Table of Contents
Acknowledgments xix
Introduction xxi
Part I Information Security Governance
Chapter 1 Enterprise Governance 3
Introduction to Information Security Governance 4
Reason for Security Governance 6
Security Governance Activities and Results 7
Business Alignment 8
Organizational Culture 9
Acceptable Use Policy 10
Ethics 10
Legal, Regulatory, and Contractual Requirements 11
Organizational Structure, Roles, and Responsibilities 12
Organizational Roles 13
Board of Directors 16
Executive Management 18
Security Steering Committee 19
Business Process and Business Asset Owners 20
Custodial Responsibilities 21
Chief Information Security Officer 21
Chief Privacy Officer 23
Chief Compliance Officer 23
Software Development 23
Data Management 24
Network Management 24
Systems Management 25
IT Operations 25
Governance, Risk, and Compliance 26
Business Resilience 27
Security Operations 27
Security Audit 28
Service Desk 28
Quality Assurance 28
Other Roles 28
General Staff 29
Monitoring Responsibilities 29
Chapter Review 30
Notes 31
Questions 32
Answers 34
Chapter 2 Information Security Strategy 37
Information Security Strategy Development 38
Strategy Objectives 38
Strategy Participants 39
Strategy Resources 40
Strategy Development 55
Strategy Constraints 68
Information Governance Frameworks and Standards 72
Business Model for Information Security 73
The Zachman Framework 81
The Open Group Architecture Framework 83
ISO/IEC 27001 83
NIST Cybersecurity Framework 85
NIST Risk Management Framework 87
Strategic Planning 88
Roadmap Development 89
Developing a Business Case 89
Chapter Review 91
Notes 93
Questions 94
Answers 97
Part II Information Security Risk Management
Chapter 3 Information Security Risk Assessment 101
Emerging Risk and Threat Landscape 102
The Importance of Risk Management 102
Outcomes of Risk Management 103
Risk Objectives 103
Risk Management Technologies 104
Implementing a Risk Management Program 105
The Risk Management Life Cycle 115
Vulnerability and Control Deficiency Analysis 127
Risk Assessment and Analysis 129
Threat Identification 129
Risk Identification 136
Risk Likelihood and Impact 137
Risk Analysis Techniques and Considerations 139
Risk Management and Business Continuity Planning 145
The Risk Register 146
Integration of Risk Management into Other Processes 150
Chapter Review 157
Notes 159
Questions 160
Answers 162
Chapter 4 Information Security Risk Response 165
Risk Treatment / Risk Response Options 166
Risk Mitigation 167
Risk Transfer 168
Risk Avoidance 169
Risk Acceptance 170
Evaluating Risk Response Options 171
Costs and Benefits 172
Residual Risk 173
Iterative Risk Treatment 173
Risk Appetite, Capacity, and Tolerance 174
Legal and Regulatory Considerations 175
The Risk Register 177
Risk and Control Ownership 178
Risk Ownership 178
Control Ownership 179
Risk Monitoring and Reporting 180
Key Risk Indicators 180
Training and Awareness 181
Risk Documentation 182
Chapter Review 182
Notes 183
Questions 184
Answers 186
Part III Information Security Program
Chapter 5 Information Security Program Development 191
Information Security Program Resources 192
Trends 192
Outcomes 193
Charter 194
Scope 195
Information Security Processes 195
Information Security Technologies 196
Information Asset Identification and Classification 199
Asset Identification and Valuation 199
Asset Classification 202
Asset Valuation 209
Industry Standards and Frameworks for Information Security 210
Control Frameworks 210
Information Security Management Frameworks 218
Information Security Architecture 218
Information Security Policies, Procedures, and Guidelines 220
Policy Development 220
Standards 223
Guidelines 223
Requirements 223
Processes and Procedures 224
Information Security Program Metrics 225
Types of Metrics 227
Audiences 231
The Security Balanced Scorecard 232
Chapter Review 233
Notes 236
Questions 237
Answers 239
Chapter 6 Information Security Program Management 241
Information Security Control Design and Selection 242
Control Classification 242
Control Objectives 245
General Computing Controls 246
Controls: Build Versus Buy 247
Control Frameworks 248
Information Security Control Implementation and Integrations 272
Controls Development 272
