
Security policies and implementation issues

Author: Rob Johnson; Mark S Merkow
Publisher: Sudbury, MA : Jones & Bartlett Learning, ©2011.
Series: Jones & Bartlett Learning information systems security & assurance series.
Edition/Format: Print book : English

Details

Document Type: Book
All Authors / Contributors: Rob Johnson; Mark S Merkow
ISBN: 9780763791322 0763791326
OCLC Number: 650217961
Description: xvii, 437 pages : illustrations ; 24 cm.
Contents: pt. ONE Need for IT Security Policy Frameworks --
ch. 1 Information Systems Security Policy Management --
What Is Information Systems Security? --
Information Systems Security Management Life Cycle --
What is Information Assurance? --
Confidentiality --
Integrity --
Nonrepudiation --
Why Is Governance Important? --
What Are Information Systems Security Policies? --
Where Do Information Systems Security Policies Fit Within an Organization? --
Why Information Systems Security Policies are Important --
Policies That Support Operational Success --
Challenges of Running a Business Without Policies --
Dangers of Not Implementing Policies --
Dangers of Implementing the Wrong Policies --
When Do You Need Information Systems Security Policies? --
Business Process Reengineering (BPR) --
Continuous Improvement --
Problem Related --
Why Enforcing and Winning Acceptance for Policies Is Challenging --
Chapter Summary --
Key Concepts and Terms --
ch. 1 Assessment --
ch. 2 Business Drivers for Information Security Policies --
Why Are Business Drivers Important? --
Maintaining Compliance --
Compliance Requires Proper Security Controls --
Security Controls Must Include Information Security Policies --
Relationship Between Security Controls and Information Security Policy --
Mitigating Risk Exposure --
Educate Employees and Drive Security Awareness --
Prevent Loss of Intellectual Property --
Protect Digital Assets --
Secure Privacy of Data --
Lower Risk Exposure --
Minimizing Liability of the Organization --
Separation Between Employer and Employee --
Acceptable Use Policies --
Confidentiality Agreement and Non-Disclosure Agreement --
Business Liability Insurance Policies --
Implementing Policies to Drive Operational Consistency --
Forcing Repeatable Business Processes Across the Entire Organization --
Policies Help Prevent Operational Deviation --
Chapter Summary --
Key Concepts and Terms --
ch. 2 Assessment --
Endnotes --
ch. 3 U.S. Compliance Laws and Information Security Policy Requirements --
U.S. Compliance Laws --
What Are They? --
Why Did They Come About? --
Whom Do the Laws Protect? --
Which Laws Require Proper Security Controls Including Policies? --
Which Laws Require Proper Security Controls for Handling Privacy Data? --
Aligning Security Policies and Controls with Regulations --
Industry Leading Practices and Self-Regulation --
Some Important Industry Standards --
Payment Card Industry Data Security Standard (PCI DSS) --
Statement on Auditing Standard 70 (SAS 70) --
Information Technology Infrastructure Library (ITIL) --
Chapter Summary --
Key Concepts and Terms --
ch. 3 Assessment --
Endnotes --
ch. 4 Business Challenges Within the Seven Domains of IT Responsibility --
Seven Domains of a Typical IT Infrastructure --
User Domain --
Workstation Domain --
LAN Domain --
LAN-to-WAN Domain --
WAN Domain --
Remote Access Domain --
System/Application Domain --
Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains --
User Domain --
Workstation Domain --
LAN Domain --
LAN-to-WAN Domain --
WAN Domain --
Remote Access Domain --
System/Application Domain --
Chapter Summary --
Key Concepts and Terms --
ch. 4 Assessment --
ch. 5 Information Security Policy Implementation Issues --
Human Nature in the Workplace --
Basic Elements of Motivation --
Personality Types of Employees --
Leadership, Values, and Ethics --
Organizational Structure --
Flat Organizations --
Hierarchical Organizations --
Challenge of User Apathy --
Importance of Executive Management Support --
Selling Information Security Policies to an Executive --
Before, During, and After Policy Implementation --
Role of Human Resources --
Relationship Between HR and Security Policies --
Lack of Support --
Policy Roles, Responsibilities, and Accountability --
Change Model --
Responsibilities During Change --
Roles and Accountabilities --
When Policy Fulfillment Is Not Part of Job Descriptions --
Impact on Entrepreneurial Productivity and Efficiency --
Applying Security Policies to an Entrepreneurial Business --
Tying Security Policy to Performance and Accountability --
Success Is Dependent Upon Proper Interpretation and Enforcement --
Chapter Summary --
Key Concepts and Terms --
ch. 5 Assessment --
Endnote --
pt. TWO Types of Policies and Appropriate Frameworks --
ch. 6 IT Security Policy Frameworks --
What Is an IT Policy Framework? --
What Is a Program Framework Policy or Charter? --
Industry-Standard Policy Frameworks --
What Is a Policy? --
What Are Standards? --
