About the book Management of Information Security
Book title: Management of Information Security
Edition: 5
Persian title: مدیریت امنیت اطلاعات (Management of Information Security)
Series:
Authors: Michael E. Whitman, Herbert J. Mattord
Publisher: Cengage Learning
Year of publication: 2016
Number of pages: 674
ISBN: 130550125X, 9781305501256
Book language: English
Book format: PDF
File size: 20 MB
Table of contents:
Cover
Brief Contents
Contents
Preface
Chapter 1: Introduction To The Management Of Information Security
Introduction To Security
CNSS Security Model
The Value Of Information And The C.I.A. Triad
Key Concepts Of Information Security: Threats And Attacks
The 12 Categories Of Threats
What Is Management?
Behavioral Types Of Leaders
Management Characteristics
Governance
Solving Problems
Principles Of Information Security Management
Planning
Policy
Programs
Protection
People
Projects
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 2: Compliance: Law And Ethics
InfoSec And The Law
Types Of Law
Relevant U.S. Laws
International Laws And Legal Bodies
State And Local Regulations
Policy Versus Law
Ethics In InfoSec
Ethics And Education
Deterring Unethical And Illegal Behavior
Professional Organizations And Their Codes Of Conduct
Association For Computing Machinery (ACM)
International Information Systems Security Certification Consortium, Inc. (ISC)2
SANS
Information Systems Audit And Control Association (ISACA)
Information Systems Security Association (ISSA)
Organizational Liability And The Need For Counsel
Key Law Enforcement Agencies
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 3: Governance And Strategic Planning For Security
The Role Of Planning
Precursors To Planning
Strategic Planning
Creating A Strategic Plan
Planning Levels
Planning And The CISO
Information Security Governance
The ITGI Approach To Information Security Governance
NCSP Industry Framework For Information Security Governance
CERT Governing For Enterprise Security Implementation
ISO/IEC 27014:2013 Governance Of Information Security
Security Convergence
Planning For Information Security Implementation
Introduction To The Security Systems Development Life Cycle
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 4: Information Security Policy
Why Policy?
Policy, Standards, And Practices
Enterprise Information Security Policy
Integrating An Organization’s Mission And Objectives Into The EISP
EISP Elements
Example EISP Elements
Issue-Specific Security Policy
Elements Of The ISSP
Implementing The ISSP
System-specific Security Policy
Managerial Guidance SysSPs
Technical Specification SysSPs
Guidelines For Effective Policy Development And Implementation
Developing Information Security Policy
Policy Distribution
Policy Reading
Policy Comprehension
Policy Compliance
Policy Enforcement
Policy Development And Implementation Using The SecSDLC
Automated Tools
Other Approaches To Information Security Policy Development
SP 800-18, Rev. 1: Guide For Developing Security Plans For Federal Information Systems
A Final Note On Policy
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 5: Developing The Security Program
Organizing For Security
Security In Large Organizations
Security In Medium-Sized Organizations
Security In Small Organizations
Placing Information Security Within An Organization
Components Of The Security Program
Information Security Roles And Titles
Chief Information Security Officer
Convergence And The Rise Of The True CSO
Security Managers
Security Administrators And Analysts
Security Technicians
Security Staffers And Watchstanders
Security Consultants
Security Officers And Investigators
Help Desk Personnel
Implementing Security Education, Training, And Awareness Programs
Security Education
Security Training
Training Techniques
Security Awareness
Project Management In Information Security
Projects Versus Processes
PMBOK Knowledge Areas
Project Management Tools
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 6: Risk Management: Identifying And Assessing Risk
Introduction To Risk Management
Knowing Yourself
Knowing The Enemy
Accountability For Risk Management
Risk Identification
Identification And Prioritization Of Information Assets
Threat Assessment
The TVA Worksheet
Risk Assessment And Risk Appetite
Assessing Risk
Likelihood
Assessing Potential Impact On Asset Value (Consequences)
Percentage Of Risk Mitigated By Current Controls
Uncertainty
Risk Determination
Likelihood And Consequences
Documenting The Results Of Risk Assessment
Risk Appetite
