
E-book: Information Security: Design, Implementation, Measurement, and Compliance [Taylor & Francis e-book]

(Grover, Missouri, USA)
  • Format: 260 pages, 16 Tables, black and white; 3 Illustrations, black and white
  • Publication date: 20-Jul-2006
  • Publisher: Auerbach
  • ISBN-13: 9780429119149
  • Taylor & Francis e-book
  • Price: 184,65 €*
  • * this price gives unlimited concurrent access for unlimited time
  • List price: 263,78 €
  • You save 30%
Organizations rely on digital information today more than ever before. Unfortunately, that information is equally sought after by criminals. New security standards and regulations are being implemented to deal with these threats, but they are very broad and organizations require focused guidance to adapt the guidelines to their specific needs.

Fortunately, Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives.

Tim Layton's Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context.
Table of Contents (starting page, with the entry's page count in parentheses)

SECTION I Evaluating and Measuring an Information Security Program
Information Security Risk Assessment Model (ISRAM™)  3(14)
Background  3(1)
Linkage  3(1)
Risk Assessment Types  4(1)
Relationship to Other Models and Standards  5(2)
Terminology  7(1)
Risk Assessment Relationship  8(1)
Information Security Risk Assessment Model (ISRAM)  9(7)
Scope and Type of Assessment  10(1)
Assessment Types  11(2)
Threats  13(1)
Vulnerabilities  13(1)
Control Level of Effectiveness  14(1)
Likelihood  14(1)
Impact  14(1)
Risk Level  14(1)
Recommendations  15(1)
Analysis and Final Report  15(1)
References  16(1)
Global Information Security Assessment Methodology (GISAM™)  17(32)
GISAM and ISRAM Relationship  18(1)
GISAM Design Criteria  19(2)
Information Security Professional  20(1)
Information Security Professional Criteria  20(1)
Management  20(1)
Management Criteria  20(1)
General Assessment Types  21(2)
Quantitative  22(1)
Qualitative  23(1)
GISAM Components  23(25)
Threats  23(4)
Threat Ranking  27(2)
Vulnerabilities  29(1)
Controls  29(1)
Key Risk Indicator (KRI) Controls  30(2)
Control Assessment Scale  32(1)
Likelihood  33(3)
Impact  36(1)
Rating Rationale  37(2)
Control Risk Level  39(1)
Network Security Architecture Evaluation  40(1)
Example Network Security Architecture Criteria List  41(2)
Overall Risk Rating  43(3)
Weighting  46(1)
Recommendations  46(1)
Reporting  47(1)
References  48(1)
Developing an Information Security Evaluation (ISE™) Process  49(6)
The Culmination of ISRAM and GISAM  49(1)
Business Process  50(5)
Step 1: Documentation  50(1)
Step 2: Documentation Review  51(1)
Step 3: Negotiate Meeting Agenda  51(1)
Step 4: Perform GISAM  52(1)
Step 5: Analysis and Findings  53(1)
Step 6: Peer Review  53(1)
Step 7: Submit GISAM Final Report  53(1)
Step 8: Remediation  54(1)
A Security Baseline  55(16)
KRI Security Baseline Controls  55(1)
Security Baseline  56(1)
Information Security Policy Document  57(1)
Management Commitment to Information Security  58(1)
Allocation of Information Security Responsibilities  59(1)
Independent Review of Information Security  60(1)
Identification of Risks Related to External Parties  60(1)
Inventory of Assets  60(1)
Classification Guidelines  61(1)
Screening  61(1)
Information Security Awareness, Education, and Training  62(1)
Removal of Access Rights  62(1)
Physical Security Perimeter  62(1)
Protecting against External and Environmental Threats  63(1)
Secure Disposal or Reuse of Equipment  63(1)
Documented Operating Procedures  63(1)
Change Management  64(1)
Segregation of Duties  64(1)
System Acceptance  64(1)
Controls against Malicious Code  64(1)
Management of Removable Media  65(1)
Information Handling Procedures  65(1)
Physical Media in Transit  65(1)
Electronic Commerce  65(1)
Access Control Policy  66(1)
User Registration  66(1)
Segregation in Networks  66(1)
Teleworking  66(1)
Security Requirements Analysis and Specification  67(1)
Policy on the Use of Cryptographic Controls  67(1)
Protection of System Test Data  67(1)
Control of Technical Vulnerabilities  68(1)
