PART II

Managing the Cybersecurity Function

The basic idea is that the several components in any complex system will perform particular subfunctions that contribute to the overall function.

—The Sciences of the Artificial, Herbert Simon, 1969

CHAPTER 5:   People Management

CHAPTER 6:   Information Management

CHAPTER 7:   Physical Access Management

CHAPTER 8:   System Development

CHAPTER 9:   Business Application Management

CHAPTER 10: System Access

CHAPTER 11: System Management

CHAPTER 12: Networks and Communications

CHAPTER 13: Supply Chain Management

CHAPTER 14: Technical Security Management

CHAPTER 15: Threat and Incident Management

CHAPTER 16: Local Environment Management

CHAPTER 17: Business Continuity

Part II examines in detail the security controls intended to satisfy the defined security requirements. Chapter 5 discusses a range of issues that encompasses both screening and application procedures as well as ongoing education and training of all employees in proper security procedures and how to conform to the organization’s security policy. Chapter 6 includes a discussion of policies for classifying information and for ensuring the privacy of information. The chapter also covers protecting documents and sensitive physical information. Chapter 7 focuses on security issues related to physical assets. It includes equipment management and mobile device management. Chapter 8 focuses on development activities for business applications. It includes system development management and the system development life cycle. Chapter 9 deals with how to incorporate security controls into business applications (including specialized controls for web browser-based applications) to protect the confidentiality and integrity of information when it is input to, processed by, and output from these applications. The chapter also covers end-user applications and user-generated data, such as spreadsheets and databases. Chapter 10 focuses on controlling access to applications, devices, systems, and networks. It includes access management and customer access issues. Chapter 11 covers availability and security issues related to the configuration and maintenance of all IT systems in the organization. Chapter 12 includes discussion of network management plus security measures associated with email and messaging. Chapter 13 includes external supplier management and cloud computing services. Chapter 14 includes technical security infrastructure and cryptography. Chapter 15 deals with planning for and reacting to threats. It includes cybersecurity resilience and incident management. Chapter 16 covers issues related to documenting and managing individual local environments within an organization. The chapter also deals with physical and environmental security. Chapter 17 deals with the important topic of business continuity.