What Are Procedures? --
What Are Guidelines? --
Business Considerations for the Framework --
Roles for Policy and Standards Development and Compliance --
Information Assurance Considerations --
Confidentiality --
Integrity --
Availability --
Authentication --
Nonrepudiation --
Information Systems Security Considerations --
Unauthorized Access to and Use of the System --
Unauthorized Disclosure of the Information --
Disruption of the System or Services --
Modification of Information --
Destruction of Information Resources --
Best Practices for IT Security Policy Framework Creation --
Case Studies in Policy Framework Development --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Protection Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 6 Assessment --
ch. 7 How to Design, Organize, Implement, and Maintain IT Security Policies --
Policies and Standards Design Considerations --
Principles for Policy and Standards Development --
Types of Controls for Policies and Standards --
Document Organization Considerations --
Sample Templates --
Considerations For Implementing Policies and Standards --
Reviews and Approvals --
Publishing Your Policies and Standards Library --
Awareness and Training --
Policy Change Control Board --
Business Drivers for Policy and Standards Changes --
Maintaining Your Policies and Standards Library --
Updates and Revisions --
Best Practices for Policies and Standards Maintenance --
Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Example --
Chapter Summary --
Key Concepts and Terms --
ch. 7 Assessment --
ch. 8 IT Security Policy Framework Approaches --
IT Security Policy Framework Approaches --
Risk Management and Compliance Approach --
Physical Domains of IT Responsibility Approach --
Roles, Responsibilities, and Accountability for Personnel --
Seven Domains of a Typical IT Infrastructure --
Organizational Structure --
Organizational Culture --
Separation of Duties --
Layered Security Approach --
Domain of Responsibility and Accountability --
Governance and Compliance --
IT Security Controls --
IT Security Policy Framework --
Best Practices for IT Security Policy Framework Approaches --
What Is the Difference Between GRC and ERM? --
Case Studies and Examples of IT Security Policy Framework Approaches --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 8 Assessment --
Endnote --
ch. 9 User Domain Policies --
Weakest Link in the Information Security Chain --
Social Engineering --
Human Mistakes --
Insiders --
Six Types of Users --
Employees --
Systems Administrators --
Security Personnel --
Contractors --
Guests and General Public --
Auditors --
Why Govern Users with Policies? --
Acceptable Use Policy (AUP) --
Privileged-Level Access Agreement (PAA) --
Security Awareness Policy (SAP) --
Best Practices for User Domain Policies --
Case Studies and Examples of User Domain Policies --
Private Sector Case Studies --
Public Sector Case Study --
Critical Infrastructure Case Studies --
Chapter Summary --
Key Concepts and Terms --
ch. 9 Assessment --
ch. 10 IT Infrastructure Security Policies --
Anatomy of an Infrastructure Policy --
Format of a Standard --
Workstation Domain Policies --
LAN Domain Policies --
LAN-to-WAN Domain Policies --
WAN Domain Policies --
Remote Access Domain Policies --
System/Application Domain Policies --
Telecommunications Policies --
Best Practices for IT Infrastructure Security Policies --
Case Studies and Examples of IT Infrastructure Security Policies --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 10 Assessment --
ch. 11 Data Classification and Handling Policies and Risk Management Policies --
Data Classification Policies --
Need for Data Classification --
Military Classification Schemes --
Business Classification Schemes --
Developing a Customized Classification Scheme --
Classifying Your Data --
Data Handling Policies --
Need for Policy Governing Data at Rest and in Transit --
Policies, Standards, and Procedures Covering the Data Life Cycle --
Identify Business Risks Related to Information Systems --
Types of Risk --
Development and Need for Policies Based on Risk Management --
Business Impact Analysis (BIA) Policies --
Component Priority --
Component Reliance --
Impact Report --
Development and Need for Policies Based on BIA --
Risk Assessment Policies --
Risk Exposure --
Prioritization of Risk, Threat, and Vulnerabilities --
Risk Management Strategies --
Vulnerability Assessments --
Vulnerability Windows --
Patch Management --
Business Continuity Planning (BCP) Policies --
Dealing with Loss of Systems, Applications, or Data Availability --
Continuity of Operations Plan (COOP) --
Response and Recovery Time Objectives (RTO) Policies Based on the BIA --
Disaster Recovery Plan (DRP) Policies --
Disaster Declaration Policy --
Assessment of the Severity of the Disaster and Potential Downtime --
Dealing with Natural Disasters, Man-Made Disasters, and Catastrophic Loss --
