- The Sarbanes-Oxley Act (SOX): US public companies, public accounting firms
- Payment Card Industry Data Security Standard: PCI-DSS: Credit card companies, retailers, any other entity that handles payment card information
- The Gramm-Leach-Bliley Act (GLB): Securities firms, insurance companies, banks, brokers, lenders, and other financial institutions
- Electronic Fund Transfer Act: Merchants, financial institutions that provide EFT services or manage consumer accounts
- Fair and Accurate Credit Transaction Act (FACTA): Financial institutions, credit reporting agencies, credit bureaus, and creditors
- Federal Information Security Management Act (FISMA): US federal agencies
- Health Insurance Portability and Accountability Act (HIPAA): Health plans, health care providers, and organizations that manage personal health information
- European Union Data Protection Directive: European business or non-European businesses that export data to another country
- Preface
- Information and Data Security Fundamentals
- Defining the Threat Landscape
- Preparing for Information and Data Security
- Establishing an information security program
- Information security policies
- Recommended operational policies
- Planning policy
- Access control policy
- Awareness and training policy
- Auditing and accountability policy
- Configuration management policy
- Contingency planning policy
- Identification and authentication policy
- Incident response policy
- Maintenance policy
- Media protection policy
- Personnel security policy
- Physical and environmental protection policy
- Risk assessment policy
- Security assessment policy
- System and communications protection policy
- System and information integrity policy
- Systems and services acquisitions policy
- Summary
- Information Security Risk Management
- What is risk?
- Who owns organizational risk?
- Where is your valuable data?
- Performing a quick risk assessment
- Risk management is an organization-wide activity
- Business operations
- IT operations
- Personnel
- External organization
- Risk management life cycle
- Information categorization
- Data classification steps
- Determining information assets
- Finding information in the environment
- Disaster recovery considerations
- Backup storage considerations
- Organizing information into categories
- Examples of information type categories
- Security control selection
- Security control implementation
- Assessing implemented security controls
- Authorizing information systems to operate
- Monitoring information system security controls
- Calculating risk
- Qualitative risk analysis
- Identifying your organizations threats
- Identifying your organizations vulnerabilities
- Pairing threats with vulnerabilities
- Estimating likelihood
- Estimating impact
- Conducting the risk assessment
- Management choices when it comes to risk
- Quantitative analysis
- Qualitative risk assessment example
- Summary
- Developing Your Information and Data Security Plan
- Continuous Testing and Monitoring
- Business Continuity/Disaster Recovery Planning
- Incident Response Planning
- Do I need an incident response plan?
- Components of an incident response plan
- Preparing the incident response plan
- Identification – detection and analysis
- Identification – incident response tools
- Remediation – containment/recovery/mitigation
- Remediation - incident response tools
- Post incident activity
- Summary
- Developing a Security Operations Center
- Developing an Information Security Architecture Program
- Information security architecture and SDLC/SELC
- Conducting an initial information security analysis
- Purpose and description of the information system
- Determining compliance requirements
- Documenting key information system and project roles
- Defining the expected user types
- Documenting interface requirements
- Documenting external information systems access
- Conducting a business impact assessment
- Conducting an information categorization
- Developing a security architecture advisement program
- Summary
- Cloud Security Consideration
- Cloud computing characteristics
- Cloud computing service models
- Cloud computing deployment models
- Cloud computing management models
- Cloud computing special consideration
- Summary
- Information and Data Security Best Practices
Compliance standards
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.