Index
Cover
Title Page
Copyright Page
Brief Contents
Contents
Dedication
Preface
Acknowledgments
About the Authors
CHAPTER 1 Information Systems Security Policy Management
What Is Information Systems Security?
Information Systems Security Management Life Cycle
Align, Plan, and Organize
Build, Acquire, and Implement
Deliver, Service, and Support
Monitor, Evaluate, and Assess
ISO/IEC 38500
What Is Information Assurance?
Confidentiality
Integrity
Authentication
Availability
Nonrepudiation
What Is Governance?
Why Is Governance Important?
What Are Information Systems Security Policies?
How Policies and Standards Differ
How Policies and Procedures Differ
Creating Policies
Where Do Information Systems Security Policies Fit Within an Organization?
Why Information Systems Security Policies Are Important
Policies That Support Operational Success
Challenges of Running a Business Without Policies
Dangers of Not Implementing Policies
Dangers of Implementing the Wrong Policies
When Do You Need Information Systems Security Policies?
Business Process Reengineering (BPR)
Continuous Improvement
Making Changes in Response to Problems
Why Enforcing and Winning Acceptance for Policies Is Challenging
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
ENDNOTES
CHAPTER 2 Business Drivers for Information Security Policies
Why Are Business Drivers Important?
Maintaining Compliance
Compliance Requires Proper Security Controls
Security Controls Enforce Information Security Policies
Preventive Security Controls
Detective Security Control
Corrective Security Control
Mitigating Security Controls
Mitigating Risk Exposure
Educate Employees and Drive Security Awareness
Prevent Loss of Intellectual Property
Labeling Data and Data Classification
Protect Digital Assets
Secure Privacy of Data
Full Disclosure and Data Encryption
Lower Risk Exposure
Minimizing Liability of the Organization
Separation Between Employer and Employee
Acceptable Use Policies
Confidentiality Agreement and Nondisclosure Agreement
Business Liability Insurance Policies
Implementing Policies to Drive Operational Consistency
Forcing Repeatable Business Processes Across the Entire Organization
Differences Between Mitigating and Compensating Controls
Policies Help Prevent Operational Deviation
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
ENDNOTES
CHAPTER 3 Compliance Laws and Information Security Policy Requirements
U.S. Compliance Laws
What Are U.S. Compliance Laws?
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
HITECH
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley (SOX) Act
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Why Did U.S. Compliance Laws Come About?
Whom Do the Laws Protect?
Which Laws Require Proper Security Controls to Be Included in Policies?
Which Laws Require Proper Security Controls for Handling Privacy Data?
Aligning Security Policies and Controls with Regulations
Industry Leading Practices and Self-Regulation
Some Important Industry Standards
Payment Card Industry Data Security Standard (PCI DSS)
Clarified Statement on Standards for Attestation Engagements No. 18 (SSAE18)
Information Technology Infrastructure Library (ITIL)
International Laws
General Data Protection Regulation (GDPR)
European Telecommunications Standards Institute (ETSI)
Asia-Pacific Economic Framework (APEC)
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
ENDNOTES
CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
The Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Inventory
Perimeter
Device Management
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
ENDNOTES
CHAPTER 5 Information Security Policy Implementation Issues
Human Nature in the Workplace
Basic Elements of Motivation
Pride
Self-Interest
Success
Personality Types of Employees
Leadership, Values, and Ethics
Organizational Structures
Flat Organizations
Hierarchical Organizations
Advantages of a Hierarchical Model
Disadvantages of a Hierarchical Model
The Challenge of User Apathy
The Importance of Executive Management Support
Selling Information Security Policies to an Executive
Before, During, and After Policy Implementation
The Role of Human Resources Policies
Relationship Between HR and Security Policies
Lack of Support
Policy Roles, Responsibilities, and Accountability
Change Model
Responsibilities During Change
Step 1: Create Urgency
Step 2: Create a Powerful Coalition
Step 3: Create a Vision for Change
Step 4: Communicate the Vision
Step 5: Remove Obstacles
Step 6: Create Short-Term Wins
Step 7: Build on the Change
Step 8: Anchor the Changes in Corporate Culture
Roles and Accountabilities
When Policy Fulfillment Is Not Part of Job Descriptions
Impact on Entrepreneurial Productivity and Efficiency
Tying Security Policy to Performance and Accountability
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
ENDNOTES
CHAPTER 6 IT Security Policy Frameworks
What Is an IT Policy Framework?
What Is a Program Framework Policy or Charter?
