Tables of Contents for Management of Information Security
| Chapter/Section Title | Page # | Page Count |
|---|---|---|
| Preface | xv | |
| Section I--Introduction | | |
| Introduction to the Management of Information Security | 1 | 24 |
| Introduction | 2 | 1 |
| What Is Security? | 3 | 7 |
| NSTISSC Security Model | 5 | 1 |
| Key Concepts of Information Security | 6 | 4 |
| What Is Management? | 10 | 9 |
| The Difference Between Leadership and Management | 11 | 1 |
| Characteristics of a Leader | 11 | 1 |
| Characteristics of Management | 12 | 4 |
| Solving Problems | 16 | 3 |
| Principles of Information Security Management | 19 | 2 |
| Chapter Summary | 21 | 1 |
| Review Questions | 22 | 1 |
| Exercises | 23 | 1 |
| Case Exercises | 23 | 2 |
| Section II--Planning | | |
| Planning for Security | 25 | 38 |
| Introduction | 26 | 2 |
| Components of Organizational Planning | 28 | 9 |
| Mission | 28 | 1 |
| Vision | 29 | 1 |
| Values | 30 | 1 |
| Strategy | 31 | 3 |
| Planning and the CISO | 34 | 3 |
| Planning for Information Security Implementation | 37 | 22 |
| Introduction to the Systems Development Life Cycle | 39 | 3 |
| The Security Systems Development Life Cycle (SecSDLC) | 42 | 14 |
| Comparing the SDLC and the SecSDLC | 56 | 3 |
| Chapter Summary | 59 | 1 |
| Review Questions | 60 | 1 |
| Exercises | 61 | 1 |
| Case Exercises | 61 | 2 |
| Planning for Contingencies | 63 | 42 |
| Introduction | 64 | 1 |
| What Is Contingency Planning? | 65 | 2 |
| Components of Contingency Planning | 67 | 19 |
| Incident Response Plan | 67 | 9 |
| Disaster Recovery | 76 | 6 |
| Business Continuity Planning | 82 | 2 |
| Timing and Sequence of CP Elements | 84 | 2 |
| Putting a Contingency Plan Together | 86 | 9 |
| Business Impact Analysis | 87 | 3 |
| Combining the DRP and the BCP | 90 | 5 |
| Testing Contingency Plans | 95 | 3 |
| Desk Check | 95 | 1 |
| Structured Walk-Through | 95 | 1 |
| Simulation | 95 | 1 |
| Parallel Testing | 96 | 1 |
| Full Interruption | 96 | 2 |
| A Single Continuity Plan | 98 | 1 |
| Chapter Summary | 99 | 2 |
| Review Questions | 101 | 1 |
| Exercises | 101 | 1 |
| Case Exercises | 102 | 3 |
| Section III--Policy and Programs | | |
| Information Security Policy | 105 | 50 |
| Introduction | 106 | 1 |
| Why Policy? | 107 | 3 |
| Policy, Standards, and Practices | 108 | 2 |
| Enterprise Information Security Policy | 110 | 6 |
| Integrating an Organization's Mission and Objectives into the EISP | 110 | 1 |
| EISP Elements | 110 | 2 |
| Example EISP | 112 | 4 |
| Issue-Specific Security Policy | 116 | 5 |
| Components of the ISSP | 117 | 2 |
| Implementing the ISSP | 119 | 2 |
| System-Specific Policy | 121 | 5 |
| Management Guidance SysSPs | 121 | 1 |
| Technical Specifications SysSPs | 122 | 4 |
| Combination SysSPs | 126 | 1 |
| Guidelines for Policy Development | 126 | 25 |
| The Policy Project | 127 | 4 |
| Automated Tools | 131 | 1 |
| The Information Security Policy Made Easy Approach | 132 | 15 |
| SP 800-18: Guide for Developing Security Plans for Information Technology Systems Policy Management | 147 | 1 |
| A Final Note on Policy | 148 | 3 |
| Chapter Summary | 151 | 1 |
| Review Questions | 152 | 1 |
| Exercises | 152 | 1 |
| Case Exercises | 153 | 2 |
| Developing the Security Program | 155 | 54 |
| Introduction | 156 | 1 |
| Organizing for Security | 156 | 10 |
| Security in Large Organizations | 160 | 3 |
| Security in Medium-Sized Organizations | 163 | 1 |
| Security in Small Organizations | 163 | 3 |
| Placing Information Security Within an Organization | 166 | 14 |
