Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|---|
Searching... | 30000010320891 | TK5105.59 F58 2012 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Security practitioners must be able to build cost-effective security programs while also complying with government regulations. Information Security Governance Simplified: From the Boardroom to the Keyboard lays out these regulations in simple terms and explains how to use control frameworks to build an air-tight information security (IS) program and governance structure.
Defining the leadership skills required by IS officers, the book examines the pros and cons of different reporting structures and highlights the various control frameworks available. It details the functions of the security department and considers the control areas, including physical, network, application, business continuity/disaster recover, and identity management.
Todd Fitzgerald explains how to establish a solid foundation for building your security program and shares time-tested insights about what works and what doesn't when building an IS program. Highlighting security considerations for managerial, technical, and operational controls, it provides helpful tips for selling your program to management. It also includes tools to help you create a workable IS charter and your own IS policies. Based on proven experience rather than theory, the book gives you the tools and real-world insight needed to secure your information while ensuring compliance with government regulations.
Author Notes
Todd Fitzgerald, CISSP, CISA, CISM, CIPM, CIPP/US, CIPP/E, CIPP/C, CGEIT, CRISC, PMP, ISO27000, and ITILv3 certified, is Managing Director and CISO of CISO Spotlight, LLC.
Todd has built and led multiple Fortune 500/large company information security programs for 20 years across multiple industries, named 2016-17 Chicago CISO of the Year by AITP, ISSA, ISACA, Infragard and SIM, ranked Top 50 Information Security Executive, and Information Security Executive (ISE) Award Finalist, and named Ponemon Institute Fellow. Fitzgerald coauthored with Micki Krause the first professional organization Chief Information Security Officer book, CISO Leadership: Essential Principles for Success (Auerbach, 2008). Todd also authored Information Security Governance Simplified: From the Boardroom to the Keyboard (Auerbach, 2012), and co-authored Certified Chief Information Security Officer Body of Knowledge (E-C Council, 2014), and has contributed to over a dozen others. Fitzgerald has participated in the development of materials for the Official (ISC)2 Guide to the CISSP CBK, Information Security Handbook Series, ISACA COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamentals.
Fitzgerald is a top-rated RSA Conference speaker and is frequently called upon to present at international, national and local conferences for Information Systems Audit and Control Association (ISACA), Information Systems security Association (ISSA), Management Information Systems Training Institute (MISTI), COSAC, Centers for Medicare and Medicaid Services, T.E.N., and others. Fitzgerald serves on the HIPAA Collaborative of Wisconsin Board of Directors (2002-present), Milwaukee Area Technical College Security Advisory Board, and University of Wisconsin-La Crosse College of Business Administration Board of Advisors.
Prior senior leadership includes SVP, CAO Information Security Northern Trust, Global CISO Grant Thornton International, Ltd, Global CISO ManpowerGroup, Medicare Security Officer/External Audit Oversight WellPoint (now Anthem) Blue Cross Blue Shield-National Government Services, CISO North & Latin America Zeneca/Syngenta and senior Information Technology leadership positions with IMS Health, and American Airlines. Todd earned a B.S. in Business Administration from the University of Wisconsin-La Crosse and Master Business Administration with highest honors from Oklahoma State University.
Table of Contents
Foreword | p. xvii |
Acknowledgments | p. xxi |
Introduction | p. xxiii |
About the Author | p. xxvii |
Chapter 1 Getting Information Security Right: Top to Bottom | p. 1 |
Information Security Governance | p. 2 |
Tone at the Top | p. 5 |
Tone at the Bottom | p. 5 |
Governance, Risk, and Compliance (GRC) | p. 6 |
The Compliance Dilemma | p. 7 |
Suggested Reading | p. 10 |
Chapter 2 Developing Information Security Strategy | p. 11 |
Evolution of Information Security | p. 15 |
Organization Historical Perspective | p. 16 |
Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt | p. 16 |
Understand the External Environment | p. 17 |
Regulatory | p. 17 |
Competition | p. 18 |
Emerging Threats | p. 19 |
Technology Cost Changes | p. 19 |
External Independent Research | p. 20 |
The Internal Company Culture | p. 20 |
Risk Appetite | p. 21 |
Speed | p. 22 |
Collaborative versus Authoritative | p. 22 |
Trust Level | p. 23 |
Growth Seeker or Cost Cutter | p. 24 |
Company Size | p. 25 |
Outsourcing Posture | p. 25 |
Prior Security Incidents, Audits | p. 26 |
Security Strategy Development Techniques | p. 28 |
Mind Mapping | p. 28 |
SWOT Analysis | p. 30 |
Balanced Scorecard | p. 32 |
Face-to-Face Interviews | p. 32 |
Security Planning | p. 34 |
Strategic | p. 34 |
Tactical | p. 35 |
Operational/Project Plans | p. 35 |
Suggested Reading | p. 36 |
Chapter 3 Defining the Security Management Organization | p. 37 |
History of the Security Leadership Role Is Relevant | p. 37 |
The New Security Officer Mandate | p. 40 |
Day 1: Hey, I Got the Job! | p. 41 |
Security Leader Titles | p. 42 |
Techie versus Leader | p. 43 |
The Security Leaders Library | p. 44 |
Security Leadership Defined | p. 45 |
Security Leader Soft Skills | p. 46 |
Seven Competencies for Effective Security Leadership | p. 46 |
Security Functions | p. 52 |
Learning from Leading Organizations | p. 52 |
Assess Risk and Determine Needs | p. 53 |
Implement Policies and Controls | p. 54 |
Promote Awareness | p. 56 |
Monitor and Evaluate | p. 56 |
Central Management | p. 56 |
What Functions Should the Security Officer Be Responsible For? | p. 57 |
Assessing Risk and Determining Needs Functions | p. 58 |
Risk Assessment/Analysis | p. 58 |
Systems Security Plan Development | p. 59 |
External Penetration Testing | p. 60 |
Implement Policies and Control Functions | p. 61 |
Security Policy Development | p. 61 |
Security Architecture | p. 61 |
Security Control Assessment | p. 62 |
Identity and Access Management | p. 62 |
Business Continuity and Disaster Recovery | p. 63 |
Promote Awareness Functions | p. 64 |
End User Security Awareness Training | p. 64 |
Intranet Site and Policy Publication | p. 65 |
Targeted Awareness | p. 65 |
Monitor and Evaluate Functions | p. 65 |
Security Baseline Configuration Review | p. 66 |
Logging and Monitoring | p. 67 |
Vulnerability Assessment | p. 67 |
Internet Monitoring/Management of Managed Services | p. 68 |
Incident Response | p. 68 |
Forensic Investigations | p. 69 |
Central Management Functions | p. 69 |
Reporting Model | p. 70 |
Business Relationships | p. 71 |
Reporting to the CEO | p. 71 |
Reporting to the Information Systems Department | p. 72 |
Reporting to Corporate Security | p. 72 |
Reporting to the Administrative Services Department | p. 73 |
Reporting to the Insurance and Risk Management Department | p. 73 |
Reporting to the Internal Audit Department | p. 74 |
Reporting to the Legal Department | p. 74 |
Determining the Best Fit | p. 75 |
Suggested Reading | p. 75 |
Chapter 4 Interacting with the C-Suite | p. 77 |
Communication between the CEO, CIO, Other Executives, and CISO | p. 78 |
13 "Lucky" Questions to Ask One Another | p. 80 |
The CEO, Ultimate Decision Maker | p. 81 |
The CEO Needs to Know Why | p. 87 |
The CIO, Where Technology Meets the Business | p. 87 |
CIO's Commitment to Security Is Important | p. 94 |
The Security Officer, Protecting the Business | p. 95 |
The CEO, CIO, and CISO Are Business Partners | p. 100 |
Building Grassroots Support through an Information Security Council | p. 101 |
Establishing the Security Council | p. 101 |
Oversight of Security Program | p. 103 |
Decide on Project Initiatives | p. 103 |
Prioritize Information Security Efforts | p. 103 |
Review and Recommend Security Policies | p. 103 |
Champion Organizational Security Efforts | p. 104 |
Recommend Areas Requiring Investment | p. 104 |
Appropriate Security Council Representation | p. 104 |
"-Inging" the Council: Forming, Storming, Norming, and Performing | p. 107 |
Forming | p. 107 |
Storming | p. 108 |
Norming | p. 108 |
Performing | p. 109 |
Integration with Other Committees | p. 109 |
Establish Early, Incremental Success | p. 111 |
Let Go of Perfectionism | p. 112 |
Sustaining the Security Council | p. 113 |
End User Awareness | p. 114 |
Security Council Commitment | p. 116 |
Suggested Reading | p. 117 |
Chapter 5 Managing Risk to an Acceptable Level | p. 119 |
Risk in Our Daily Lives | p. 120 |