Disaster Recovery Procedures for Mission-Critical System, Application, or Data Functionality and Recovery --
RTO Policies Based on Disaster Scenario --
Best Practices for Risk Management Policies --
Case Studies and Examples of Risk Management Policies --
Private Sector Case Example --
Public Sector Case Example --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 11 Assessment --
ch. 12 Incident Response Team (IRT) Policies --
Incident Response Policy --
What Is an Incident? --
Incident Classification --
Response Team Charter --
Incident Response Team Members --
Responsibilities During an Incident --
Users on the Front Line --
System Administrators --
Information Security Personnel --
Management --
Support Services --
Other Key Roles --
Procedures for Incident Response --
Discovering an Incident --
Reporting an Incident --
Containing and Minimizing the Damage --
Cleaning Up After the Incident --
Documenting the Incident and Actions --
Analyzing the Incident and Response --
Creating Mitigation to Prevent Future Incidents --
Handling the Media and What to Disclose --
Best Practices for Incident Response Policies --
Case Studies and Examples of Incident Response Policies --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 12 Assessment --
pt. THREE Implementing and Maintaining an IT Security Policy Framework --
ch. 13 IT Security Policy Implementations --
Implementation Issues for IT Security Policies --
Organizational Challenges --
Organizational and Cultural Change --
Organizational and Individual Acceptance --
Security Awareness Policy Implementations --
Development of an Organization-Wide Security Awareness Policy --
Conducting Security Awareness Training Sessions --
Executive Management Sponsorship --
Human Resources (HR) Ownership of New Employee Orientation --
Review of Acceptable Use Policies (AUPs) --
Information Dissemination --
How to Educate Employees --
Hard Copy Dissemination --
Posting Policies on the Intranet --
Using E-mail --
Brown Bag Lunch and Learning Sessions --
Overcoming Technical Hindrances --
Distributed Infrastructure --
Outdated Technology --
Lack of Standardization Throughout the IT Infrastructure --
Overcoming Nontechnical Hindrances --
Distributed Environment --
User Types --
Lack of Executive Management Support --
Best Practices for IT Security Policy Implementations --
Case Studies and Examples of Successful IT Security Policy Implementations --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 13 Assessment --
Endnote --
ch. 14 IT Security Policy Enforcement --
Organizational Support for IT Security Policy Enforcement --
Executive Management Must Provide Sponsorship --
Hierarchical Organizational Approach to Ensure Roles, Responsibilities, and Accountabilities are Defined for Security Policy Implementation --
Front-Line Managers and Supervisors Must Take Responsibility and Accept Accountability --
Grass-Roots Employees --
Organization's Right to Monitor User Actions and Traffic --
Compliance Law: Requirement or Risk Management? --
What Is Law and What Is Policy? --
What Security Controls Work to Enforce Protection of Privacy Data? --
What Automated Security Controls Can Be Implemented Through Policy? --
What Manual Security Controls Assist with Enforcement? --
Legal Implications of IT Security Policy Enforcement --
Who Is Ultimately Liable for Risk, Threats, and Vulnerabilities? --
Where Must IT Security Policy Enforcement Come From? --
Best Practices for IT Security Policy Enforcement --
Case Studies and Examples of Successful IT Security Policy Enforcement --
Private Sector Case Study --
Public Sector Case Study --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 14 Assessment --
ch. 15 IT Policy Compliance Systems and Emerging Technologies --
Defining a Baseline Definition for Information Systems Security --
Policy-Defining Overall IT Infrastructure Security Definition --
Vulnerability Window and Information Security Gap Definition --
Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance --
Automated Systems --
Manual Tracking and Reporting --
Random Audits and Departmental Compliance --
Overall Organizational Report Card for Policy Compliance --
Automating IT Security Policy Compliance --
Automated Policy Distribution --
Configuration Management and Change Control Management --
Collaboration and Policy Compliance across Business Areas --
Version Control for Policy Implementation Guidelines and Compliance --
Emerging Technologies and Solutions --
SCAP --
SNMP --
WBEM --
WMI --
Digital Signing --
Best Practices for IT Security Policy Compliance Monitoring --
Case Studies and Examples of Successful IT Security Policy Compliance Monitoring --
Private Sector Case Studies --
Public Sector Case Study --
Critical Infrastructure Case Study --
Chapter Summary --
Key Concepts and Terms --
ch. 15 Assessment.
Series Title: Jones & Bartlett Learning information systems security & assurance series.
Responsibility: Rob Johnson with Mike [i.e. Mark] Merkow.