| Option 1: Information Technology | 168 | 1 |
| Option 2: Security | 169 | 2 |
| Option 3: Administrative Services | 171 | 1 |
| Option 4: Insurance and Risk Management | 172 | 1 |
| Option 5: Strategy and Planning | 173 | 2 |
| Option 6: Legal | 175 | 1 |
| Option 7: Internal Audit | 176 | 1 |
| Option 8: Help Desk | 177 | 1 |
| Option 9: Accounting and Finance Through IT | 178 | 1 |
| Option 10: Human Resources | 179 | 1 |
| Option 11: Facilities Management | 179 | 1 |
| Option 12: Operations | 179 | 1 |
| Summary of Reporting Relationships | 179 | 1 |
| Components of the Security Program | 180 | 1 |
| Information Security Roles and Titles | 181 | 3 |
| Chief Information Security Officer | 182 | 1 |
| Security Managers | 182 | 1 |
| Security Administrators and Analysts | 183 | 1 |
| Security Technicians | 183 | 1 |
| Security Staffers | 184 | 1 |
| Security Consultants | 184 | 1 |
| Security Officers and Investigators | 184 | 1 |
| Help Desk Personnel | 184 | 1 |
| Implementing Security Education, Training, and Awareness Programs | 184 | 20 |
| Security Education | 186 | 3 |
| Security Training | 189 | 2 |
| Training Techniques | 191 | 4 |
| Security Awareness | 195 | 9 |
| Chapter Summary | 204 | 1 |
| Review Questions | 205 | 1 |
| Exercises | 206 | 1 |
| Case Exercises | 206 | 3 |
| Security Management Models and Practices | 209 | 40 |
| Introduction | 210 | 1 |
| Security Management Models | 211 | 20 |
| BS 7799 Part 1 (ISO 17799:2002 Standard): Code of Practice for Information Security Management | 211 | 3 |
| BS 7799 Part 2: The Information Security Management System | 214 | 2 |
| The Security Management Index and ISO 17799 | 216 | 1 |
| RFC 2196 Site Security Handbook | 217 | 1 |
| NIST Security Models | 218 | 11 |
| A Hybrid Security Management Model | 229 | 2 |
| Security Management Practices | 231 | 8 |
| Standards of Due Care/Due Diligence | 231 | 1 |
| Best Security Practices | 231 | 4 |
| The Gold Standard | 235 | 1 |
| Selecting Best Practices | 235 | 1 |
| Benchmarking and Best Practices Limitations | 236 | 1 |
| Baselining | 237 | 2 |
| Emerging Trends in Certification and Accreditation | 239 | 5 |
| SP 800-37: Guidelines for the Security Certification and Accreditation of Federal IT Systems | 239 | 2 |
| SP 800-53: Minimum Security Controls for Federal IT Systems | 241 | 3 |
| Chapter Summary | 244 | 1 |
| Review Questions | 245 | 1 |
| Exercises | 246 | 1 |
| Case Exercises | 246 | 3 |
| Appendix A: NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, and the Human Firewall Council's Security Management Index Survey | 249 | 274 |
| NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems | 250 | 28 |
| Utilizing the Completed Questionnaire | 250 | 1 |
| Questionnaire Analysis | 251 | 1 |
| Questionnaire Cover Sheet | 251 | 1 |
| The Self-Assessment Guide Questions | 252 | 26 |
| Human Firewall Council's Security Management Index Survey | 278 | 7 |
| Security Management Index Scoring Methodology | 278 | 1 |
| Questionnaire | 279 | 1 |
| Security Policy | 279 | 1 |
| Organizational Security | 279 | 1 |
| Asset Classification & Control | 280 | 1 |
| Personnel Security | 280 | 1 |
| Physical and Environmental Security | 281 | 1 |
| Communications & Operations Management | 281 | 1 |
| Access Control | 282 | 1 |
| Systems Development and Maintenance | 283 | 1 |
| Business Continuity Management | 284 | 1 |
| Compliance | 284 | 1 |
| Section IV--Protection | | |
| Risk Management: Identifying and Assessing Risk | 285 | 34 |
| Introduction | 286 | 1 |
| Risk Management | 287 | 3 |
