Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES

Security Policies and Implementation Issues, Third Edition offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementation. Written by industry experts, the new Third Edition presents an effective balance between technical knowledge and soft skills, while introducing many different information security concepts, such as governance, regulatory mandates, business drivers, and legal considerations, in clear, simple terms. With step-by-step examples and real-world exercises, this book is a must-have resource for students, security officers, auditors, and risk leaders looking to fully understand the process of implementing successful sets of security policies and frameworks.

Instructor Materials for Security Policies and Implementation Issues include:

PowerPoint Lecture Slides
Instructor's Guide
Sample Course Syllabus
Quiz & Exam Questions
Case Scenarios/Handouts

About the Series
This book is part of the Information Systems Security and Assurance Series from Jones and Bartlett Learning. Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Brief Contents
  5. Contents
  6. Dedication
  7. Preface
  8. Acknowledgments
  9. About the Authors
  10. CHAPTER 1 Information Systems Security Policy Management
    1. What Is Information Systems Security?
      1. Information Systems Security Management Life Cycle
        1. Align, Plan, and Organize
        2. Build, Acquire, and Implement
        3. Deliver, Service, and Support
        4. Monitor, Evaluate, and Assess
        5. ISO/IEC 38500
    2. What Is Information Assurance?
      1. Confidentiality
      2. Integrity
        1. Authentication
        2. Availability
      3. Nonrepudiation
    3. What Is Governance?
    4. Why Is Governance Important?
    5. What Are Information Systems Security Policies?
      1. How Policies and Standards Differ
      2. How Policies and Procedures Differ
    6. Creating Policies
    7. Where Do Information Systems Security Policies Fit Within an Organization?
    8. Why Information Systems Security Policies Are Important
      1. Policies That Support Operational Success
      2. Challenges of Running a Business Without Policies
      3. Dangers of Not Implementing Policies
      4. Dangers of Implementing the Wrong Policies
    9. When Do You Need Information Systems Security Policies?
      1. Business Process Reengineering (BPR)
      2. Continuous Improvement
      3. Making Changes in Response to Problems
    10. Why Enforcing and Winning Acceptance for Policies Is Challenging
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 1 ASSESSMENT
    14. ENDNOTES
  11. CHAPTER 2 Business Drivers for Information Security Policies
    1. Why Are Business Drivers Important?
    2. Maintaining Compliance
      1. Compliance Requires Proper Security Controls
      2. Security Controls Enforce Information Security Policies
        1. Preventive Security Controls
        2. Detective Security Control
        3. Corrective Security Control
        4. Mitigating Security Controls
    3. Mitigating Risk Exposure
      1. Educate Employees and Drive Security Awareness
      2. Prevent Loss of Intellectual Property
        1. Labeling Data and Data Classification
      3. Protect Digital Assets
      4. Secure Privacy of Data
        1. Full Disclosure and Data Encryption
      5. Lower Risk Exposure
    4. Minimizing Liability of the Organization
      1. Separation Between Employer and Employee
      2. Acceptable Use Policies
      3. Confidentiality Agreement and Nondisclosure Agreement
      4. Business Liability Insurance Policies
    5. Implementing Policies to Drive Operational Consistency
      1. Forcing Repeatable Business Processes Across the Entire Organization
      2. Differences Between Mitigating and Compensating Controls
      3. Policies Help Prevent Operational Deviation
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 2 ASSESSMENT
    9. ENDNOTES
  12. CHAPTER 3 Compliance Laws and Information Security Policy Requirements
    1. U.S. Compliance Laws
      1. What Are U.S. Compliance Laws?
        1. Federal Information Security Management Act (FISMA)
        2. Health Insurance Portability and Accountability Act (HIPAA)
        3. HITECH
        4. Gramm-Leach-Bliley Act (GLBA)
        5. Sarbanes-Oxley (SOX) Act