Control Implementation 275
Security and Control Operations 275
Information Security Control Testing and Evaluation 321
Control Monitoring 322
Control Reviews and Audits 322
Information Security Awareness and Training 339
Security Awareness Training Objectives 339
Creating or Selecting Content for Security Awareness Training 340
Security Awareness Training Audiences 340
Awareness Training Communications 343
Management of External Services 344
Benefits of Outsourcing 345
Risks of Outsourcing 345
Identifying Third Parties 348
Cloud Service Providers 350
TPRM Life Cycle 351
Risk Tiering and Vendor Classification 354
Assessing Third Parties 356
Proactive Issue Remediation 360
Responsive Issue Remediation 362
Security Incidents 362
Information Security Program Communications and Reporting 363
Security Operations 363
Risk Management 363
Internal Partnerships 364
External Partnerships 370
Compliance Management 373
Security Awareness Training 375
Technical Architecture 376
Personnel Management 376
Project and Program Management 382
Budget 382
IT Service Management 383
Service Desk 384
Incident Management 384
Problem Management 385
Change Management 386
Configuration Management 388
Release Management 389
Service-Level Management 391
Financial Management 391
Capacity Management 392
Service Continuity Management 393
Availability Management 393
Asset Management 394
Continuous Improvement 394
Chapter Review 394
Notes 396
Questions 397
Answers 400
Part IV Incident Management
Chapter 7 Incident Management Readiness 405
Incident Response Plan 406
Security Incident Response Overview 408
Incident Response Plan Development 411
Business Impact Analysis 417
Inventory of Key Processes and Systems 417
Statements of Impact 419
Criticality Analysis 420
Determine Maximum Tolerable Downtime 422
Determine Maximum Tolerable Outage 422
Establish Key Recovery Targets 423
Business Continuity Plan (BCP) 426
Business Continuity Planning 427
Disaster Recovery Plan (DRP) 455
Disaster Response Teams' Roles and Responsibilities 456
Recovery Objectives 457
Incident Classification/Categorization 473
Incident Management Training, Testing, and Evaluation 475
Security Incident Response Training 475
Business Continuity and Disaster Response Training 476
Testing Security Incident Response Plans 477
Testing Business Continuity and Disaster Recovery Plans 478
Evaluating Business Continuity Planning 484
Evaluating Disaster Recovery Planning 488
Evaluating Security Incident Response 492
Chapter Review 493
Notes 494
Questions 494
Answers 497
Chapter 8 Incident Management Operations 499
Incident Management Tools and Techniques 502
Incident Response Roles and Responsibilities 502
Incident Response Tools and Techniques 503
Incident Investigation and Evaluation 507
Incident Detection 507
Incident Initiation 509
Incident Analysis 509
Incident Containment Methods 513
Incident Response Communications 515
Crisis Management and Communications 515
Communications in the Incident Response Plan 516
Incident Response Metrics and Reporting 517
Incident Eradication and Recovery 519
Incident Eradication 520
Incident Recovery 520
Incident Remediation 521
Post-incident Review Practices 522
Closure 522
Post-incident Review 522
Chapter Review 523
Notes 524
Questions 524
Answers 527
Part V Appendix and Glossary
Appendix About the Online Content 531
System Requirements 531
Your Total Seminars Training Hub Account 531
Privacy Notice 531
Single User License Terms and Conditions 531
TotalTester Online 533
Technical Support 533
Glossary 535
Index 577
Figure Credits
Figure 2-1 Courtesy Xhienne: SWOT pt.svg, CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=2838770.
Figure 2-2 Adapted from the Business Model for Information Security, ISACA.
Figure 2-3 Adapted from the University of Southern California Marshall School of Business Institute for Critical Information Infrastructure Protection, USA.
Figure 2-5 Courtesy The Open Group.
Figure 2-7 Courtesy High Tech Security Solutions magazine.
Figure 3-1 Source: National Institute of Standards and Technology.
Figure 6-8 Courtesy Bluefoxicy at en.wikipedia.org.
Figure 7-4 Source: NASA.
Figure 7-6 Courtesy Gustavo Basso.
Figure 7-7 Courtesy John Crowley at en.wikipedia.org.