IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799

by Alan Calder, Steve Watkins

Hardcover

Overview

"Companies across the USA, worried that cyberspace will be terrorism's next battleground have shored up security since September 11. About 77% of businesses improved defenses against hackers, viruses and other attacks. Such threats are real. Cyberspace attacks jumped 64% from a year ago." — USA Today 8/19/02
• 60% of organizations have suffered a data security breach in the last 2 years. 43% of those with sensitive or critical information have suffered an extremely serious one.
• IT security is now the key boardroom issue of the e-commerce age.
• Aimed at CEOs, FOs, and senior managers in the private and public sectors.
• Explains current "best practice" in managing data and information security.
• Encourages companies to ensure effective management control and legal compliance through attaining BS 7799 / ISO 17799.

IT governance is a critical aspect of corporate governance, and recent reports have focused boardroom attention on the need to ensure "best practice" in IT management. This important guide, now updated to contain the final BS 7799 / ISO 17799 nomenclature, explains current best practice in managing data and information security and gives a clear action plan for attaining certification. It is an essential resource for directors and senior managers in organizations of all sorts and sizes, but particularly those with well-developed IT systems and those focused on e-commerce.

Topics covered include: the need for information security and the benefits of certification; information security management, policy and scope; risk assessment; personnel security; physical and environmental security; equipment security; security controls; controls against malicious software; exchanges of software, the Internet and e-mail; access control; housekeeping, network management and media handling; mobile computing and teleworking; systems development and maintenance; cryptographic controls; compliance.

Product Details

ISBN-13: 9780749440787
Publisher: Kogan Page, Ltd.
Publication date: 09/28/2003
Pages: 331
Product dimensions: 6.82(w) x 9.82(h) x 0.98(d)

About the Author

Alan Calder is a founder-director of IT Governance Ltd. He is the author of Corporate Governance, IT Governance, and International IT Governance (all Kogan Page).

Steve Watkins is a recognized expert in the field of management system standards. He has authored several books on the topic and provides training and consulting services in this area.

Table of Contents

Foreword xi
Introduction 1
Background 1
1. Why is information security necessary? 7
Nature of information security threats 8
Prevalence of information security threats 9
Impacts of information security threats 10
Cybercrime 11
Cyberwar 14
Legislation 16
Benefits of an information security management system 17
2. The Combined Code and the Turnbull Report 19
The Combined Code 19
The Turnbull Report 19
IT governance 23
3. BS 7799 25
Benefits of certification 25
History of BS 7799 and ISO 17799 26
Use of the standard 27
ISO 17799 28
PDCA and Process Approach 30
Structured approach to implementation 31
Quality system integration 32
Documentation 33
Continual improvement 38
4. Information security management 39
The management information security forum 39
Information security manager 41
Management review 41
The cross-functional management forum 42
BS 7799 project group 44
Authorization process for information processing facilities 49
Product selection and the Common Criteria 50
Specialist information security advice 52
Co-operation between organizations 56
Independent review of information security 57
Summary 58
5. Information security policy and scope 59
Information security policy 59
A policy statement 64
Costs and monitoring progress 65
6. The risk assessment and statement of applicability 67
Approach to risk 67
Selection of controls and statement of applicability 79
Gap analysis 81
Risk assessment tools 82
Risk treatment plan 83
7. Security of third party access and outsourcing 85
Identification of risks 85
Types of access 86
Reasons for access 87
Onsite contractors 88
Security requirements in third party contracts 90
Outsourcing 93
8. Asset classification and control 95
Asset owners 95
Inventory 95
Information classification 98
Unified classification markings 101
Information labelling and handling 103
Non-disclosure agreements and trusted partners 108
9. Personnel security 109
Job descriptions and competence requirements 109
Personnel screening and policy 111
Confidentiality agreements and terms of employment 114
User training and awareness 116
Responding to security incidents and malfunctions 121
Learning from incidents 125
Disciplinary process 126
10. Physical and environmental security 129
Secure areas 129
Isolated delivery and loading areas 137
11. Equipment security 139
Equipment siting and protection 139
Power supplies 142
Cabling security 143
Equipment maintenance 144
Security of equipment off-premises 145
Secure disposal or re-use of equipment 146
12. General security controls 147
Clear desk and clear screen policy 147
Removal of property 148
13. Communications and operations management 151
Documented operating procedures 151
Operational change control 153
Incident management procedures 154
Segregation of duties 156
Separation of development and operational facilities 156
External facilities management 157
System planning and acceptance 158
14. Controls against malicious software (malware) 163
Viruses, worms and Trojans 163
Anti-malware software 164
Hoax messages 166
Anti-malware controls 167
Airborne viruses 169
15. Housekeeping, network management and media handling 171
Network management 175
Media handling and security 177
16. Exchanges of information and software 181
Information and software exchange agreements 181
Security of media in transit 182
Electronic commerce security 183
Security technologies 185
Server security 188
Security of electronic office systems 189
Publicly available systems 191
Other forms of information exchange 193
17. E-mail and Internet use 197
Security risks in e-mail 197
Misuse of the Internet 199
Internet Acceptable Use Policy (AUP) 201
18. Access control 205
Hackers 205
Hacker techniques 206
System configuration 209
Access control policy 209
19. Network access control 221
Networks 221
Network security 225
20. Operating system access control 233
Automatic terminal identification 233
Terminal logon procedures 234
User identification and authentication 235
Password management system 235
Use of system utilities 236
Duress alarms 237
Terminal time-out 237
Limitation of connection time 237
21. Application access control 239
Monitoring system access and use 241
22. Mobile computing and teleworking 245
Mobile computing 245
Teleworking 246
23. Systems development and maintenance 249
Security requirements analysis and specification 249
Security in application systems 250
24. Cryptographic controls 253
Encryption 254
Public Key Infrastructure (PKI) 255
Digital signatures 256
Non-repudiation services 256
Key management 257
25. Security in development and support processes 259
System files 259
Access control to program source library 260
Development and support processes 261
26. Business continuity management 265
Business continuity management process 265
Business continuity and impact analysis 266
Writing and implementing continuity plans 267
Business continuity planning framework 268
Testing, maintaining and re-assessing business continuity plans 272
27. Compliance 277
Identification of applicable legislation 277
Intellectual Property Rights (IPR) 283
Safeguarding of organizational records 287
Data protection and privacy of personal information 288
Prevention of misuse of information processing facilities 289
Regulation of cryptographic controls 289
Collection of evidence 290
Review of security policy, technical compliance and internal ISMS audits 291
System audit considerations 293
28. The BS 7799 audit 295
Selection of auditors 295
Initial visit 296
Preparation for audit 297
Appendices 301
I. Useful websites 303
Consultancy firms 303
BS 7799 certification organizations 303
E-learning 304
Microsoft 304
Information security 304
Accounting, finance and economics 306
Business, management and governance 307
Contingency planning and disaster recovery 307
Information technology 308
Risk management 309
II. BS 7799-2:2002 311
III. Further reading 317
Index 319