Reporting Information Security Events  68(1)
Including Information Security in the Business Continuity Process  68(1)
Identification of Applicable Legislation  69(1)
Data Protection and Privacy of Personal Information  69(1)
Technical Compliance Checking  69(1)
References  69(2)
Background of the ISO/IEC 17799 Standard  71(6)
History of the Standard  71(1)
Internals of the Standard  72(1)
Guidance for Use  72(1)
High-Level Objectives  73(2)
Security Policy  73(1)
Organization of Information Security  73(1)
Asset Management  73(1)
Human Resources Security  73(1)
Physical and Environmental Security  74(1)
Communications and Operations Management  74(1)
Access Control  74(1)
Information Systems Acquisition, Development, and Maintenance  74(1)
Information Security Incident Management  75(1)
Business Continuity Management  75(1)
Compliance  75(1)
ISO/IEC Defined  75(1)
References  76(1)
ISO/IEC 17799:2005 Gap Analysis  77(40)
Overview  77(2)
Guidance for Use  79(1)
General Changes  79(4)
Terminology  79(1)
New Sections/Clauses  79(1)
New Control Area: Risk Assessment  79(1)
Control Layout and Format  80(1)
The Numbers  80(1)
Main Clause Differences  81(1)
New Control Objectives  82(1)
Security Policy  83(2)
Information Security Policy  84(1)
Information security policy document  84(1)
Review of the information security policy  84(1)
Organization of Information Security  85(3)
Internal Organization  85(1)
Management commitment to information security  85(1)
Information security coordination  85(1)
Allocation of information security responsibilities  85(1)
Authorization process for information processing facilities  86(1)
Confidentiality agreements  86(1)
Contact with authorities  86(1)
Contact with special interest groups  86(1)
Independent review of information security  87(1)
External Parties  87(1)
Identification of risks related to external parties  87(1)
Addressing security when dealing with customers  87(1)
Addressing security in third-party agreements  87(1)
Asset Management  88(1)
Responsibility for Assets  88(1)
Inventory of assets  88(1)
Ownership of assets  88(1)
Acceptable use of assets  88(1)
Information Classification  89(1)
Classification guidelines  89(1)
Information labeling and handling  89(1)
Human Resources Security  89(3)
Prior to Employment  89(1)
Roles and responsibilities  90(1)
Screening  90(1)
Terms and conditions of employment  90(1)
During Employment  90(1)
Management responsibilities  90(1)
Information security awareness, education, and training  91(1)
Disciplinary process  91(1)
Termination or Change of Employment  91(1)
Termination responsibilities  91(1)
Return of assets  91(1)
Removal of access rights  91(1)
Physical and Environmental Security  92(2)
Secure Areas  92(1)
Physical security perimeter  92(1)
Physical entry controls  92(1)
Securing offices, rooms, and facilities  93(1)
Protecting against external and environmental threats  93(1)
Working in secure areas  93(1)
Public access, delivery, and loading areas  93(1)
Equipment Security  93(1)
Equipment siting and protection  93(1)
Supporting utilities  94(1)
Cabling security  94(1)
Equipment maintenance  94(1)
Security of equipment off-premises  94(1)
Secure disposal or reuse of equipment  94(1)
Removal of property  94(1)
Communications and Operations Management  94(7)
Operational Procedures and Responsibilities  95(1)
Documented operating procedures  95(1)
Change management  95(1)
Segregation of duties  95(1)
Separation of development, test, and operational facilities  95(1)
Third-Party Service Delivery Management  96(1)
Service delivery  96(1)
Monitoring and review of third-party services  96(1)
Managing changes to third-party services  96(1)
System Planning and Acceptance  96(1)
Capacity management  96(1)
System acceptance  96(1)
Protection Against Malicious and Mobile Code  97(1)
Controls against malicious code  97(1)
Controls against mobile code  97(1)
Backup  97(1)
Information backup  97(1)
Network Security Management  97(1)
Network controls  98(1)
Security of network services  98(1)
Media Handling  98(1)