Abstract:

The study of information system security concepts and domains is an essential part of the education of computer science students and professionals alike. Security Policies and Implementation Issues offers a comprehensive, end-to-end view of information security policies and frameworks from the raw organizational mechanics of building to the psychology of implementation. It presents an effective balance between technical knowledge and soft skills, and introduces many different concepts of information security in clear, simple terms such as governance, regulatory mandates, business drivers, legal considerations, and much more. With step-by-step examples and real-world exercises, this book is a must-have resource for students, security officers, auditors, and risk leaders looking to fully understand the process of implementing successful sets of security policies and frameworks.

The Jones & Bartlett Learning: Information Systems Security & Assurance Series delivers fundamental IT security principles packed with real-world applications and examples for IT Security, Cybersecurity, Information Assurance, and Information Systems Security programs. Authored by Certified Information Systems Security Professionals (CISSPs) and reviewed by leading technical experts in the field, these books are current, forward-thinking resources that enable readers to solve the cybersecurity challenges of today and tomorrow. --Book Jacket.


Linked Data


Primary Entity

<http://www.worldcat.org/oclc/650217961> # Security policies and implementation issues
    a schema:CreativeWork, schema:Book ;
    library:oclcnum "650217961" ;
    library:placeOfPublication <http://experiment.worldcat.org/entity/work/data/787151509#Place/sudbury_ma> ; # Sudbury, MA
    library:placeOfPublication <http://id.loc.gov/vocabulary/countries/mau> ;
    schema:about <http://experiment.worldcat.org/entity/work/data/787151509#Topic/proteccion_de_datos> ; # Protección de datos
    schema:about <http://experiment.worldcat.org/entity/work/data/787151509#Topic/seguridad_informatica> ; # Seguridad informática
    schema:about <http://experiment.worldcat.org/entity/work/data/787151509#Topic/redes_de_computadoras_medidas_de_seguridad> ; # Redes de computadoras--Medidas de seguridad
    schema:about <http://dewey.info/class/005.8/e23/> ;
    schema:about <http://id.worldcat.org/fast/872484> ; # Computer security
    schema:bookFormat bgn:PrintBook ;
    schema:contributor <http://viaf.org/viaf/77149073> ; # Mark S. Merkow
    schema:copyrightYear "2011" ;
    schema:creator <http://viaf.org/viaf/170490684> ; # Robert Johnson
    schema:datePublished "2011" ;
    schema:description "The Jones & Bartlett Learning: Information Systems Security & Assurance Series delivers fundamental IT security principles packed with real-world applications and examples for IT Security, Cybersecurity, Information Assurance, and Information Systems Security programs. Authored by Certified Information Systems Security Professionals (CISSPs) and reviewed by leading technical experts in the field, these books are current, forward-thinking resources that enable readers to solve the cybersecurity challenges of today and tomorrow. --Book Jacket."@en ;
