Risk Aggregationsp. 50
2.3.2 Risk Treatmentp. 52
2.3.2.1 Risk Acceptancep. 52
2.3.2.2 Risk Avoidancep. 52
2.3.2.3 Risk Transferp. 52
2.3.2.4 Risk Mitigationp. 52
2.3.3 What to Protect and How Wellp. 53
2.3.4 The Risk Management Spacep. 53
2.3.4.1 Risk Assessment Methodologies and Limitationsp. 54
2.3.4.2 Matching Surety to Riskp. 55
2.3.5 Enterprise Risk Management Process: An Examplep. 58
2.3.5.1 The Risk Management Processp. 59
2.3.5.2 Evaluation Processes to Be Usedp. 60
2.3.5.3 The Order of Analysisp. 61
2.3.5.4 Selection of Mitigation Approachp. 62
2.3.5.5 Specific Mitigationsp. 63
2.3.5.6 Specific Issues Mandated by Policyp. 63
2.3.5.7 A Schedule of Risk Management Activitiesp. 63
2.3.5.8 Initial Conditionsp. 64
2.3.5.9 Management's Rolep. 64
2.3.5.10 Reviews to Be Conductedp. 65
2.3.6 Threat Assessmentp. 65
2.3.7 Fulfilling the Duties to Protectp. 66
2.4 Security Governancep. 69
2.4.1 Responsibilities at Organizational Levelsp. 69
2.4.2 Enterprise Security Management Architecturep. 70
2.4.3 Groups That CISO Meets with or Creates and Chairsp. 72
2.4.3.1 Top-Level Governance Boardp. 72
2.4.3.2 Business Unit Governance Boardsp. 72
2.4.3.3 Policy, Standards, and Procedures Group and Review Boardp. 73
2.4.3.4 Legal Group and Review Boardp. 74
2.4.3.5 Personnel Security Group and Review Boardp. 74
2.4.3.6 Risk Management Groupp. 75
2.4.3.7 Protection Testing and Change Control Group and Review Boardp. 75
2.4.3.8 Technical Safeguards Group and Review Boardp. 76
2.4.3.9 Zoning Boards and Similar Governance Entitiesp. 77
2.4.3.10 Physical Security Group and Review Boardp. 77
2.4.3.11 Incident Handling Group and Review Boardp. 78
2.4.3.12 Audit Group and Review Boardp. 79
2.4.3.13 Awareness and Knowledge Group and Review Boardp. 80
2.4.3.14 Documentation Groupp. 81
2.4.4 Issues Relating to Separation of Dutiesp. 81
2.4.5 Understanding and Applying Power and Influencep. 81
2.4.5.1 Physical Powerp. 81
2.4.5.2 Resource Powerp. 82
2.4.5.3 Positional Powerp. 82
2.4.5.4 Expertise, Personal, and Emotional Powerp. 83
2.4.5.5 Persuasion Modelp. 84
2.4.5.6 Managing Changep. 85
2.4.6 Organizational Perspectivesp. 91
2.4.6.1 Managementp. 91
2.4.6.2 Policyp. 92
2.4.6.3 Standardsp. 93
2.4.6.4 Proceduresp. 95
2.4.6.5 Documentationp. 96
2.4.6.6 Auditingp. 97
2.4.6.7 Testing and Change Controlp. 97
2.4.6.8 Technical Safeguards: Information Technologyp. 98
2.4.6.9 Personnelp. 101
2.4.6.10 Incident Handlingp. 102
2.4.6.11 Legal Issuesp. 104
2.4.6.12 Physical Securityp. 105
2.4.6.13 Knowledgep. 107
2.4.6.14 Awarenessp. 108
2.4.6.15 Organizationp. 110
2.4.6.16 Summary of Perspectivesp. 111
2.5 Control Architecturep. 111
2.5.1 Protection Objectivesp. 111
2.5.1.1 Integrityp. 112
2.5.1.2 Availabilityp. 113
2.5.1.3 Confidentialityp. 113
2.5.1.4 Use Controlp. 115
2.5.1.5 Accountabilityp. 116
2.5.2 Access Control Architecturep. 118
2.5.3 Technical Architecture Functional Units and Compositesp. 118
2.5.4 Perimeter Architecturesp. 118
2.5.4.1 Physical Perimeter Architecturep. 119
2.5.4.2 Logical Perimeter Architecturep. 122
2.5.4.3 Perimeter Summaryp. 124
2.5.5 Access Process Architecturep. 124
2.5.5.1 Identificationp. 124
2.5.5.2 Authenticationp. 125
2.5.5.3 Authorizationp. 125
2.5.5.4 Usep. 126
2.5.6 Change Control Architecturep. 126
2.5.6.1 Research and Developmentp. 126
2.5.6.2 Change Controlp. 127
2.5.6.3 Productionp. 127
2.6 Technical Security Architecturep. 127
2.6.1 Issues of Contextp. 127
2.6.1.1 Time ("When")p. 127
2.6.1.2 Location ("Where")p. 128
2.6.1.3 Purpose ("Why")p. 129
2.6.1.4 Behaviors ("What")p. 130
2.6.1.5 Identity ("Who")p. 130
2.6.1.6 Method ("How")p. 131
2.6.2 Life Cyclesp. 132
2.6.2.1 Businessp. 132
2.6.2.2 Peoplep. 134
2.6.2.3 Systemsp. 138
2.6.2.4 Datap. 141
2.6.3 Protection Process: Data Statep. 146
2.6.3.1 Data at Restp. 147
2.6.3.2 Data in Motionp. 152
2.6.3.3 Data in Usep. 154
2.6.4 Protection Process: Attack and Defensep. 155
2.6.4.1 Deterp. 156
2.6.4.2 Preventp. 157
2.6.4.3 Detectp. 159
2.6.4.4 Reactp. 163
2.6.4.5 Adaptp. 165
2.6.4.6 Detect/React Loopp. 167
2.6.5 Protection Process: Work Flowsp. 168
2.6.5.1 Work to Be Donep. 169
2.6.5.2 Process for Completion and Optionsp. 169
2.6.5.3 Control Points and Approval Requirementsp. 170
2.6.5.4 Appeals Processes and Escalationsp. 170
2.6.5.5 Authentication Requirements and Mechanismsp. 170
2.6.5.6 Authorization and Context Limitationsp. 171
2.6.5.7 Work Flow Documentation and Auditp. 171
2.6.5.8 Control and Validation of the Engine(s)p. 171
2.6.5.9 Risk Aggregation in the Engine(s)p. 172
2.6.6 Protective Mechanismsp. 172
2.6.6.1 Perceptionp. 172
2.6.6.2 Structurep. 173
2.6.6.3 Content Controlsp. 175
2.6.6.4 Behaviorp. 176
2.7 Roll-Up of the Drill-Downp. 178
Chapter 3 Summary and Conclusionsp. 181
Indexp. 183