CISM Certified Information Security Manager All-in-One Exam Guide, Second Edition

by Peter H. Gregory
Overview

Provides 100% coverage of every objective on the 2022 CISM exam

This integrated self-study guide enables you to take the 2022 version of the challenging CISM exam with complete confidence. Written by an expert in the field, the book offers exam-focused coverage of information security governance, information risk management, information security program development and management, and information security incident management.

CISM Certified Information Security Manager All-in-One Exam Guide, Second Edition features learning objectives, exam tips, practice questions, and in-depth explanations. All questions closely match those on the live test in tone, format, and content. Special design elements throughout provide real-world insight and call out potentially harmful situations. Beyond fully preparing you for the exam, the book also serves as a valuable on-the-job reference.

  • Features complete coverage of all 2022 CISM exam domains
  • Online content includes 300 practice questions in the customizable TotalTester™ exam engine
  • Written by a cybersecurity expert, author, and lecturer


Product Details

ISBN-13: 9781264268313
Publisher: McGraw Hill LLC
Publication date: 10/17/2022
Edition description: 2nd ed.
Pages: 656
Product dimensions: 7.30(w) x 8.90(h) x 1.50(d)

About the Author

Peter H. Gregory, CRISC, CISM®, CISA®, CDPSE™, CIPM®, CISSP®, DRCE, CCSK™, is a 30-year career technologist and a security leader in a regional telecommunications company. He is the author of over 40 books on information security and technology, including CISA Certified Information Systems Auditor All-in-One Exam Guide, Third Edition.

Table of Contents

Acknowledgments xix
Introduction xxi

Part I Information Security Governance

Chapter 1 Enterprise Governance 3
Introduction to Information Security Governance 4
Reason for Security Governance 6
Security Governance Activities and Results 7
Business Alignment 8
Organizational Culture 9
Acceptable Use Policy 10
Ethics 10
Legal, Regulatory, and Contractual Requirements 11
Organizational Structure, Roles, and Responsibilities 12
Organizational Roles 13
Board of Directors 16
Executive Management 18
Security Steering Committee 19
Business Process and Business Asset Owners 20
Custodial Responsibilities 21
Chief Information Security Officer 21
Chief Privacy Officer 23
Chief Compliance Officer 23
Software Development 23
Data Management 24
Network Management 24
Systems Management 25
IT Operations 25
Governance, Risk, and Compliance 26
Business Resilience 27
Security Operations 27
Security Audit 28
Service Desk 28
Quality Assurance 28
Other Roles 28
General Staff 29
Monitoring Responsibilities 29
Chapter Review 30
Notes 31
Questions 32
Answers 34

Chapter 2 Information Security Strategy 37
Information Security Strategy Development 38
Strategy Objectives 38
Strategy Participants 39
Strategy Resources 40
Strategy Development 55
Strategy Constraints 68
Information Governance Frameworks and Standards 72
Business Model for Information Security 73
The Zachman Framework 81
The Open Group Architecture Framework 83
ISO/IEC 27001 83
NIST Cybersecurity Framework 85
NIST Risk Management Framework 87
Strategic Planning 88
Roadmap Development 89
Developing a Business Case 89
Chapter Review 91
Notes 93
Questions 94
Answers 97

Part II Information Security Risk Management

Chapter 3 Information Security Risk Assessment 101
Emerging Risk and Threat Landscape 102
The Importance of Risk Management 102
Outcomes of Risk Management 103
Risk Objectives 103
Risk Management Technologies 104
Implementing a Risk Management Program 105
The Risk Management Life Cycle 115
Vulnerability and Control Deficiency Analysis 127
Risk Assessment and Analysis 129
Threat Identification 129
Risk Identification 136
Risk Likelihood and Impact 137
Risk Analysis Techniques and Considerations 139
Risk Management and Business Continuity Planning 145
The Risk Register 146
Integration of Risk Management into Other Processes 150
Chapter Review 157
Notes 159
Questions 160
Answers 162

Chapter 4 Information Security Risk Response 165
Risk Treatment / Risk Response Options 166
Risk Mitigation 167
Risk Transfer 168
Risk Avoidance 169
Risk Acceptance 170
Evaluating Risk Response Options 171
Costs and Benefits 172
Residual Risk 173
Iterative Risk Treatment 173
Risk Appetite, Capacity, and Tolerance 174
Legal and Regulatory Considerations 175
The Risk Register 177
Risk and Control Ownership 178
Risk Ownership 178
Control Ownership 179
Risk Monitoring and Reporting 180
Key Risk Indicators 180
Training and Awareness 181
Risk Documentation 182
Chapter Review 182
Notes 183
Questions 184
Answers 186