Accepting Organizational Risk | p. 121 |
Just Another Set of Risks | p. 122 |
Management Owns the Risk Decision | p. 122 |
Qualitative versus Quantitative Risk Analysis | p. 123 |
Risk Management Process | p. 124 |
Risk Analysis Involvement | p. 124 |
Step 1: Categorize the System | p. 125 |
Step 2: Identify Potential Dangers (Threats) | p. 128 |
Human Threats | p. 128 |
Environmental/Physical Threats | p. 128 |
Technical Threats | p. 129 |
Step 3: Identify Vulnerabilities That Could Be Exploited | p. 129 |
Step 4: Identify Existing Controls | p. 130 |
Step 5: Determine Exploitation Likelihood Given Existing Controls | p. 131 |
Step 6: Determine Impact Severity | p. 132 |
Step 7: Determine Risk Level | p. 134 |
Step 8: Determine Additional Controls | p. 135 |
Risk Mitigation Options | p. 135 |
Risk Assumption | p. 135 |
Risk Avoidance | p. 136 |
Risk Limitation | p. 136 |
Risk Planning | p. 136 |
Risk Research | p. 136 |
Risk Transference | p. 137 |
Conclusion | p. 137 |
Suggested Reading | p. 137 |
Chapter 6 Creating Effective Information Security Policies | p. 139 |
Why Information Security Policies Are Important | p. 139 |
Avoiding Shelfware | p. 140 |
Electronic Policy Distribution | p. 141 |
Canned Security Policies | p. 142 |
Policies, Standards, Guidelines Definitions | p. 143 |
Policies Are Written at a High Level | p. 143 |
Policies | p. 145 |
Security Policy Best Practices | p. 145 |
Types of Security Policies | p. 147 |
Standards | p. 149 |
Procedures | p. 150 |
Baselines | p. 151 |
Guidelines | p. 152 |
Combination of Policies, Standards, Baselines, Procedures, and Guidelines | p. 153 |
Policy Analogy | p. 153 |
An Approach for Developing Information Security Policies | p. 154 |
Utilizing the Security Council for Policies | p. 155 |
The Policy Review Process | p. 156 |
Information Security Policy Process | p. 161 |
Suggested Reading | p. 161 |
Chapter 7 Security Compliance Using Control Frameworks | p. 163 |
Security Control Frameworks Defined | p. 163 |
Security Control Frameworks and Standards Examples | p. 164 |
Heath Insurance Portability and Accountability Act (HIPAA) | p. 164 |
Federal Information Security Management Act of2002 (FISMA) | p. 164 |
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) | p. 164 |
Federal Information System Controls Audit Manual (FISCAM) | p. 165 |
ISO/IEC 27001:2005 Information Security Management Systems-Requirements | p. 165 |
ISO/IEC 27002:2005 Information Technology-Security Techniques-Code of Practice for Information Security Management | p. 166 |
Control Objectives for Information and Related Technology (COBIT) | p. 167 |
Payment Card Industry Data Security Standard (PCI DSS) | p. 167 |
Information Technology Infrastructure Library (ITIL) | p. 168 |
Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides | p. 168 |
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook | p. 169 |
The World Operates on Standards | p. 169 |
Standards Are Dynamic | p. 171 |
The How Is Typically Left Up to Us | p. 171 |
Key Question: Why Does the Standard Exist? | p. 173 |
Compliance Is Not Security, But It Is a Good Start | p. 173 |
Integration of Standards and Control Frameworks | p. 174 |
Auditing Compliance | p. 175 |
Adoption Rate of Various Standards | p. 175 |
ISO 27001/2 Certification | p. 176 |
NIST Certification | p. 177 |
Control Framework Convergence | p. 177 |
The 11-Factor Compliance Assurance Manifesto | p. 178 |
The Standards/Framework Value Proposition | p. 183 |
Suggested Reading | p. 183 |
Chapter 8 Managerial Controls: Practical Security Considerations | p. 185 |
Security Control Convergence | p. 185 |
Security Control Methodology | p. 188 |
Security Assessment and Authorization Controls | p. 188 |
Planning Controls | p. 189 |
Risk Assessment Controls | p. 190 |
System and Services Acquisition Controls | p. 191 |
Program Management Controls | p. 193 |
Suggested Reading | p. 211 |
Chapter 9 Technical Controls: Practical Security Considerations | p. 213 |
Access Control Controls | p. 213 |
Audit and Accountability Controls | p. 214 |
Identification and Authentication | p. 215 |
System and Communications Protections | p. 215 |
Suggested Reading | p. 238 |
Chapter 10 Operational Controls: Practical Security Considerations | p. 239 |
Awareness and Training Controls | p. 239 |
Configuration Management Controls | p. 240 |
Contingency Planning Controls | p. 240 |
Incident Response Controls | p. 241 |
Maintenance Controls | p. 241 |