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 7: Risk Management: Controlling Risk
Introduction To Risk Control
Risk Control Strategies
Defense
Transference
Mitigation
Acceptance
Termination
Managing Risk
Feasibility And Cost–Benefit Analysis
Other Methods Of Establishing Feasibility
Alternatives To Feasibility Analysis
Recommended Risk Control Practices
Qualitative And Hybrid Measures
Delphi Technique
The OCTAVE Methods
Microsoft Risk Management Approach
FAIR
ISO 27005 Standard For InfoSec Risk Management
NIST Risk Management Model
Other Methods
Selecting The Best Risk Management Model
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 8: Security Management Models
Introduction To Blueprints, Frameworks, And Security Models
Access Control Models
Categories Of Access Controls
Other Forms Of Access Control
Security Architecture Models
Trusted Computing Base
Information Technology System Evaluation Criteria
The Common Criteria
Academic Access Control Models
Bell-LaPadula Confidentiality Model
Biba Integrity Model
Clark-Wilson Integrity Model
Graham-Denning Access Control Model
Harrison-Ruzzo-Ullman Model
Brewer-Nash Model (Chinese Wall)
Other Security Management Models
The ISO 27000 Series
NIST Security Publications
Control Objectives For Information And Related Technology
Committee Of Sponsoring Organizations
Information Technology Infrastructure Library
Information Security Governance Framework
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 9: Security Management Practices
Introduction To Security Practices
Benchmarking
Standards Of Due Care/Due Diligence
Selecting Recommended Practices
Limitations To Benchmarking And Recommended Practices
Baselining
Support For Benchmarks And Baselines
Performance Measurement In InfoSec Management
InfoSec Performance Management
Building The Performance Measurement Program
Specifying InfoSec Measurements
Collecting InfoSec Measurements
Implementing InfoSec Performance Measurement
Reporting InfoSec Performance Measurements
Trends In Certification And Accreditation
NIST SP 800-37, Rev. 1: Guide For Applying The Risk Management Framework To Federal Information Systems: A Security Life Cycle Approach
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 10: Planning For Contingencies
Introduction To Contingency Planning
Fundamentals Of Contingency Planning
Components Of Contingency Planning
Business Impact Analysis
Contingency Planning Policies
Incident Response
Getting Started
Incident Response Policy
Incident Response Planning
Detecting Incidents
Reacting To Incidents
Recovering From Incidents
Disaster Recovery
The Disaster Recovery Process
Disaster Recovery Policy
Disaster Classification
Planning To Recover
Responding To The Disaster
Simple Disaster Recovery Plan
Business Continuity
Business Continuity Policy
Continuity Strategies
Timing And Sequence Of CP Elements
Crisis Management
Business Resumption
Testing Contingency Plans
Final Thoughts On CP
Managing Investigations In The Organization
Digital Forensics Team
Affidavits And Search Warrants
Digital Forensics Methodology
Evidentiary Policy And Procedures
Law Enforcement Involvement
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 11: Personnel And Security
Introduction To Personnel And Security
Staffing The Security Function
Information Security Positions
Information Security Professional Credentials
(ISC)2 Certifications
ISACA Certifications
GIAC Certifications
EC-Council Certifications
CompTIA Certifications
ISFCE Certifications
Certification Costs
Entering The Information Security Profession
Employment Policies And Practices
Hiring
Contracts And Employment
Security As Part Of Performance Evaluation
Termination Issues
Personnel Security Practices
Security Of Personnel And Personal Data
Security Considerations For Temporary Employees, Consultants, And Other Workers
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
Chapter 12: Protection Mechanisms
Introduction To Protection Mechanisms
Access Controls And Biometrics
Managing Network Security
Firewalls
Intrusion Detection And Prevention Systems
Remote Access Protection
Wireless Networking Protection
Scanning And Analysis Tools
Managing Server-Based Systems With Logging
Cryptography
Encryption Operations
Using Cryptographic Controls
Managing Cryptographic Controls
Chapter Summary
Review Questions
Exercises
Closing Case
Discussion Questions
Ethical Decision Making
Endnotes
APPENDIX
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
ISO 17799: 2005 Overview
The OCTAVE Method of Risk Management
Microsoft Risk Management Approach
Glossary
Index