Call Number: TK5105.59 T374 2011 | Material Type: Open Access Book | Item Category: Book
Summary
Information systems have become a critical element of every organization's structure. A malfunction of the information and communication technology (ICT) infrastructure can paralyze the whole organization and have disastrous consequences at many levels. At the same time, modern businesses and organizations collaborate increasingly with companies, customers, and other stakeholders by technological means. This emphasizes the need for a reliable and secure ICT infrastructure in companies whose principal asset and added value is information.
Information Security Evaluation: A Holistic Approach from a Business Perspective proposes a global and systemic multidimensional integrated approach to the holistic evaluation of the information security posture of an organization. The Information Security Assurance Assessment Model (ISAAM) presented in this book is based on, and integrates, a number of information security best practices, standards, methodologies and sources of research expertise, in order to provide a generic model that can be implemented in organizations of all kinds as part of their efforts towards better governing their information security.
This approach will contribute to improving the identification of security requirements, measures and controls. At the same time, it provides a means of enhancing the recognition of evidence related to the assurance, quality and maturity levels of the organization's security posture, thus driving improved security effectiveness and efficiency. The value added by this evaluation model is that it is easy to implement and operate and that, through a coherent system of evaluation, it addresses concrete needs for an efficient and dynamic evaluation tool that can be relied upon.
Author Notes
Igli Tashi holds a Ph.D. in Information Systems and a Master of Advanced Studies in Legal Issues, Crime and ICT Security, both from the University of Lausanne. He is an expert on information security and risk management issues and currently works as a senior auditor for PricewaterhouseCoopers SA in Switzerland.
Solange Ghernaouti-Helie is a professor in the Faculty of Business and Economics at the University of Lausanne and an internationally recognized expert on cybersecurity and cybercrime-related issues. She has developed an interdisciplinary and integrative security approach for citizens, organizations and states, and she is the author of more than twenty books on telecommunications and security issues.
Table of Contents
Chapter 1 What is Information Security? | |
1.1 Information security stakes and challenges in a competitive world | p. 1 |
1.2 A governance perspective on information security | p. 2 |
1.3 Information security program/system components | p. 6 |
1.4 A Holistic view of information security | p. 10 |
1.5 Information security baseline for evaluation purposes | p. 14 |
1.6 Information security: general roots-of-trust | p. 18 |
1.7 Chapter Summary | p. 20 |
Chapter 2 Risk Management versus Security Management | |
2.1 Introduction | p. 21 |
2.2 A definition of risk management | p. 21 |
2.3 Presentation of the risk management process | p. 23 |
2.4 Risk analysis and assessment process | p. 25 |
2.5 Information security management definitions | p. 28 |
2.6 Information security management components | p. 31 |
2.7 The difference between risk management and information security management processes | p. 34 |
2.8 Information security evaluation issues | p. 35 |
2.9 Questions raised with respect to the information security-related ISO/IEC standards | p. 37 |
2.10 Evaluating information security management | p. 38 |
2.11 Why choose to evaluate information security management in the context of trust? | p. 40 |
2.12 Chapter summary | p. 41 |
Chapter 3 Information Security Assurance: an Assessment Model | |
3.1 The need for a holistic approach to evaluating information security | p. 43 |
3.2 The ISAAM model | p. 44 |
3.3 The concept of assurance within the domain of information security | p. 49 |
3.4 Information security assurance for a culture of security | p. 54 |
3.5 Lessons learned from the current methodologies related to the information security assurance structure | p. 57 |
3.6 Issues related to the quality of information security | p. 62 |
3.7 Information security requirements based on maturity models | p. 68 |
3.8 Chapter summary | p. 77 |
Chapter 4 Evaluating the Organizational Dimension | |
4.1 Introduction | p. 79 |
4.2 The information security governance concept | p. 79 |
4.3 The advantages of information security governance | p. 82 |
4.4 Relationship between information security and governance | p. 82 |
4.5 People, roles, responsibilities and processes | p. 85 |
4.6 Information security measurement system | p. 90 |
4.7 The information security management perspective | p. 96 |
4.8 Information security architecture | p. 100 |
4.9 Information security plan: the road-map of security operational activities | p. 102 |
4.10 Evaluating the organizational dimension | p. 103 |
4.11 The maturity model related to the organizational dimension | p. 108 |
4.12 Chapter summary | p. 109 |
Chapter 5 Evaluating the Functional Dimension | |
5.1 What is the functional dimension in relation to information security? | p. 111 |
5.2 Framing the Problem | p. 111 |
5.3 Information security safeguards | p. 119 |
5.4 Resumption and continuity | p. 131 |
5.5 Evaluating the functional dimension | p. 140 |
5.6 The maturity model related to the functional dimension | p. 143 |
5.7 Chapter summary | p. 144 |
Chapter 6 Evaluating the Human Dimension | |
6.1 The main issues related to the human dimension of information security | p. 145 |
6.2 Staffing | p. 147 |
6.3 Security awareness | p. 148 |
6.4 Security training and education | p. 152 |
6.5 Security culture | p. 155 |
6.6 The human dimension evaluation process | p. 159 |
6.7 The maturity model related to the human dimension | p. 163 |
6.8 Chapter summary | p. 163 |
Chapter 7 Evaluating the Compliance Dimension | |
7.1 Notions of trust and compliance in relation to information security | p. 165 |
7.2 The compliance program | p. 167 |
7.3 Compliance versus security | p. 177 |
7.4 Evaluating the compliance function | p. 180 |
7.5 Chapter summary | p. 186 |
Chapter 8 Concluding Remarks | |
8.1 Effectiveness and efficiency as a priority | p. 189 |
8.2 The value added by, and scope of application of, ISAAM | p. 190 |
8.3 A new evaluation paradigm | p. 191 |
Bibliography | p. 195 |
Index of Keywords and Concepts | p. 199 |