Media Protection Controls | p. 242 |
Physical and Environmental Protection Controls | p. 243 |
Personnel Security Controls | p. 244 |
System and Information Integrity Controls | p. 245 |
Suggested Reading | p. 276 |
Chapter 11 The Auditors Have Arrived, Now What? | p. 277 |
Anatomy of an Audit | p. 278 |
Audit Planning Phase | p. 279 |
Preparation of Document Request List | p. 280 |
Gather Audit Artifacts | p. 284 |
Provide Information to Auditors | p. 285 |
On-Site Arrival Phase | p. 287 |
Internet Access | p. 287 |
Reserve Conference Rooms | p. 288 |
Physical Access | p. 289 |
Conference Phones | p. 290 |
Schedule Entrance, Exit, Status Meetings | p. 290 |
Set Up Interviews | p. 291 |
Audit Execution Phase | p. 292 |
Additional Audit Meetings | p. 293 |
Establish Auditor Communication Protocol | p. 293 |
Establish Internal Company Protocol | p. 294 |
Media Handling | p. 296 |
Audit Coordinator Quality Review | p. 298 |
The Interview Itself | p. 298 |
Entrance, Exit, and Status Conferences | p. 299 |
Entrance Meeting | p. 299 |
Exit Meeting | p. 301 |
Status Meetings | p. 301 |
Report Issuance and Finding Remediation Phase | p. 302 |
Suggested Reading | p. 304 |
Chapter 12 Effective Security Communications | p. 305 |
Why a Chapter Dedicated to Security Communications? | p. 305 |
End User Security Awareness Training | p. 306 |
Awareness Definition | p. 307 |
Delivering the Message | p. 308 |
Step 1: Security Awareness Needs Assessment | p. 308 |
New or Changed Policies | p. 308 |
Past Security Incidents | p. 309 |
Systems Security Plans | p. 309 |
Audit Findings and Recommendations | p. 309 |
Event Analysis | p. 310 |
Industry Trends | p. 310 |
Management Concerns | p. 310 |
Organizational Changes | p. 311 |
Step 2: Program Design | p. 311 |
Target Audience | p. 311 |
Frequency of Sessions | p. 311 |
Number of Users | p. 312 |
Method of Delivery | p. 312 |
Resources Required | p. 312 |
Step 3: Develop Scope | p. 312 |
Determine Participants Needing Training | p. 312 |
Business Units | p. 313 |
Select Theme | p. 313 |
Step 4: Content Development | p. 314 |
Step 5: Communication and Logistics Plan | p. 315 |
Step 6: Awareness Delivery | p. 316 |
Step 7: Evaluation/Feedback Loops | p. 317 |
Security Awareness Training Does Not Have to Be Boring | p. 317 |
Targeted Security Training | p. 317 |
Continuous Security Reminders | p. 319 |
Utilize Multiple Security Awareness Vehicles | p. 319 |
Security Officer Communication Skills | p. 320 |
Talking versus Listening | p. 320 |
Roadblocks to Effective Listening | p. 321 |
Generating a Clear Message | p. 323 |
Influencing and Negotiating Skills | p. 323 |
Written Communication Skills | p. 324 |
Presentation Skills | p. 325 |
Applying Personality Type to Security Communications | p. 326 |
The Four Myers-Briggs Type Indicator (MBTI) Preference Scales | p. 326 |
Extraversion versus Introversion Scale | p. 327 |
Sensing versus Intuition Scale | p. 327 |
Thinking versus Feeling Scale | p. 328 |
Judging versus Perceiving Scale | p. 328 |
Determining Individual MBTI Personality | p. 329 |
Summing Up the MBTI for Security | p. 334 |
Suggested Reading | p. 334 |
Chapter 13 The Law and Information Security | p. 337 |
Civil Law versus Criminal Law | p. 339 |
Electronic Communications Privacy Act of 1986 (ECPA) | p. 340 |
The Computer Security Act of 1987 | p. 341 |
The Privacy Act of 1974 | p. 342 |
Sarbanes-Oxley Act of 2002 (SOX) | p. 342 |
Gramm-Leach-Bliley Act (GLBA) | p. 344 |
Health Insurance Portability and Accountability Act of 1996 | p. 345 |
Health Information Technology for Economic and Clinical Health (HITECH) Act | p. 348 |
Federal Information Security Management Act of 2002 (FISMA) | p. 348 |
Summary | p. 350 |
Suggested Reading | p. 350 |
Chapter 14 Learning from Information Security Incidents | p. 353 |
Recent Security Incidents | p. 355 |
Texas State Comptroller | p. 355 |
Sony PlayStation Network | p. 356 |
Student Loan Social Security Numbers Stolen | p. 358 |
Social Security Numbers Printed on Outside of Envelopes | p. 359 |
Valid E-Mail Addresses Exposed | p. 360 |
Office Copier Hard Disk Contained Confidential Information | p. 362 |
Advanced Persistent Threat Targets Security Token | p. 362 |
Who Will Be Next? | p. 364 |
Every Control Could Result in an Incident | p. 365 |
Suggested Reading | p. 366 |
Chapter 15 17 Ways to Dismantle Information Security Governance Efforts | p. 369 |
Final Thoughts | p. 379 |
Suggested Reading | p. 381 |
Index | p. 383 |