International IT Governance : An Executive Guide to ISO 17799/ISO 27001

Note: Supplemental materials are not guaranteed with Rental or Used book purchases.

ISBN: 9780749447489 | 0749447486
Cover: Paperback
Copyright: 8/31/2006

Rent

(Recommended)

$54.80

Term

Due

Price

Semester

Dec 13

$57.68

Quarter

Aug 16

$54.80

Short Term

Jul 14

$51.91

*This item is part of an exclusive publisher rental program and requires an additional convenience fee. This fee will be reflected in the shopping cart.
Buy New

Usually Ships in 3-5 Business Days

$78.80

The development of IT Governance, which recognizes the convergence between business and IT management, makes it essential for managers at all levels and in organizations of all sizes to understand how best to deal with information security risks. "International IT Governance" explores new legislation, including the launch of ISO/IEC 27001, which makes a single, global standard of information security best practice available.

How to use this book

Acknowledgments

xiii

Introduction

(144)

1. Why is information security necessary?

(14)

Nature of information security threats

(1)

Prevalence of information security threats

(3)

Impacts of information security threats

(1)

Cybercrime

(2)

Cyberwar

(1)

Future risks

(4)

Legislation

(1)

Benefits of an information security management system

(3)

2. Sarbanes—Oxley and regulatory compliance

(8)

Sarbanes—Oxley

(3)

Enterprise risk management

(1)

Regulatory compliance

(2)

IT governance

(2)

3. Information security standards

(14)

Benefits of certification

(1)

History of ISO/IEC 27001 and ISO/IEC 17799

(1)

Use of the standard

(1)

ISO/IEC 17799

(2)

PDCA and process approach

(1)

Structured approach to implementation

(2)

Quality system integration

(1)

Documentation

(4)

Continual improvement and metrics

(2)

4. Organizing information security

(18)

Internal organization

(1)

Management review

(1)

Information security manager

(1)

The cross-functional management forum

(2)

ISO/IEC 27001 project group

(5)

Approval process for information processing facilities

(1)

Product selection and the Common Criteria

(1)

Specialist information security advice

(3)

Contact with authorities and with special interest groups

(1)

Independent review of information security

(1)

Summary

(1)

5. Information security policy and scope

(10)

Information security policy

(7)

A policy statement

(1)

Costs and monitoring progress

(2)

6. The risk assessment and Statement of Applicability

(22)

Establishing security requirements

(1)

Risks, impacts and risk management

(13)

Selection of controls and Statement of Applicability

(4)

Gap analysis

(1)

Risk assessment tools

(1)

Risk treatment plan

(3)

7. External parties

(14)

Identification of risks related to external parties

(2)

Types of access

(1)

Reasons for access

(2)

Outsourcing

100

(1)

On-site contractors

101

(2)

Addressing security when dealing with customers

103

(1)

Addressing security in third party agreements

104

(5)

8. Asset management

109

(18)

Asset owners

109

(1)

Inventory

110

(3)

Acceptable use of assets

113

(1)

Information classification

113

(3)

The US government classification system

116

(1)

Unified classification markings

117

(2)

Information labeling and handling

119

(5)

Non-disclosure agreements and trusted partners

124

(3)

9. Human resources security

127

(18)

Job descriptions and competence requirements

128

(1)

Screening

129

(3)

Terms and conditions of employment

132

(2)

During employment

134

(6)

Disciplinary process

140

(1)

Termination or change of employment

141

(4)

10. Physical and environmental security

145

(12)

Secure areas

145

(9)

Public access, delivery and loading areas

154

(3)

11. Equipment security

157

(10)

Equipment siting and protection

157

(3)

Supporting utilities

160

(2)

Cabling security

162

(1)

Equipment maintenance

163

(1)

Security of equipment off-premises

164

(1)

Secure disposal or reuse of equipment

165

(1)

Removal of property

165

(2)

12. Communications and operations management

167

(14)

Documented operating procedures

167

(2)

Change management

169

(1)

Segregation of duties

170

(1)

Separation of development, test and operational facilities

171

(1)

Third party service delivery management

172

(2)

Monitoring and review of third party services

174

(1)

Managing changes to third party services

175

(1)

System planning and acceptance

176

(5)

13. Controls against malicious software (malware) and back-ups

181

(14)

Viruses, worms and Trojans

182

(1)

Anti-malware software

183

(1)

Hoax messages

184

(1)

Anti-malware controls

185

(3)

Airborne viruses

188

(1)

Controls against mobile code

189

(1)

Back-up

190

(5)

14. Network security management and media handling

195

(8)

Network management

195

(3)

Media handling

198

(5)

15. Exchanges of information

203

(8)

Information exchange policies and procedures

203

(3)

Exchange agreements

206

(1)

Physical media in transit

207

(1)

Business information systems

208

(3)

16. Electronic commerce services

211

(12)

E-commerce issues

211

(3)

Security technologies

214

(3)

Server security

217

(1)

Online transactions

218

(1)

Publicly available information

219

(4)

17. E-mail and internet use

223

(8)

Security risks in e-mail

224

(2)

Misuse of the internet

226

(2)

Internet acceptable use policy (AUP)

228

(3)

18. Access control

231

(18)

Hackers

232

(1)

Hacker techniques

232

(3)

System configuration

235

(1)

Access control policy

236

(2)

User access management

238

(9)

Clear desk and clear screen policy

247

(2)

19. Network access control

249

(12)

Networks

249

(4)

Network security

253

(8)

20. Operating system access control

261

(6)

Secure log-on procedures

261

(2)

User identification and authentication

263

(1)

Password management system

263

(1)

Use of system utilities

264

(1)

Session time-out

265

(1)

Limitation of connection time

265

(2)

21. Application access control and teleworking

267

(8)

Application and information access control

267

(2)

Mobile computing and teleworking

269

(6)

22. Systems acquisition, development and maintenance

275

(6)

Security requirements analysis and specification

276

(1)

Correct processing in applications

276

(5)

23. Cryptographic controls

281

(8)

Encryption

282

(1)

Public key infrastructure (PKI)

283

(1)

Digital signatures

284

(1)

Non-repudiation services

285

(1)

Key management

286

(3)

24. Security in development and support processes

289

(10)

System files

289

(2)

Access control to program source code

291

(1)

Development and support processes

291

(4)

Vulnerability management

295

(4)

25. Monitoring and information security incident management

299

(16)

Monitoring

299

(5)

Information security events

304

(5)

Management of information security incidents and improvements

309

(6)

26. Business continuity management

315

(12)

Business continuity management process

316

(1)

Business continuity and risk assessment

317

(1)

Developing and implementing continuity plans

318

(2)

Business continuity planning framework

320

(3)

Testing, maintaining and reassessing business continuity plans

323

(4)

27 Compliance

327

(18)

Identification of applicable legislation

328

(7)

Intellectual property rights (IPR)

335

(2)

Safeguarding of organizational records

337

(2)

Data protection and privacy of personal information

339

(1)

Prevention of misuse of information processing facilities

339

(1)

Regulation of cryptographic controls

340

(1)

Compliance with security policies and standards

341

(2)

Information systems audit considerations

343

(2)

28. The ISO/IEC 27001 audit

345

(6)

Selection of auditors

346

(1)

Initial visit

347

(1)

Preparation for audit

348

(3)

Useful websites

351

(4)

FREE SHIPPING

Amazon no longer offers textbook rentals. We do!

International IT Governance : An Executive Guide to ISO 17799/ISO 27001

Summary

Table of Contents

Supplemental Materials