| Knowing Ourselves | 287 | 1 |
| Knowing the Enemy | 287 | 1 |
| Accountability for Risk Management | 288 | 2 |
| Risk Identification | 290 | 18 |
| Creating an Inventory of Information Assets | 290 | 4 |
| Classifying and Categorizing Assets | 294 | 1 |
| Assessing Values for Information Assets | 295 | 2 |
| Listing Assets in Order of Importance | 297 | 1 |
| Data Classification Model | 297 | 2 |
| Security Clearances | 299 | 1 |
| Management of the Classified Information Asset | 299 | 2 |
| Threat Identification | 301 | 7 |
| Risk Assessment | 308 | 4 |
| Introduction to Risk Assessment | 308 | 1 |
| Likelihood | 309 | 1 |
| Assessing Potential Loss | 309 | 1 |
| Percentage of Risk Mitigated by Current Controls | 310 | 1 |
| Uncertainty | 310 | 1 |
| Risk Determination | 310 | 1 |
| Identify Possible Controls | 310 | 1 |
| Access Controls | 311 | 1 |
| Documenting the Results of Risk Assessment | 312 | 2 |
| Chapter Summary | 314 | 1 |
| Review Questions | 315 | 1 |
| Exercises | 316 | 1 |
| Case Exercises | 317 | 2 |
| Risk Management: Assessing and Controlling Risk | 319 | 42 |
| Introduction | 320 | 1 |
| Risk Control Strategies | 321 | 5 |
| Avoidance | 321 | 3 |
| Transference | 324 | 1 |
| Mitigation | 324 | 1 |
| Acceptance | 325 | 1 |
| Risk Control Strategy Selection | 326 | 2 |
| Evaluation, Assessment, and Maintenance of Risk Controls | 327 | 1 |
| Categories of Controls | 328 | 3 |
| Control Function | 328 | 1 |
| Architectural Layer | 329 | 1 |
| Strategy Layer | 329 | 1 |
| Information Security Principle | 329 | 2 |
| Feasibility Studies and Cost-Benefit Analysis | 331 | 9 |
| Cost-Benefit Analysis | 332 | 5 |
| Other Feasibility Studies | 337 | 2 |
| Alternatives to Feasibility | 339 | 1 |
| Risk Management Discussion Points | 340 | 3 |
| Risk Appetite | 340 | 1 |
| Residual Risk | 340 | 1 |
| Documenting Results | 341 | 2 |
| Recommended Risk Control Practices | 343 | 2 |
| Qualitative Measures | 344 | 1 |
| Delphi Technique | 344 | 1 |
| A Single-Source Approach to Risk Management | 344 | 1 |
| The OCTAVE Method | 345 | 11 |
| Important Aspects of the OCTAVE Method | 345 | 2 |
| Phases, Processes, and Activities | 347 | 1 |
| Preparing for the OCTAVE Method | 347 | 2 |
| Phase 1: Build Asset-Based Threat Profiles | 349 | 3 |
| Phase 2: Identify Infrastructure Vulnerabilities | 352 | 2 |
| Phase 3: Develop Security Strategy and Plans | 354 | 2 |
| Chapter Summary | 356 | 1 |
| Review Questions | 357 | 1 |
| Exercises | 358 | 1 |
| Case Exercises | 359 | 2 |
| Protection Mechanisms | 361 | 52 |
| Introduction | 362 | 2 |
| Access Controls | 364 | 11 |
| Authentication | 364 | 7 |
| Authorization | 371 | 1 |
| Evaluating Biometrics | 372 | 1 |
| Acceptability of Biometrics | 372 | 1 |
| Managing Access Controls | 373 | 2 |
| Firewalls | 375 | 10 |
| The Development of Firewalls | 375 | 3 |
| Firewall Architectures | 378 | 3 |
| Selecting the Right Firewall | 381 | 1 |
| Managing Firewalls | 381 | 4 |
| Dial-Up Protection | 385 | 2 |
| RADIUS and TACACS | 385 | 1 |
| Managing Dial-Up Connections | 386 | 1 |
| Intrusion Detection Systems | 387 | 8 |
| Host-Based IDS | 388 | 1 |
| Network-Based IDS | 389 | 1 |
| Signature-Based IDS | 389 | 1 |
| Statistical Anomaly-Based IDS | 389 | 1 |
| Managing Intrusion Detection Systems | 390 | 1 |
| Scanning and Analysis Tools | 390 | 1 |
| Port Scanners | 391 | 1 |
| Vulnerability Scanners | 392 | 1 |
| Packet Sniffers | 393 | 1 |
| Content Filters | 393 | 1 |
| Trap and Trace | 393 | 1 |
| Managing Scanning and Analysis Tools | 394 | 1 |
| Cryptography | 395 | 14 |