        6. Family Educational Rights and Privacy Act (FERPA)
        7. Children’s Internet Protection Act (CIPA)
      2. Why Did U.S. Compliance Laws Come About?
    2. Whom Do the Laws Protect?
    3. Which Laws Require Proper Security Controls to Be Included in Policies?
    4. Which Laws Require Proper Security Controls for Handling Privacy Data?
    5. Aligning Security Policies and Controls with Regulations
    6. Industry Leading Practices and Self-Regulation
    7. Some Important Industry Standards
      1. Payment Card Industry Data Security Standard (PCI DSS)
      2. Clarified Statement on Standards for Attestation Engagements No. 18 (SSAE18)
      3. Information Technology Infrastructure Library (ITIL)
    8. International Laws
      1. General Data Protection Regulation (GDPR)
      2. European Telecommunications Standards Institute (ETSI)
      3. Asia-Pacific Economic Framework (APEC)
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 3 ASSESSMENT
    12. ENDNOTES
  13. CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
    1. The Seven Domains of a Typical IT Infrastructure
      1. User Domain
      2. Workstation Domain
      3. LAN Domain
      4. LAN-to-WAN Domain
      5. WAN Domain
      6. Remote Access Domain
      7. System/Application Domain
    2. Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
      1. User Domain
      2. Workstation Domain
      3. LAN Domain
      4. LAN-to-WAN Domain
      5. WAN Domain
      6. Remote Access Domain
      7. System/Application Domain
        1. Inventory
        2. Perimeter
        3. Device Management
    3. CHAPTER SUMMARY
    4. KEY CONCEPTS AND TERMS
    5. CHAPTER 4 ASSESSMENT
    6. ENDNOTES
  14. CHAPTER 5 Information Security Policy Implementation Issues
    1. Human Nature in the Workplace
      1. Basic Elements of Motivation
        1. Pride
        2. Self-Interest
        3. Success
      2. Personality Types of Employees
      3. Leadership, Values, and Ethics
    2. Organizational Structures
      1. Flat Organizations
      2. Hierarchical Organizations
        1. Advantages of a Hierarchical Model
        2. Disadvantages of a Hierarchical Model
    3. The Challenge of User Apathy
    4. The Importance of Executive Management Support
      1. Selling Information Security Policies to an Executive
      2. Before, During, and After Policy Implementation
    5. The Role of Human Resources Policies
      1. Relationship Between HR and Security Policies
      2. Lack of Support
    6. Policy Roles, Responsibilities, and Accountability
      1. Change Model
      2. Responsibilities During Change
        1. Step 1: Create Urgency
        2. Step 2: Create a Powerful Coalition
        3. Step 3: Create a Vision for Change
        4. Step 4: Communicate the Vision
        5. Step 5: Remove Obstacles
        6. Step 6: Create Short-Term Wins
        7. Step 7: Build on the Change
        8. Step 8: Anchor the Changes in Corporate Culture
      3. Roles and Accountabilities
    7. When Policy Fulfillment Is Not Part of Job Descriptions
    8. Impact on Entrepreneurial Productivity and Efficiency
    9. Tying Security Policy to Performance and Accountability
    10. CHAPTER SUMMARY
    11. KEY CONCEPTS AND TERMS
    12. CHAPTER 5 ASSESSMENT
    13. ENDNOTES
  15. CHAPTER 6 IT Security Policy Frameworks
    1. What Is an IT Policy Framework?
    2. What Is a Program Framework Policy or Charter?
      1. Purpose and Mission
      2. Scope
      3. Responsibilities
      4. Compliance
      5. Industry-Standard Policy Frameworks
        1. ISO/IEC 27002 (2015)
        2. ISO/IEC 30105
        3. ISO 27007
        4. NIST Special Publication (SP) 800-53
      6. What Is a Policy?
      7. What Are Standards?
        1. Issue-Specific or Control Standards
        2. System-Specific or Baseline Standards
      8. What Are Procedures?
        1. Exceptions to Standards
      9. What Are Guidelines?
    3. Business Considerations for the Framework
      1. Roles for Policy and Standards Development and Compliance
    4. Information Assurance Considerations
      1. Confidentiality
      2. Integrity
      3. Availability
    5. Information Systems Security Considerations
      1. Unauthorized Access to and Use of the System
      2. Unauthorized Disclosure of the Information
      3. Disruption of the System or Services
