
Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

Implementing IT security policies and related frameworks for an organization can seem like an overwhelming task, given the vast number of issues and considerations. Security Policies and Implementation Issues demystifies this topic, taking you through a logical sequence of discussions about major concepts and issues related to security policy implementation.

It is a unique book that offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementing them. This book presents an effective balance between technical knowledge and soft skills, both of which are necessary for understanding the business context and the psychology of motivating people and leaders. It also introduces you, in clear, simple terms, to many different concepts of information security, such as governance, regulatory mandates, business drivers, legal considerations, and more. If you need to understand how information risk is controlled, or are responsible for oversight of those who do, you will find this book helpful.

Part 1 of this book focuses on why private and public sector organizations need an information technology (IT) security framework consisting of documented policies, standards, procedures, and guidelines. As businesses, organizations, and governments change the way they operate and organize their overall information systems security strategy, one of the most critical security controls is documented IT security policies.

Part 2 defines the major elements of an IT security policy framework. Many organizations, under recent compliance laws, must now define, document, and implement information security policies, standards, procedures, and guidelines. Many organizations and businesses conduct a risk assessment to determine their current risk exposure within their IT infrastructure. Once these security gaps and threats are identified, more stringent information security policies are designed and put in place. This can provide an excellent starting point for the creation of an IT security policy framework.

Policies are only as effective as the individuals who create them and enforce them within an organization. Part 3 of this book presents how to successfully implement and enforce policies within an organization. Emerging techniques and automation of policy enforcement are also examined.

This book is a valuable resource for students, security officers, auditors, and risk leaders who want to understand what a successful implementation of security policies and frameworks looks like.

Learning Features

The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

New to This Edition

  • Covers additional standards:
    • ISO 38500
    • ISO 27007
    • ISO 30105
    • GDPR
    • ETSI
  • Updated NIST Special Publication (SP) 800-53 for the 2019 changes
  • Updated COBIT for COBIT 2019
  • Added the CIS Critical Security Controls for Effective Cyber Defense
  • Added coverage of mobile devices in the workplace (BYOD, COPE, CYOD)
  • Included additional models like McCumber Cube
  • Updated statistics and case studies

Theory Labs

This text is accompanied by Cybersecurity Theory Labs. These hands-on labs provide guided exercises and case studies where students can learn and practice foundational cybersecurity skills as an extension of the lessons in this textbook. For more information or to purchase the labs, visit go.jblearning.com/johnson3e.