    schema:description "The study of information system security concepts and domains is an essential part of the education of computer science students and professionals alike. Security Policies and Implementation Issues offers a comprehensive, end-to-end view of information security policies and frameworks from the raw organizational mechanics of building to the psychology of implementation. It presents an effective balance between technical knowledge and soft skills, and introduces many different concepts of information security in clear, simple terms such as governance, regulatory mandates, business drivers, legal considerations, and much more. With step-by-step examples and real-world exercises, this book is a must-have resource for students, security officers, auditors, and risk leaders looking to fully understand the process of implementing successful sets of security policies and frameworks."@en ;
    schema:exampleOfWork <http://worldcat.org/entity/work/id/787151509> ;
    schema:inLanguage "en" ;
    schema:isPartOf <http://experiment.worldcat.org/entity/work/data/787151509#Series/jones_&_bartlett_learning_information_systems_security_&_assurance_series> ; # Jones & Bartlett Learning information systems security & assurance series.
    schema:name "Security policies and implementation issues"@en ;
    schema:productID "650217961" ;
    schema:publication <http://www.worldcat.org/title/-/oclc/650217961#PublicationEvent/sudbury_ma_jones_&_bartlett_learning_2011> ;
    schema:publisher <http://experiment.worldcat.org/entity/work/data/787151509#Agent/jones_&_bartlett_learning> ; # Jones & Bartlett Learning
    schema:workExample <http://worldcat.org/isbn/9780763791322> ;
    wdrs:describedby <http://www.worldcat.org/title/-/oclc/650217961> ;
    .


Related Entities

<http://experiment.worldcat.org/entity/work/data/787151509#Agent/jones_&_bartlett_learning> # Jones & Bartlett Learning
    a bgn:Agent ;
    schema:name "Jones & Bartlett Learning" ;
    .

<http://experiment.worldcat.org/entity/work/data/787151509#Series/jones_&_bartlett_learning_information_systems_security_&_assurance_series> # Jones & Bartlett Learning information systems security & assurance series.
    a bgn:PublicationSeries ;
    schema:hasPart <http://www.worldcat.org/oclc/650217961> ; # Security policies and implementation issues
    schema:name "Jones & Bartlett Learning information systems security & assurance series." ;
    schema:name "Jones & Bartlett Learning information systems security & assurance series" ;
    .

<http://experiment.worldcat.org/entity/work/data/787151509#Topic/proteccion_de_datos> # Protección de datos
    a schema:Intangible ;
    schema:name "Protección de datos"@en ;
    .

<http://experiment.worldcat.org/entity/work/data/787151509#Topic/redes_de_computadoras_medidas_de_seguridad> # Redes de computadoras--Medidas de seguridad
    a schema:Intangible ;
    schema:name "Redes de computadoras--Medidas de seguridad"@en ;
    .

<http://experiment.worldcat.org/entity/work/data/787151509#Topic/seguridad_informatica> # Seguridad informática
    a schema:Intangible ;
    schema:name "Seguridad informática"@en ;
    .

<http://id.worldcat.org/fast/872484> # Computer security
    a schema:Intangible ;
    schema:name "Computer security"@en ;
    .

<http://viaf.org/viaf/170490684> # Robert Johnson
    a schema:Person ;
    schema:familyName "Johnson" ;
    schema:givenName "Robert" ;
    schema:givenName "Rob" ;
    schema:name "Robert Johnson" ;
    .

<http://viaf.org/viaf/77149073> # Mark S. Merkow
    a schema:Person ;
    schema:familyName "Merkow" ;
    schema:givenName "Mark S." ;
    schema:name "Mark S. Merkow" ;
    .

<http://worldcat.org/isbn/9780763791322>
    a schema:ProductModel ;
    schema:isbn "0763791326" ;
    schema:isbn "9780763791322" ;
    .