      4. Modification of Information
      5. Destruction of Information Resources
    6. Best Practices for IT Security Policy Framework Creation
    7. Case Studies in Policy Framework Development
      1. Private Sector Case Study
      2. Private Sector Case Study Two
      3. Public Sector Case Study
      4. Private Sector Case Study Three
    8. CHAPTER SUMMARY
    9. KEY CONCEPTS AND TERMS
    10. CHAPTER 6 ASSESSMENT
    11. ENDNOTES
  16. CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
    1. Policies and Standards Design Considerations
      1. Operating Models
      2. Principles for Policy and Standards Development
      3. The Importance of Transparency with Regard to Customer Data
      4. Types of Controls for Policies and Standards
        1. Security Control Types
    2. Document Organization Considerations
      1. Sample Templates
        1. Sample Policy Template
        2. Sample Standard Template
        3. Sample Procedure Template
        4. Sample Guideline Template
    3. Considerations for Implementing Policies and Standards
      1. Building Consensus on Intent
      2. Reviews and Approvals
      3. Publishing Your Policy and Standards Library
      4. Awareness and Training
        1. Security Newsletter
        2. Security Articles
        3. What Is...?
        4. Ask Us
        5. Security Resources
        6. Contacts
        7. Policy Change Control Board
      5. Business Drivers for Policy and Standards Changes
    4. Maintaining Your Policy and Standards Library
      1. Updates and Revisions
    5. Best Practices for Policies and Standards Maintenance
    6. Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
      1. Private Sector Case Study 1
      2. Private Sector Case Study 2
      3. Public Sector Case Study
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 7 ASSESSMENT
    10. ENDNOTES
  17. CHAPTER 8 IT Security Policy Framework Approaches
    1. IT Security Policy Framework Approaches
      1. Risk Management and Compliance Approach
      2. The Physical Domains of IT Responsibility Approach
    2. Roles, Responsibilities, and Accountability for Personnel
      1. The Seven Domains of a Typical IT Infrastructure
      2. Organizational Structure
      3. Organizational Culture
    3. Separation of Duties
      1. Layered Security Approach
      2. Domain of Responsibility and Accountability
        1. First Line of Defense
        2. Second Line of Defense
        3. Third Line of Defense
    4. Governance and Compliance
      1. IT Security Controls
      2. IT Security Policy Framework
    5. Best Practices for IT Security Policy Framework Approaches
      1. What Is the Difference Between GRC and ERM?
    6. Case Studies and Examples of IT Security Policy Framework Approaches
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. E-Commerce Case Study
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 8 ASSESSMENT
    10. ENDNOTES
  18. CHAPTER 9 User Domain Policies
    1. The Weakest Link in the Information Security Chain
      1. Social Engineering
      2. Phishing
      3. Human Mistakes
      4. Insiders
    2. Seven Types of Users
      1. Employees
      2. Systems Administrators
      3. Security Personnel
      4. Contractors
      5. Vendors
      6. Guests and General Public
      7. Control Partners
      8. Contingent
      9. System
    3. Why Govern Users with Policies?
    4. Acceptable Use Policy (AUP)
    5. The Privileged-Level Access Agreement (PAA)
    6. Security Awareness Policy (SAP)
    7. Best Practices for User Domain Policies
    8. Understanding Least Access Privileges and Best Fit Access Privileges
    9. Case Studies and Examples of User Domain Policies
      1. Government Laptop Compromised
      2. The NASA Raspberry Pi
      3. Defense Data Stolen
    10. CHAPTER SUMMARY
    11. KEY CONCEPTS AND TERMS
    12. CHAPTER 9 ASSESSMENT
  19. CHAPTER 10 IT Infrastructure Security Policies
    1. Anatomy of an Infrastructure Policy
      1. Format of a Standard
    2. Workstation Domain Policies
      1. Control Standards
      2. Baseline Standards
        1. Procedures
        2. Guidelines
    3. Mobile Device Domain Policies
    4. LAN Domain Policies
      1. Control Standards
      2. Baseline Standards
      3. Procedures
      4. Guidelines
