
Wednesday, December 19, 2007

Information Security Management Handbook [Sixth Edition]

Book Details
- Hardcover: 3280 pages
- Publisher: AUERBACH; 6 edition (May 14, 2007)
- Language: English
- ISBN-10: 0849374952
- ISBN-13: 978-0849374951

Book Description

Never before have there been so many laws designed to keep corporations honest. New laws and regulations force companies to develop stronger ethics policies and the shareholders themselves are holding publicly traded companies accountable for their practices. Consumers are also concerned over the privacy of their personal information and current and emerging legislation is reflecting this trend. Under these conditions, it can be difficult to know where to turn for reliable, applicable advice.

The sixth edition of the Information Security Management Handbook addresses up-to-date issues in this increasingly important area. It balances contemporary articles with relevant articles from past editions to bring you a well grounded view of the subject. The contributions cover questions important to those tasked with securing information assets, including the appropriate deployment of valuable resources as well as dealing with legal compliance, investigations, and ethics. Promoting the view that the management ethics and values of an organization lead directly to its information security program and the technical, physical, and administrative controls to be implemented, the book explores topics such as risk assessments; metrics; security governance, architecture, and design; emerging threats; standards; and business continuity and disaster recovery. The text also discusses physical security, including access control, as well as cryptography and a plethora of technology issues such as application controls, network security, virus controls, and hacking.

US federal and state legislators continue to make certain that information security is a board-level conversation, and the Information Security Management Handbook, Sixth Edition continues to ensure that you have a clear understanding of the rules and regulations and an effective method for their implementation.

Book Info
The handbook includes chapters that correspond to the 10 domains of the Certified Information Systems Security Professional (CISSP) examination. (This note describes an earlier, now out-of-print edition; previous edition: c1999.)

IT Auditing: Using Controls to Protect Information Assets [Book]

Book Details

- Paperback: 387 pages
- Publisher: McGraw-Hill Osborne Media; 1 edition (December 22, 2006)
- Language: English
- ISBN-10: 0072263431
- ISBN-13: 978-0072263435

Book Description
Protect Your Systems with Proven IT Auditing Strategies

"A must-have for auditors and IT professionals." -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.

Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard.

Build and maintain an IT audit function with maximum effectiveness and value

-Implement best practice IT audit processes and controls
-Analyze UNIX-, Linux-, and Windows-based operating systems
-Audit network routers, switches, firewalls, WLANs, and mobile devices
-Evaluate entity-level controls, data centers, and disaster recovery plans
-Examine Web servers, platforms, and applications for vulnerabilities
-Review databases for critical controls
-Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies
-Implement sound risk analysis and risk management practices
-Drill down into applications to find potential control weaknesses

About the Author

Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems. He has trained auditors and forensic analysts. Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.

Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.

Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has over ten years of IT security experience.

Wednesday, December 5, 2007

Thinking Through Your 2008 Security Budget

By Ed Moyle
E-Commerce Times

For some people, November is all about festivity: turkey, cranberry sauce and the start of the long ramp-up to the December holidays.

However, that's not always the case if you happen to be in IT security.

If you are, you know that November can be anything but festive -- unless your idea of "festive" includes end-of-the-year network freezes, the inevitable holiday malware, spam out the wazoo, and (worst of all) the 2008 budget. Yup, 'tis the season -- the season for guessing at what you might need in the future and (most likely) won't get.

Every year, we're asked to do the same thing: Request the funding that we need for the upcoming year to keep the organization "secure." Like programming a universal remote control, it's one of those things that sounds simple enough until you actually try to do it.

Aside from being impossible (there's no such thing as "secure" -- just "secure enough"), there's also the fact that we're being asked to foresee the unforeseeable. How much malware will there be next year? How many application vulnerabilities will we find in the new accounting system? How many patches will come out for the hundreds of software products we support? These are just a few of the myriad things impacting budgetary requirements which simply cannot be precisely determined ahead of time.

However, rather than give up and submit another year's budget dripping with irony, let's look to see if there aren't a few strategies that we can use to help us bring some sanity to an otherwise insane process.
Planning for the Unforeseeable

When it comes to planning for your security operations budget, there are two types of information security organizations: those that have usable metrics and those that don't. If you're in the first category, you probably have a historical record of past events -- and you probably have some idea of what each of those events costs.

For example, you might know the number of malware events that occurred over the past 12 months and (depending on how long you've been keeping track) you might have some idea about the relative rate of increase of those events year-over-year. The same is true of security incidents, forensic investigations, IDS (intrusion detection system) alerts, applications reviewed, etc.

Now, I don't mean to suggest that metrics are the complete solution to your budgetary woes, but the budgeting process is the one area where you're likely to see quite a bit of return on your metrics initiative. If you're measuring, you can come up with a reasonable (or at least logical) estimate of future activity based on historical trends. Add in a margin of error and it's not unreasonable to put together a ballpark figure for what those future events might cost. Heck, you can even create milestones of how much you expect to spend month-over-month and use unspent dollars to invest in making everything more efficient. Of course, times being what they are, you might not get everything you ask for, but at least you'll know the impact of that ahead of time.
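As an added illustration (this script is not part of Moyle's article), the following Python turns the approach above into numbers: it takes monthly event counts per category, measures year-over-year growth, extrapolates twelve months ahead along a least-squares trend line, inflates the projection by a margin of error, and multiplies by an assumed cost per event to produce month-by-month spending milestones. The 24 months of event counts and the per-event costs are constructed sample values, and linear extrapolation with a flat margin is one simple choice among several, not the author's method.

```python
"""Trend-based security operations budget estimate.

Added example: the history and cost figures below are constructed
assumptions, not data from the article.
"""


def linear_fit(values):
    """Least-squares slope and intercept of values against month index 0..n-1."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(range(n), values))
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_y - slope * mean_x


def yoy_growth(values):
    """Growth of the last 12 months' total over the preceding 12 months."""
    prev, last = sum(values[-24:-12]), sum(values[-12:])
    return (last - prev) / prev if prev else float("inf")


def forecast_next_year(values, margin=0.2):
    """Project 12 monthly counts along the fitted trend (floored at zero),
    then add a flat margin of error on top of the projection."""
    n = len(values)
    slope, intercept = linear_fit(values)
    return [max(0.0, intercept + slope * (n + m)) * (1 + margin) for m in range(12)]


def budget_plan(history, cost_per_event, margin=0.2):
    """Monthly dollar milestones per category, plus totals.

    history: {category: [monthly counts]}
    cost_per_event: {category: loaded cost to handle one event}
    """
    by_category = {}
    for category, counts in history.items():
        projected = forecast_next_year(counts, margin)
        by_category[category] = [round(c * cost_per_event[category], 2) for c in projected]
    monthly_total = [round(sum(v[m] for v in by_category.values()), 2) for m in range(12)]
    return {
        "by_category": by_category,
        "monthly_total": monthly_total,
        "annual_total": round(sum(monthly_total), 2),
    }


# Constructed sample history (assumption): 24 months of handled events.
HISTORY = {
    "malware": [40, 42, 38, 45, 50, 47, 52, 55, 53, 60, 58, 64,
                66, 70, 68, 75, 80, 78, 85, 88, 90, 95, 92, 100],
    "forensic_investigations": [1, 0, 2, 1, 1, 2, 1, 3, 2, 2, 3, 2,
                                 3, 2, 4, 3, 3, 4, 4, 5, 4, 5, 6, 5],
}
# Assumed loaded cost per event in dollars (analyst time, tooling, vendor hours).
COST_PER_EVENT = {"malware": 150.0, "forensic_investigations": 4000.0}

if __name__ == "__main__":
    for category, counts in HISTORY.items():
        print(f"{category}: year-over-year growth {yoy_growth(counts):.0%}")
    plan = budget_plan(HISTORY, COST_PER_EVENT, margin=0.2)
    for month, dollars in enumerate(plan["monthly_total"], start=1):
        print(f"month {month:2d}: ${dollars:,.2f}")
    print(f"annual total: ${plan['annual_total']:,.2f}")
```

Run it as-is to see the monthly milestones; swap in your own event counts and per-event costs, and adjust the margin to match how much you trust the trend. The month-by-month figures are what let you compare actual spend against plan during the year and redirect unspent dollars, as the article suggests.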

If you don't have metrics yet but you think they might help you with your budget, the challenge is to get them in place so that you can use them. Since you probably won't get any reliable metrics in place in time to use them in planning for this year's budget (hats off to you if you decide to try), the goal is to get them there in time to use them next year.

Don't assume that obtaining this information is going to be "free" though -- it won't be. So plan for the expense and account for the spending in your 2008 spending (after all, now's the time). If your decision-making process isn't currently based on some kind of concrete information like realistic metrics, one of your strategic goals (maybe your No. 1 strategic goal) should be improving the data coming in and making use of it.
Investing in the Program

So, maybe you have a reasonable idea about what operations spending looks like for 2008 -- or if you don't, you at least have it as a goal to get to a point where you can estimate (more) accurately. How about overall spending? After all, keeping to the "status quo" -- estimating what it'll cost next year to do the same thing as last year -- shouldn't be your final goal. Even if you're getting more efficient over time, there are still more things that you could be doing. No, there's another piece to the puzzle: Where should you invest in 2008 to operate in a more repeatable, organized and "mature" way? That's where program maturity comes in.

Your information security "program," or -- depending on the terminology you choose -- your ISMS (information security management system) is something to be thinking about as well when putting together your 2008 budget. Your ISMS should be your overarching framework for managing information security within your organization -- it's your opportunity to think about how you'll move away from tactical decision-making ("putting out fires") and move toward a model based on analyzing and treating risk, keeping track of your security processes and how they perform, both in terms of efficiency as well as effectiveness.

In other words, think about having a structured, well thought-out program as your road map to a better life.

Assuming that you want to come up with a more structured way of doing things, how can you get there? First, start by analyzing what your program does and doesn't already account for -- standards like ISO/IEC 27001 (published by the International Organization for Standardization) help you identify what your program should have in place and areas that you should be looking into for program management.

Need to do a gap analysis to see where your program falls short? Account for that in your budget.

Already have a gap analysis that tells you where you need to improve? Account for those areas in your budget.

Granted, you might not get everything on your request list, but if you can demonstrate why this is valuable and candidly discuss with your management how you'd like to improve, you're likely to get some funding for doing this. Especially if you believe (as I do) that a structured, repeatable and mature program saves money over the long term.

Source :

Demand for ISO 27001 Grows

For the first time, the survey collected information on ISO 27001, the standard against which information security management systems (ISMS) are certified.

The survey reports 5,800 certificates issued in 64 countries. Japan accounts for 65% of these certificates.

Australia ranked 9th with 59 ISMS certificates. New Zealand recorded just one certificate.