Part III Information Security Risk Management

Chapter 5 Information Security Program Development 191
Information Security Program Resources 192
Trends 192
Outcomes 193
Charter 194
Scope 195
Information Security Processes 195
Information Security Technologies 196
Information Asset Identification and Classification 199
Asset Identification and Valuation 199
Asset Classification 202
Asset Valuation 209
Industry Standards and Frameworks for Information Security 210
Control Frameworks 210
Information Security Management Frameworks 218
Information Security Architecture 218
Information Security Policies, Procedures, and Guidelines 220
Policy Development 220
Standards 223
Guidelines 223
Requirements 223
Processes and Procedures 224
Information Security Program Metrics 225
Types of Metrics 227
Audiences 231
The Security Balanced Scorecard 232
Chapter Review 233
Notes 236
Questions 237
Answers 239

Chapter 6 Information Security Program Management 241
Information Security Control Design and Selection 242
Control Classification 242
Control Objectives 245
General Computing Controls 246
Controls: Build Versus Buy 247
Control Frameworks 248
Information Security Control Implementation and Integrations 272
Controls Development 272
Control Implementation 275
Security and Control Operations 275
Information Security Control Testing and Evaluation 321
Control Monitoring 322
Control Reviews and Audits 322
Information Security Awareness and Training 339
Security Awareness Training Objectives 339
Creating or Selecting Content for Security Awareness Training 340
Security Awareness Training Audiences 340
Awareness Training Communications 343
Management of External Services 344
Benefits of Outsourcing 345
Risks of Outsourcing 345
Identifying Third Parties 348
Cloud Service Providers 350
TPRM Life Cycle 351
Risk Tiering and Vendor Classification 354
Assessing Third Parties 356
Proactive Issue Remediation 360
Responsive Issue Remediation 362
Security Incidents 362
Information Security Program Communications and Reporting 363
Security Operations 363
Risk Management 363
Internal Partnerships 364
External Partnerships 370
Compliance Management 373
Security Awareness Training 375
Technical Architecture 376
Personnel Management 376
Project and Program Management 382
Budget 382
IT Service Management 383
Service Desk 384
Incident Management 384
Problem Management 385
Change Management 386
Configuration Management 388
Release Management 389
Service-Level Management 391
Financial Management 391
Capacity Management 392
Service Continuity Management 393
Availability Management 393
Asset Management 394
Continuous Improvement 394
Chapter Review 394
Notes 396
Questions 397
Answers 400

Part IV Incident Management

Chapter 7 Incident Management Readiness 405
Incident Response Plan 406
Security Incident Response Overview 408
Incident Response Plan Development 411
Business Impact Analysis 417
Inventory of Key Processes and Systems 417
Statements of Impact 419
Criticality Analysis 420
Determine Maximum Tolerable Downtime 422
Determine Maximum Tolerable Outage 422
Establish Key Recovery Targets 423
Business Continuity Plan (BCP) 426
Business Continuity Planning 427
Disaster Recovery Plan (DRP) 455
Disaster Response Teams' Roles and Responsibilities 456
Recovery Objectives 457
Incident Classification/Categorization 473
Incident Management Training, Testing, and Evaluation 475
Security Incident Response Training 475
Business Continuity and Disaster Response Training 476
Testing Security Incident Response Plans 477
Testing Business Continuity and Disaster Recovery Plans 478
Evaluating Business Continuity Planning 484
Evaluating Disaster Recovery Planning 488
Evaluating Security Incident Response 492
Chapter Review 493
Notes 494
Questions 494
Answers 497

Chapter 8 Incident Management Operations 499
Incident Management Tools and Techniques 502
Incident Response Roles and Responsibilities 502
Incident Response Tools and Techniques 503
Incident Investigation and Evaluation 507
Incident Detection 507
Incident Initiation 509
Incident Analysis 509
Incident Containment Methods 513
Incident Response Communications 515
Crisis Management and Communications 515
Communications in the Incident Response Plan 516
Incident Response Metrics and Reporting 517
Incident Eradication and Recovery 519
Incident Eradication 520
Incident Recovery 520
Incident Remediation 521
Post-incident Review Practices 522
Closure 522
Post-incident Review 522
Chapter Review 523
Notes 524
Questions 524
Answers 527

Part V Appendix and Glossary

Appendix About the Online Content 531
System Requirements 531
Your Total Seminars Training Hub Account 531
Privacy Notice 531
Single User License Terms and Conditions 531
TotalTester Online 533
Technical Support 533

Glossary 535
Index 577

Figure Credits

Figure 2-1 Courtesy Xhienne: SWOT pt.svg, CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=2838770.
Figure 2-2 Adapted from the Business Model for Information Security, ISACA.
Figure 2-3 Adapted from the University of Southern California Marshall School of Business Institute for Critical Information Infrastructure Protection, USA.
Figure 2-5 Courtesy The Open Group.
Figure 2-7 Courtesy High Tech Security Solutions magazine.
Figure 3-1 Source: National Institute for Standards and Technology.
Figure 6-8 Courtesy Bluefoxicy at en.wikipedia.org.
Figure 7-4 Source: NASA.
Figure 7-6 Courtesy Gustavo Basso.
Figure 7-7 Courtesy John Crowley at en.wikipedia.org.