    5. LAN-to-WAN Domain Policies
      1. Control Standards
      2. Baseline Standards
      3. Procedures
      4. Guidelines
    6. WAN Domain Policies
      1. Control Standards
      2. Baseline Standards
      3. Procedures
      4. Guidelines
    7. Remote Access Domain Policies
      1. Control Standards
      2. Baseline Standards
      3. Procedures
      4. Guidelines
    8. System/Application Domain Policies
      1. Control Standards
      2. Baseline Standards
      3. Procedures
      4. Guidelines
    9. Telecommunications Policies
      1. Control Standards
      2. Baseline Standards
      3. Procedures
      4. Guidelines
    10. Best Practices for IT Infrastructure Security Policies
    11. Cloud Security Policies
    12. Case Studies and Examples of IT Infrastructure Security Policies
      1. State Government Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    13. CHAPTER SUMMARY
    14. KEY CONCEPTS AND TERMS
    15. CHAPTER 10 ASSESSMENT
  20. CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
    1. Data Classification Policies
      1. When Is Data Classified or Labeled?
      2. The Need for Data Classification
        1. Protecting Information
        2. Retaining Information
        3. Recovering Information
      3. Legal Classification Schemes
      4. Military Classification Schemes
      5. Business Classification Schemes
      6. Developing a Customized Classification Scheme
      7. Classifying Your Data
    2. Data Handling Policies
      1. The Need for Policy Governing Data at Rest and in Transit
      2. Policies, Standards, and Procedures Covering the Data Life Cycle
    3. Identifying Business Risks Related to Information Systems
      1. Types of Risk
      2. Development and Need for Policies Based on Risk Management
    4. Risk and Control Self-Assessment
    5. Risk Assessment Policies
      1. Risk Exposure
      2. Prioritization of Risks, Threats, and Vulnerabilities
      3. Risk Management Strategies
      4. Vulnerability Assessments
      5. Vulnerability Windows
      6. Common Vulnerability Scan Tools
      7. Patch Management
    6. Quality Assurance Versus Quality Control
    7. Best Practices for Data Classification and Risk Management Policies
    8. Case Studies and Examples of Data Classification and Risk Management Policies
      1. Private Sector Case Study 1
      2. Public Sector Case Study
      3. Private Sector Case Study 2
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 11 ASSESSMENT
  21. CHAPTER 12 Incident Response Team (IRT) Policies
    1. Incident Response Policy
      1. What Is an Incident?
    2. Incident Classification
    3. The Response Team Charter
    4. Incident Response Team Members
    5. Responsibilities During an Incident
      1. Users on the Front Line
      2. System Administrators
      3. Information Security Personnel
      4. Management
      5. Support Services
      6. Other Key Roles
    6. Business Impact Analysis (BIA) Policies
      1. Component Priority
      2. Component Reliance
      3. Impact Report
      4. Development and Need for Policies Based on the BIA
    7. Procedures for Incident Response
      1. Discovering an Incident
      2. Reporting an Incident
      3. Containing and Minimizing the Damage
      4. Cleaning Up After the Incident
      5. Documenting the Incident and Actions
      6. Analyzing the Incident and Response
      7. Creating Mitigation to Prevent Future Incidents
      8. Handling the Media and Deciding What to Disclose
      9. Business Continuity Planning Policies
      10. Dealing with Loss of Systems, Applications, or Data Availability
    8. Response and Recovery Time Objectives Policies Based on the BIA
    9. Best Practices for Incident Response Policies
    10. Disaster Recovery Plan Policies
      1. Disaster Declaration Policy
      2. Assessment of the Disaster’s Severity and of Potential Downtime
    11. Case Studies and Examples of Incident Response Policies
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    12. CHAPTER SUMMARY
    13. KEY CONCEPTS AND TERMS
    14. CHAPTER 12 ASSESSMENT
  22. CHAPTER 13 IT Security Policy Implementations
    1. Simplified Implementation Process
    2. Target State
      1. Distributed Infrastructure
      2. Outdated Technology
      3. Lack of Standardization Throughout the IT Infrastructure