Purpose and Mission
Scope
Responsibilities
Compliance
Industry-Standard Policy Frameworks
ISO/IEC 27002 (2015)
ISO/IEC 30105
ISO 27007
NIST Special Publication (SP) 800-53
What Is a Policy?
What Are Standards?
Issue-Specific or Control Standards
System-Specific or Baseline Standards
What Are Procedures?
Exceptions to Standards
What Are Guidelines?
Business Considerations for the Framework
Roles for Policy and Standards Development and Compliance
Information Assurance Considerations
Confidentiality
Integrity
Availability
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Best Practices for IT Security Policy Framework Creation
Case Studies in Policy Framework Development
Private Sector Case Study
Private Sector Case Study Two
Public Sector Case Study
Private Sector Case Study Three
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
ENDNOTES
CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
Policies and Standards Design Considerations
Operating Models
Principles for Policy and Standards Development
The Importance of Transparency with Regard to Customer Data
Types of Controls for Policies and Standards
Security Control Types
Document Organization Considerations
Sample Templates
Sample Policy Template
Sample Standard Template
Sample Procedure Template
Sample Guideline Template
Considerations for Implementing Policies and Standards
Building Consensus on Intent
Reviews and Approvals
Publishing Your Policy and Standards Library
Awareness and Training
Security Newsletter
Security Articles
What Is...?
Ask Us
Security Resources
Contacts
Policy Change Control Board
Business Drivers for Policy and Standards Changes
Maintaining Your Policy and Standards Library
Updates and Revisions
Best Practices for Policies and Standards Maintenance
Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
Private Sector Case Study 1
Private Sector Case Study 2
Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
ENDNOTES
CHAPTER 8 IT Security Policy Framework Approaches
IT Security Policy Framework Approaches
Risk Management and Compliance Approach
The Physical Domains of IT Responsibility Approach
Roles, Responsibilities, and Accountability for Personnel
The Seven Domains of a Typical IT Infrastructure
Organizational Structure
Organizational Culture
Separation of Duties
Layered Security Approach
Domain of Responsibility and Accountability
First Line of Defense
Second Line of Defense
Third Line of Defense
Governance and Compliance
IT Security Controls
IT Security Policy Framework
Best Practices for IT Security Policy Framework Approaches
What Is the Difference Between GRC and ERM?
Case Studies and Examples of IT Security Policy Framework Approaches
Private Sector Case Study
Public Sector Case Study
E-Commerce Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
ENDNOTES
CHAPTER 9 User Domain Policies
The Weakest Link in the Information Security Chain
Social Engineering
Phishing
Human Mistakes
Insiders
Seven Types of Users
Employees
Systems Administrators
Security Personnel
Contractors
Vendors
Guests and General Public
Control Partners
Contingent
System
Why Govern Users with Policies?
Acceptable Use Policy (AUP)
The Privileged-Level Access Agreement (PAA)
Security Awareness Policy (SAP)
Best Practices for User Domain Policies
Understanding Least Access Privileges and Best Fit Access Privileges
Case Studies and Examples of User Domain Policies
Government Laptop Compromised
The NASA Raspberry Pi
Defense Data Stolen
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 IT Infrastructure Security Policies
Anatomy of an Infrastructure Policy
Format of a Standard
Workstation Domain Policies
Control Standards
Baseline Standards
Procedures
Guidelines
Mobile Device Domain Policies
LAN Domain Policies
Control Standards
Baseline Standards
Procedures
Guidelines
LAN-to-WAN Domain Policies
Control Standards
Baseline Standards
Procedures
Guidelines
WAN Domain Policies
Control Standards
Baseline Standards
Procedures
Guidelines
Remote Access Domain Policies
Control Standards
Baseline Standards
Procedures
Guidelines
System/Application Domain Policies
Control Standards
Baseline Standards
Procedures
Guidelines
Telecommunications Policies
Control Standards
Baseline Standards
Procedures
Guidelines
Best Practices for IT Infrastructure Security Policies
Cloud Security Policies
Case Studies and Examples of IT Infrastructure Security Policies
State Government Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
Data Classification Policies
When Is Data Classified or Labeled?
The Need for Data Classification
Protecting Information
Retaining Information
Recovering Information
Legal Classification Schemes
Military Classification Schemes
Business Classification Schemes
Developing a Customized Classification Scheme
Classifying Your Data
Data Handling Policies
The Need for Policy Governing Data at Rest and in Transit
Policies, Standards, and Procedures Covering the Data Life Cycle
Identifying Business Risks Related to Information Systems
Types of Risk
Development and Need for Policies Based on Risk Management
Risk and Control Self-Assessment
Risk Assessment Policies
Risk Exposure
Prioritization of Risks, Threats, and Vulnerabilities
Risk Management Strategies
Vulnerability Assessments
Vulnerability Windows
Common Vulnerability Scan Tools
Patch Management
Quality Assurance Versus Quality Control
Best Practices for Data Classification and Risk Management Policies
Case Studies and Examples of Data Classification and Risk Management Policies
Private Sector Case Study 1
Public Sector Case Study
Private Sector Case Study 2
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Incident Response Team (IRT) Policies
Incident Response Policy
What Is an Incident?