Management of removable computer media  98(1)
Disposal of media  98(1)
Information handling procedures  98(1)
Security of system documentation  98(1)
Exchange of Information  98(1)
Information exchange policies and procedures  99(1)
Exchange agreements  99(1)
Physical media in transit  99(1)
Electronic messaging  99(1)
Business information systems  99(1)
Electronic Commerce Services  99(1)
Electronic commerce  100(1)
Online transactions  100(1)
Publicly available systems  100(1)
Monitoring  100(1)
Audit logging  100(1)
Monitoring system use  100(1)
Protection of log information  100(1)
Administrator and operator logs  101(1)
Fault logging  101(1)
Clock synchronization  101(1)
Access Control  101(4)
Business Requirements for Access Control  101(1)
Access control policy  101(1)
User Access Management  101(1)
User registration  102(1)
Privilege management  102(1)
User password management  102(1)
Review of user access rights  102(1)
User Responsibilities  102(1)
Password use  102(1)
Unattended user equipment  102(1)
Network Access Control  103(1)
Policy on use of network services  103(1)
User authentication for external connections  103(1)
Equipment identification in the network  103(1)
Remote diagnostic port and configuration protection  103(1)
Segregation in networks  103(1)
Network connection control  103(1)
Network routing control  103(1)
Operating System Access Control  104(1)
Secure log-on procedures  104(1)
User identification and authentication  104(1)
Password management system  104(1)
Use of system utilities  104(1)
Session time-out  104(1)
Limitation of connection time  104(1)
Application and Information Access Control  105(1)
Information access restriction  105(1)
Sensitive system isolation  105(1)
Mobile Computing and Teleworking  105(1)
Mobile computing and communications  105(1)
Teleworking  105(1)
Information Systems Acquisition, Development, and Maintenance  105(4)
Security Requirements of Information Systems  106(1)
Security requirements analysis and specification  106(1)
Correct Processing in Applications  106(1)
Input data validation  106(1)
Control of internal processing  106(1)
Message integrity  106(1)
Output data validation  106(1)
Cryptographic Controls  106(1)
Policy on the use of cryptographic controls  107(1)
Key management  107(1)
Security of System Files  107(1)
Control of operational software  107(1)
Protection of system test data  107(1)
Access control to program source code  107(1)
Security in Development and Support Processes  107(1)
Change control procedures  108(1)
Technical review of applications after operating system changes  108(1)
Restrictions on changes to software packages  108(1)
Information leakage  108(1)
Outsourced software development  108(1)
Technical Vulnerability Management  108(1)
Control of technical vulnerabilities  108(1)
Information Security Incident Management  109(1)
Reporting Information Security Events and Weaknesses  109(1)
Reporting information security events  109(1)
Reporting security weaknesses  109(1)
Management of Information Security Incidents and Improvements  109(1)
Responsibilities and procedures  109(1)
Learning from information security incidents  110(1)
Collection of evidence  110(1)
Business Continuity Management  110(1)
Information Security Aspects of Business Continuity Management  110(1)
Including information security in the business continuity management process  110(1)
Business continuity and risk assessment  110(1)
Developing and implementing continuity plans including information security  111(1)
Business continuity planning framework  111(1)
Testing, maintaining, and reassessing business continuity plans  111(1)
Compliance  111(2)
Compliance with Legal Requirements  111(1)
Identification of applicable legislation  111(1)
Intellectual property rights (IPR)  111(1)
Protection of organizational records  112(1)
Data protection and privacy of personal information  112(1)
Prevention of misuse of information processing facilities  112(1)
Regulation of cryptographic controls  112(1)
Compliance with Security Policies and Standards and Technical Compliance  112(1)
