E-book, English, 240 pages
Wylder, Strategic Information Security
Year of publication: 2003
ISBN: 978-0-203-49708-1
Publisher: Taylor & Francis
Format: PDF
Copy protection: Adobe DRM (see system requirements)
The new emphasis on physical security resulting from the terrorist threat has forced many information security professionals to struggle to maintain their organization's focus on protecting information assets. In order to command attention, they need to emphasize the broader role of information security in the strategy of their companies. Until now, however, most books about strategy and planning have focused on the production side of the business, rather than operations.
Strategic Information Security integrates the importance of sound security policy with the strategic goals of an organization. It provides IT professionals and management with insight into the issues surrounding the goals of protecting valuable information assets. This text reiterates that an effective information security program relies on more than policies or hardware and software; instead, it hinges on a mindset in which security is a core part of the business and not just an afterthought.
Armed with the content contained in this book, security specialists can redirect the discussion of security towards the terms and concepts that management understands. This increases the likelihood of obtaining the funding and managerial support that is needed to build and maintain airtight security programs.
Target audience
CIOs, MIS managers; students; business managers
Further information & material (table of contents)
Introduction to Strategic Information Security
What Does It Mean to Be Strategic?
Information Security Defined
The Security Professional's View of Information Security
The Business View of Information Security
Changes Affecting Business and Risk Management
Strategic Security
Strategic Security or Security Strategy?
Monitoring and Measurement
Moving Forward
ORGANIZATIONAL ISSUES
The Life Cycles of Security Managers
Introduction
The Information Security Manager's Responsibilities
The Evolution of Data Security to Information Security
The Repository Concept
Changing Job Requirements
Business Life Cycles and the Evolution of an Information Security Program
The Introductory Phase
The Early Growth Phase
The Rapid Growth Phase
The Maturity Phase
Skill Changes over Time
Conclusion
Chief Security Officer or Chief Information Security Officer
Introduction
Organizational Issues
Justifying the Importance and Role of Security in Business
Risk Management Issues Affecting Organizational Models
Chief Information Security Officer (CISO) Role Defined
The Chief Security Officer (CSO) Role Defined
Organizational Models and Issues
Organization Structure and Reporting Models
Choosing the Right Organization Model
RISK MANAGEMENT TOPICS
Information Security and Risk Management
Introduction
The Information Technology View of Threats, Vulnerabilities, and Risks
Business View of Threats, Vulnerabilities, and Risks
The Economists' Approach to Understanding Risk
Total Risk
Technology Risk
Information Risk
Information Risk Formula
Protection Mechanisms and Risk Reduction
Matching Protection Mechanisms to Risks
The Risk Protection Matrix
Conclusion
Establishing Information Ownership
Establishing Information Ownership
Centralized Information Security
Local Administrators vs. Information Owners
Transferring Ownership
Operations Orientation of Information Ownership
Information Ownership in Larger Organizations
Information as an Asset
Decentralized vs. Centralized Information Security Controls
Ownership and Information Flow
Information Ownership Hierarchy
Functional Owners of Information
Income Statement Information Owners
Information Value
Statement of Condition Information Owners
Conclusion
The Network as the Enterprise Database
Introduction
A Historical View of Data and Data Management
Management Information Systems (MIS)
Executive Information Systems (EIS)
The Evolving Network
The Network as the Database
Conclusion
Risk Reduction Strategies
Introduction
Information Technology Risks
Evaluating the Alternatives
Improving Security from the Bottom Up: Moving Toward a New Way of Enforcing Security Policy
Encouraging Personal Accountability for Corporate Information Security Policy
Background
The Problem
The Role of the Chief Information Security Officer (CISO) in Improving Security
Centralized Management vs. Decentralized Management
Security Policy and Enforcement Alternatives
Policy Compliance and the Human Resources Department
Personal Accountability
Conclusion
Authentication Models and Strategies
Introduction to Authentication
Authentication Defined
Authentication Choices
Public Key Infrastructure
Administration and Authentication: Management Issues
Identity Theft
Risks and Threats Associated with Authentication Schemes
Other Strategic Issues Regarding Authentication Systems
Conclusion
INFORMATION SECURITY PRINCIPLES AND PRACTICES
Single Sign-On Security
Overview
The Authentication Dilemma
The Many Definitions of Single Sign-On
Risks Associated with Single Sign-On
Single Sign-On Alternative: A More In-Depth Review
User Provisioning
Authentication and Single Sign-On
Crisis Management: A Strategic Viewpoint
Introduction
Crisis Defined
Benefits from a Formal Crisis Management Process
Escalation and Notification
Organizational Issues and Structures for Dealing with Crisis Management
Strategies for Managing through a Crisis
Creating a Formalized Response for Crisis Management
Conclusion
Business Continuity Planning
Introduction
Types of Outages and Disasters
Outages
Planning for a Disaster
Roles and Responsibilities
Plan Alternatives and Decision Criteria
Risk Mitigation vs. Risk Elimination
Preparation: Writing the Plan
Testing and Auditing the Plan
Issues for Executive Management
Conclusion
Security Monitoring: Advanced Security Management
Introduction
Monitoring vs. Auditing
Activity Monitoring and Audit Trails
How Security Information Management Systems Work
Other Security Information Monitoring Sources
Privacy and Security Monitoring
Reactions to Security Monitoring Information
Problems with Security Monitoring
Senior Management Issues and Security Monitoring
Auditing and Testing a Strategic Control Process
Introduction: The Role of Auditing and Testing
Auditing and Security Management
Security Audits
Information Protection
Audit Logs and Audit Trails
Security Testing and Analysis
Application Controls and Strategic Security Goals
Reporting of Security Problems and the Role of the Auditor
Auditing, Testing, and Strategic Security
Outsourcing Security: Strategic Management Issues
Information Security Operations and Security Management
Management Issues Regarding the Outsourcing Decision
Outsourced Security Alternatives
Return on Investment (ROI) with Outsourced Services
Contract Issues for Security Outsourcing
Integration of Outsourcing with Internal Operational Functions
Risks Associated with Outsourcing Security Functions
Business Continuity Planning and Security Outsourcing
Strategic Management Issues with Outsourced Security
Final Thoughts on Strategic Security
Executive Management and Security Management
The Future of Information Security and the Challenges Ahead
Appendix: Helpful Internet Resources