Information Security outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management.

Features:

• Contains a programmatic approach that applies to a business regardless of its size or type
• Presents a process that allows firms to shape customized information security practices for their own requirements
• Demonstrates how to conduct a risk assessment covering all controls and control objectives
• Illustrates how to use data both qualitatively and quantitatively to meet the ISO/IEC 17799 standard
• Provides a gap analysis between the first and second editions of the standard to simplify transition to the new one

Contents

Information Security Risk Assessment Model

• Risk Assessment Types
• Relationship to Other Models and Standards
• Risk Assessment Relationship
• Information Security Risk Assessment Model (ISRAM)

Global Information Security Assessment Methodology

• GISAM and ISRAM Relationship
• GISAM Design Criteria
• General Assessment Types
• GISAM Components

Developing an Information Security Evaluation Process

• The Culmination of ISRAM and GISAM
• Business Process

A Security Baseline

• KRI Security Baseline Controls
• Security Baseline
• Information Security Policy Document
• Management Commitment to Information Security
• Allocation of Information Security Responsibilities
• Independent Review of Information Security
• Identification of Risks Related to External Parties
• Inventory of Assets
• Classification Guidelines
• Screening
• Information Security Awareness, Education, and Training
• Removal of Access Rights
• Physical Security Perimeter
• Protecting Against External and Environmental Threats
• Secure Disposal or Reuse of Equipment
• Documented Operating Procedures
• Change Management
• Segregation of Duties
• System Acceptance
• Controls against Malicious Code
• Management of Removable Media
• Information Handling Procedures
• Physical Media in Transit
• Electronic Commerce
• Access Control Policy
• User Registration
• Segregation in Networks
• Teleworking
• Security Requirements Analysis and Specification
• Policy on the Use of Cryptographic Controls
• Protection of System Test Data
• Control of Technical Vulnerabilities
• Reporting Information Security Events
• Including Information Security in the Business Continuity Process
• Identification of Applicable Legislation
• Data Protection and Privacy of Personal Information
• Technical Compliance Checking

Background of the ISO/IEC 17799 Standard

• History of the Standard
• Internals of the Standard
• Guidance for Use
• High-Level Objectives
• ISO/IEC Defined

ISO/IEC 17799:2005 Gap Analysis

• Guidance for Use
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management

Index

click here to see books • videos • cd-roms of related interest