Compliance with security policy and standards  112(1)
Technical compliance checking  112(1)
Information Systems Audit Considerations  113(1)
Information systems audit controls  113(1)
Protection of information systems audit tools  113(1)
References  113(4)

SECTION II Analysis of ISO/IEC 17799:2005 (27002) Controls
Security Policy  117(8)
Information Security Policy  118(4)
Information security policy document  119(2)
Review of the information security policy  121(1)
Summary  122(1)
References  123(2)
Organization of Information Security  125(8)
Internal Organization  126(4)
Management commitment to information security  126(1)
Information security coordination  127(1)
Allocation of information security responsibilities  127(1)
Authorization process for information processing facilities  128(1)
Confidentiality agreements  128(1)
Contact with authorities  129(1)
Contact with special interest groups  129(1)
Independent review of information security  130(1)
External Parties  130(2)
Identification of risks related to external parties  130(1)
Addressing security when dealing with customers  131(1)
Addressing security in third-party agreements  131(1)
Summary  132(1)
References  132(1)
Asset Management  133(6)
Responsibility for Assets  133(2)
Inventory of assets  133(1)
Ownership of assets  134(1)
Acceptable use of assets  134(1)
Information Classification  135(2)
Classification guidelines  135(1)
Information labeling and handling  136(1)
Summary  137(1)
References  137(2)
Human Resources Security  139(8)
Prior to Employment  139(2)
Roles and responsibilities  139(1)
Screening  140(1)
Terms and conditions of employment  141(1)
During Employment  141(3)
Management responsibilities  142(1)
Information security awareness, education, and training  142(1)
Disciplinary process  143(1)
Termination or Change of Employment  144(1)
Termination responsibilities  144(1)
Return of assets  144(1)
Removal of access rights  145(1)
Summary  145(1)
References  146(1)
Physical and Environmental Security  147(8)
Secure Areas  147(3)
Physical security perimeter  147(1)
Physical entry controls  148(1)
Securing offices, rooms, and facilities  148(1)
Protecting against external and environmental threats  148(1)
Working in secure areas  149(1)
Public access, delivery, and loading areas  149(1)
Equipment Security  150(3)
Equipment siting and protection  150(1)
Supporting utilities  150(1)
Cabling security  151(1)
Equipment maintenance  151(1)
Security of equipment off-premises  152(1)
Secure disposal or reuse of equipment  152(1)
Removal of property  153(1)
Summary  153(1)
References  154(1)
Communications and Operations Management  155(18)
Operational Procedures and Responsibilities  155(2)
Documented operating procedures  155(1)
Change management  156(1)
Segregation of duties  156(1)
Separation of development, test, and operational facilities  157(1)
Third-Party Service Delivery Management  157(2)
Service delivery  158(1)
Monitoring and review of third-party services  158(1)
Managing changes to third-party services  158(1)
System Planning and Acceptance  159(1)
Capacity management  159(1)
System acceptance  159(1)
Protection against Malicious and Mobile Code  160(1)
Controls against malicious code  160(1)
Controls against mobile code  160(1)
Backup  161(1)
Information backup  161(1)
Network Security Management  161(1)
Network controls  162(1)
Security of network services  162(1)
Media Handling  162(2)
Management of removable media  162(1)
Disposal of media  163(1)
Information handling procedures  163(1)
Security of system documentation  164(1)
Exchange of Information  164(2)
Information exchange policies and procedures  164(1)
Exchange agreements  165(1)
Physical media in transit  165(1)
Electronic messaging  166(1)
Business information systems  166(1)
Electronic Commerce Services  166(2)
Electronic commerce  167(1)
Online transactions  167(1)
Publicly available information  168(1)
Monitoring  168(3)
Audit logging  168(1)
Monitoring system use  169(1)
Protection of log information  169(1)
Administrator and operator logs  169(1)
Fault logging  170(1)