Incident Classification
The Response Team Charter
Incident Response Team Members
Responsibilities During an Incident
Users on the Front Line
System Administrators
Information Security Personnel
Management
Support Services
Other Key Roles
Business Impact Analysis (BIA) Policies
Component Priority
Component Reliance
Impact Report
Development and Need for Policies Based on the BIA
Procedures for Incident Response
Discovering an Incident
Reporting an Incident
Containing and Minimizing the Damage
Cleaning Up After the Incident
Documenting the Incident and Actions
Analyzing the Incident and Response
Creating Mitigation to Prevent Future Incidents
Handling the Media and Deciding What to Disclose
Business Continuity Planning Policies
Dealing with Loss of Systems, Applications, or Data Availability
Response and Recovery Time Objectives Policies Based on the BIA
Best Practices for Incident Response Policies
Disaster Recovery Plan Policies
Disaster Declaration Policy
Assessment of the Disaster’s Severity and of Potential Downtime
Case Studies and Examples of Incident Response Policies
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13 IT Security Policy Implementations
Simplified Implementation Process
Target State
Distributed Infrastructure
Outdated Technology
Lack of Standardization Throughout the IT Infrastructure
Executive Buy-in, Cost, and Impact
Executive Management Sponsorship
Overcoming Nontechnical Hindrances
Distributed Environment
User Types
Organizational Challenges
Policy Language
Employee Awareness and Training
Organizational and Individual Acceptance
Motivation
Developing an Organization-Wide Security Awareness Policy
Conducting Security Awareness Training Sessions
Human Resources Ownership of New Employee Orientation
Review of Acceptable Use Policies (AUPs)
Information Dissemination—How to Educate Employees
Hard Copy Dissemination
Posting Policies on the Intranet
Using Email
Brown Bag Lunches and Learning Sessions
Policy Implementation Issues
Governance and Monitoring
Best Practices for IT Security Policy Implementations
Case Studies and Examples of IT Security Policy Implementations
CIO Magazine
SANS
Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
ENDNOTES
CHAPTER 14 IT Security Policy Enforcement
Organizational Support for IT Security Policy Enforcement
Executive Management Sponsorship
Governance Versus Management Organizational Structure
The Hierarchical Organizational Approach to Security Policy Implementation
Project Committee
Architecture Review Committee
External Connection Committee
Vendor Governance Committee
Security Compliance Committee
Operational Risk Committee
Front-Line Managers’ and Supervisors’ Responsibility and Accountability
Grass-Roots Employees
An Organization’s Right to Monitor User Actions and Traffic
Internet Use
Email Use
Computer Use
Compliance Law: Requirement or Risk Management?
What Is Law and What Is Policy?
What Security Controls Work to Enforce Protection of Personal Data?
What Automated Security Controls Can Be Implemented Through Policy?
What Manual Security Controls Assist with Enforcement?
Legal Implications of IT Security Policy Enforcement
Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
Where Must IT Security Policy Enforcement Come From?
Best Practices for IT Security Policy Enforcement
Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
Private Sector Case Study
Public Sector Case Study 1
Public Sector Case Study 2
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 IT Policy Compliance and Compliance Technologies
Creating a Baseline Definition for Information Systems Security
Policy-Defining Overall IT Infrastructure Security Definition
Vulnerability Window and Information Security Gap Definition
Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
Automated Systems
Random Audits and Departmental Compliance
Overall Organizational Report Card for Policy Compliance
Automating IT Security Policy Compliance
Automated Policy Distribution
Training Administrators and Users
Organizational Acceptance
Testing for Effectiveness
Audit Trails
Configuration Management and Change Control Management
Configuration Management Database
Tracking, Monitoring, and Reporting Configuration Changes
Collaboration and Policy Compliance Across Business Areas
Version Control for Policy Implementation Guidelines and Compliance
Compliance Technologies and Solutions
COSO Internal Control—Integrated Framework
SCAP
SNMP
WBEM
Digital Signing
Best Practices for IT Security Policy Compliance Monitoring
Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
Private Sector Case Study 1
Private Sector Case Study 2
Nonprofit Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index