| Encryption Definitions | 395 | 1 |
| Encryption Operations | 396 | 7 |
| Using Cryptographic Controls | 403 | 3 |
| Managing Cryptographic Controls | 406 | 3 |
| Chapter Summary | 409 | 1 |
| Review Questions | 410 | 1 |
| Exercises | 410 | 1 |
| Case Exercises | 411 | 2 |
| Section V--People and Projects | | |
| Personnel and Security | 413 | 38 |
| Introduction | 414 | 1 |
| Staffing the Security Function | 415 | 12 |
| Qualifications and Requirements | 415 | 1 |
| Entering the Information Security Profession | 416 | 1 |
| Information Security Positions | 417 | 10 |
| Information Security Professional Credentials | 427 | 9 |
| Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) | 427 | 1 |
| Global Information Assurance Certification (GIAC) | 428 | 1 |
| Security Certified Program (SCP) | 429 | 1 |
| TruSecure ICSA Certified Security Associate (TICSA) | 430 | 1 |
| Security+ | 431 | 1 |
| Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) | 432 | 1 |
| Certified Information Forensics Investigator (CIFI) | 433 | 1 |
| Certification Costs | 433 | 3 |
| Employment Policies and Practices | 436 | 11 |
| Hiring | 436 | 2 |
| Contracts and Employment | 438 | 1 |
| Security as Part of Performance Evaluation | 438 | 1 |
| Termination Issues | 438 | 2 |
| Personnel Security Practices | 440 | 1 |
| Security of Personnel and Personal Data | 441 | 1 |
| Security Considerations for Nonemployees | 441 | 6 |
| Chapter Summary | 447 | 1 |
| Review Questions | 448 | 1 |
| Exercises | 449 | 1 |
| Case Exercises | 449 | 2 |
| Law and Ethics | 451 | 36 |
| Introduction | 452 | 1 |
| Law and Ethics in Information Security | 453 | 1 |
| The Legal Environment | 453 | 16 |
| Types of Law | 453 | 1 |
| Relevant U.S. Laws | 453 | 11 |
| International Laws and Legal Bodies | 464 | 1 |
| State and Local Regulations | 465 | 3 |
| Policy versus Law | 468 | 1 |
| Ethical Concepts in Information Security | 469 | 1 |
| Differences in Ethical Concepts | 470 | 6 |
| Ethics and Education | 473 | 1 |
| Deterring Unethical and Illegal Behavior | 473 | 3 |
| Certifications and Professional Organizations | 476 | 6 |
| Association for Computing Machinery (ACM) | 476 | 1 |
| International Information Systems Security Certification Consortium, Inc. (ISC)2 | 477 | 1 |
| System Administration, Networking, and Security Institute (SANS) | 477 | 1 |
| Information Systems Audit and Control Association (ISACA) | 478 | 1 |
| Computer Security Institute (CSI) | 478 | 1 |
| Information Systems Security Association | 478 | 1 |
| Other Security Organizations | 478 | 2 |
| Key U.S. Federal Agencies | 480 | 2 |
| Organizational Liability and the Need for Counsel | 482 | 1 |
| Chapter Summary | 483 | 1 |
| Review Questions | 483 | 1 |
| Exercises | 484 | 1 |
| Case Exercises | 484 | 3 |
| Information Security Project Management | 487 | 36 |
| Introduction | 488 | 2 |
| Project Management | 490 | 1 |
| Applying Project Management to Security | 491 | 18 |
| PMBoK Knowledge Areas | 491 | 8 |
| Additional Project Planning Considerations | 499 | 3 |
| Controlling the Project | 502 | 2 |
| Conversion Strategies | 504 | 1 |
| To Outsource or Not | 504 | 1 |
| Dealing With Change | 505 | 2 |
| Considerations for Organizational Change | 507 | 2 |
| Project Management Tools | 509 | 10 |
| Work Breakdown Structure | 510 | 4 |
| Task-Sequencing Approaches | 514 | 4 |
| Automated Project Tools | 518 | 1 |
| Chapter Summary | 519 | 1 |
| Review Questions | 519 | 1 |
| Exercises | 520 | 1 |
| Case Exercises | 521 | 2 |
| Glossary | 523 | 12 |
| Index | 535 | |