Clock synchronization  170(1)
Summary  171(1)
References  171(2)
Access Control  173(12)
Business Requirements for Access Control  173(1)
Access control policy  173(1)
User Access Management  174(1)
User registration  174(1)
Privilege management  174(1)
User password management  175(1)
Review of user access rights  175(1)
User Responsibilities  175(1)
Password use  176(1)
Unattended user equipment  176(1)
Clear desk and clear screen policy  176(1)
Network Access Control  176(3)
Policy on use of network services  177(1)
User authentication for external connections  177(1)
Equipment identification in networks  177(1)
Remote diagnostic and configuration port protection  178(1)
Segregation in networks  178(1)
Network connection control  178(1)
Network routing control  179(1)
Operating System Access Control  179(3)
Secure log-on procedures  180(1)
User identification and authentication  180(1)
Password management system  180(1)
Use of system utilities  181(1)
Session time-out  181(1)
Limitation of connection time  181(1)
Application and Information Access Control  182(1)
Information access restriction  182(1)
Sensitive system isolation  182(1)
Mobile Computing and Teleworking  183(1)
Mobile computing and communications  183(1)
Teleworking  183(1)
Summary  184(1)
References  184(1)
Information Systems Acquisition, Development, and Maintenance  185(10)
Security Requirements of Information Systems  185(1)
Security requirements analysis and specification  185(1)
Correct Processing in Applications  186(1)
Input data validation  186(1)
Control of internal processing  186(1)
Message integrity  187(1)
Output data validation  187(1)
Cryptographic Controls  187(1)
Policy on the use of cryptographic controls  187(1)
Key management  188(1)
Security of System Files  188(2)
Control of operational software  188(1)
Protection of system test data  189(1)
Access control to program source code  189(1)
Security in Development and Support Processes  190(2)
Change control procedures  190(1)
Technical review of applications after operating system changes  190(1)
Restrictions on changes to software packages  190(1)
Information leakage  191(1)
Outsourced software development  191(1)
Technical Vulnerability Management  192(1)
Control of technical vulnerabilities  192(1)
Summary  192(1)
References  193(2)
Information Security Incident Management  195(4)
Reporting Information Security Events and Weaknesses  195(2)
Reporting information security events  195(1)
Reporting security weaknesses  196(1)
Management of Information Security Incidents and Improvements  197(1)
Responsibilities and procedures  197(1)
Learning from information security incidents  197(1)
Collection of evidence  198(1)
Summary  198(1)
References  198(1)
Business Continuity Management  199(4)
Information Security Aspects of Business Continuity Management  199(2)
Including information security in the business continuity management process  199(1)
Business continuity and risk assessment  199(1)
Developing and implementing continuity plans including information security  200(1)
Business continuity planning framework  200(1)
Testing, maintaining, and reassessing business continuity plans  200(1)
Summary  201(1)
References  201(2)
Compliance  203(6)
Compliance with Legal Requirements  203(2)
Identification of applicable legislation  203(1)
Intellectual property rights (IPR)  203(1)
Protection of organizational records  204(1)
Data protection and privacy of personal information  204(1)
Prevention of misuse of information processing facilities  204(1)
Regulation of cryptographic controls  205(1)
Compliance with Security Policies and Standards, and Technical Compliance  205(1)
Compliance with security policies and standards  205(1)
Technical compliance checking  206(1)
Information Systems Audit Considerations  206(1)
Information systems audit controls  206(1)
Protection of information systems audit tools  206(1)
Summary  207(1)
References  207(2)
Appendix A  209(2)
ISO Standards Cited in ISO/IEC 17799:2005  209(2)
Appendix B  211(2)
General References  211(2)
Index  213


Timothy P. Layton