    3. Executive Buy-in, Cost, and Impact
      1. Executive Management Sponsorship
      2. Overcoming Nontechnical Hindrances
        1. Distributed Environment
        2. User Types
        3. Organizational Challenges
    4. Policy Language
    5. Employee Awareness and Training
      1. Organizational and Individual Acceptance
      2. Motivation
      3. Developing an Organization-Wide Security Awareness Policy
      4. Conducting Security Awareness Training Sessions
      5. Human Resources Ownership of New Employee Orientation
      6. Review of Acceptable Use Policies (AUPs)
    6. Information Dissemination—How to Educate Employees
      1. Hard Copy Dissemination
      2. Posting Policies on the Intranet
      3. Using Email
      4. Brown Bag Lunches and Learning Sessions
    7. Policy Implementation Issues
    8. Governance and Monitoring
    9. Best Practices for IT Security Policy Implementations
    10. Case Studies and Examples of IT Security Policy Implementations
      1. CIO Magazine
      2. SANS
      3. Public Sector Case Study
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 13 ASSESSMENT
    14. ENDNOTES
  23. CHAPTER 14 IT Security Policy Enforcement
    1. Organizational Support for IT Security Policy Enforcement
      1. Executive Management Sponsorship
      2. Governance Versus Management Organizational Structure
      3. The Hierarchical Organizational Approach to Security Policy Implementation
        1. Project Committee
        2. Architecture Review Committee
        3. External Connection Committee
        4. Vendor Governance Committee
        5. Security Compliance Committee
        6. Operational Risk Committee
      4. Front-Line Managers’ and Supervisors’ Responsibility and Accountability
      5. Grass-Roots Employees
    2. An Organization’s Right to Monitor User Actions and Traffic
      1. Internet Use
      2. Email Use
      3. Computer Use
    3. Compliance Law: Requirement or Risk Management?
    4. What Is Law and What Is Policy?
      1. What Security Controls Work to Enforce Protection of Personal Data?
    5. What Automated Security Controls Can Be Implemented Through Policy?
      1. What Manual Security Controls Assist with Enforcement?
    6. Legal Implications of IT Security Policy Enforcement
    7. Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
      1. Where Must IT Security Policy Enforcement Come From?
    8. Best Practices for IT Security Policy Enforcement
    9. Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
      1. Private Sector Case Study
      2. Public Sector Case Study 1
      3. Public Sector Case Study 2
    10. CHAPTER SUMMARY
    11. KEY CONCEPTS AND TERMS
    12. CHAPTER 14 ASSESSMENT
  24. CHAPTER 15 IT Policy Compliance and Compliance Technologies
    1. Creating a Baseline Definition for Information Systems Security
      1. Policy-Defining Overall IT Infrastructure Security Definition
      2. Vulnerability Window and Information Security Gap Definition
    2. Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
      1. Automated Systems
      2. Random Audits and Departmental Compliance
      3. Overall Organizational Report Card for Policy Compliance
    3. Automating IT Security Policy Compliance
      1. Automated Policy Distribution
        1. Training Administrators and Users
        2. Organizational Acceptance
        3. Testing for Effectiveness
        4. Audit Trails
      2. Configuration Management and Change Control Management
        1. Configuration Management Database
        2. Tracking, Monitoring, and Reporting Configuration Changes
      3. Collaboration and Policy Compliance Across Business Areas
      4. Version Control for Policy Implementation Guidelines and Compliance
    4. Compliance Technologies and Solutions
      1. COSO Internal Control—Integrated Framework
      2. SCAP
      3. SNMP
      4. WBEM
      5. Digital Signing
    5. Best Practices for IT Security Policy Compliance Monitoring
    6. Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
      1. Private Sector Case Study 1
      2. Private Sector Case Study 2
      3. Nonprofit Sector Case Study
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 15 ASSESSMENT
  25. APPENDIX A Answer Key
  26. APPENDIX B Standard Acronyms
  27. Glossary of Key Terms
  28. References
  29. Index