IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799

Kogan Page Publishers, 2005 - Business enterprises - 368 pages

"Written for managers, this addresses how they should comply with best practice on the security, confidentiality and integrity of data stored on IT systems." -The Times

"Should be read by every computer professional with responsibility for security." -IMIS Journal

The development of IT governance - which recognizes the convergence between business and IT management - makes it essential for managers at all levels and in organizations of all sizes to understand how best to deal with information security risks. Also, the Turnbull report on company risk management (alongside laws and regulations throughout the OECD) gives company directors a legal responsibility to act on computer and information security.

Containing the latest revisions to BS 7799 and ISO 17799, this book guides business managers through the issues involved in achieving ISO certification in Information Security Management and covers all aspects of data security.

Contents

Introduction (p. 1)
The information economy (p. 2)
What is IT governance? (p. 3)
Information security (p. 4)
Why is information security necessary? (p. 9)
Nature of information security threats (p. 10)
Prevalence of information security threats (p. 11)
Impacts of information security threats (p. 13)
Cybercrime (p. 15)
Cyberwar (p. 17)
Future risks (p. 18)
Legislation (p. 21)
Benefits of an information security management system (p. 22)
The Combined Code, the Turnbull Report and Sarbanes-Oxley (p. 23)
The Turnbull Report (p. 24)
Revised Combined Code (p. 25)
Sarbanes-Oxley (p. 28)
IT governance (p. 30)
BS 7799 (p. 33)
History of BS 7799 and ISO/IEC 17799 (p. 35)
Use of the standard (p. 36)
PDCA and process approach (p. 38)
Structured approach to implementation (p. 39)
Quality system integration (p. 41)
Documentation (p. 42)
Continual improvement and metrics (p. 46)
Organizing information security (p. 49)
Internal organization (p. 50)
Management review (p. 51)
The cross-functional management forum (p. 53)
BS 7799 project group (p. 54)
Approval process for information processing facilities (p. 59)
Product selection and the Common Criteria (p. 60)
Specialist information security advice (p. 61)
Contact with authorities and special interest groups (p. 66)
Independent review of information security (p. 67)
Summary (p. 68)
Information security policy and scope (p. 69)
A policy statement (p. 75)
Costs and monitoring progress (p. 77)
The risk assessment and statement of applicability (p. 79)
Risks, impacts and risk management (p. 80)
Selection of controls and statement of applicability (p. 93)
Gap analysis (p. 96)
Risk treatment plan (p. 97)
External parties (p. 99)
Types of access (p. 101)
Reasons for access (p. 102)
Outsourcing (p. 103)
On-site contractors (p. 105)
Addressing security when dealing with customers (p. 106)
Addressing security in third party agreements (p. 107)
Asset management (p. 111)
Inventory (p. 112)
Acceptable use of assets (p. 115)
Unified classification markings (p. 118)
Information labelling and handling (p. 120)
Non-disclosure agreements and trusted partners (p. 125)
Human resources security (p. 127)
Job descriptions and competence requirements (p. 128)
Screening (p. 129)
Terms and conditions of employment (p. 132)
During employment (p. 134)
Disciplinary process (p. 139)
Termination or change of employment (p. 140)
Physical and environmental security (p. 143)
Public access, delivery and loading areas (p. 151)
Equipment security (p. 153)
Supporting utilities (p. 156)
Cabling security (p. 158)
Equipment maintenance (p. 159)
Security of equipment off-premises (p. 160)
Secure disposal or reuse of equipment (p. 161)
Communications and operations management (p. 163)
Change management (p. 165)
Segregation of duties (p. 166)
Separation of development, test and operational facilities (p. 167)
Third party service delivery management (p. 168)
Monitoring and review of third party services (p. 169)
Managing changes to third party services (p. 170)
System planning and acceptance (p. 171)
Controls against malicious software (malware) and backups (p. 177)
Spyware (p. 179)
Hoax messages (p. 180)
Anti-malware controls (p. 181)
Airborne viruses (p. 184)
Controls against mobile code (p. 185)
Network security management and media handling (p. 189)
Media handling (p. 192)
Exchanges of information (p. 195)
Exchange agreements (p. 198)
Physical media in transit (p. 199)
Electronic commerce services (p. 203)
Security technologies (p. 206)
Server security (p. 208)
Online transactions (p. 209)
Publicly available information (p. 210)
Email and internet use (p. 213)
Security risks in email (p. 214)
Spam (p. 216)
Internet acceptable use policy (AUP) (p. 218)
Access control (p. 221)
Hacker techniques (p. 222)
System configuration (p. 225)
User access management (p. 228)
Clear desk and clear screen policy (p. 236)
Network access control (p. 239)
Network security (p. 243)
Operating system access control (p. 251)
User identification and authentication (p. 253)
Use of system utilities (p. 254)
Limitation of connection time (p. 255)
Application access control and teleworking (p. 257)
Mobile computing and teleworking (p. 259)
Systems acquisition, development and maintenance (p. 265)
Correct processing in applications (p. 266)
Cryptographic controls (p. 271)
Encryption (p. 272)
Public key infrastructure (PKI) (p. 273)
Digital signatures (p. 274)
Non-repudiation services (p. 275)
Security in development and support processes (p. 279)
Access control to program source code (p. 281)
Vulnerability management (p. 285)
Monitoring and information security incident management (p. 287)
Information security events (p. 292)
Management of information security incidents and improvements (p. 297)
Business continuity management (p. 303)
Business continuity management process (p. 304)
Business continuity and risk assessment (p. 305)
Developing and implementing continuity plans (p. 306)
Business continuity planning framework (p. 307)
Testing, maintaining and reassessing business continuity plans (p. 311)
Compliance (p. 315)
Identification of applicable legislation (p. 316)
Intellectual property rights (IPR) (p. 324)
Safeguarding of organizational records (p. 328)
Data protection and privacy of personal information (p. 330)
Prevention of misuse of information processing facilities (p. 331)
Compliance with security policies and standards (p. 332)
Information systems audit considerations (p. 335)
The BS 7799 audit (p. 337)
Initial audit (p. 339)
Preparation for audit (p. 340)
Appendices (p. 343)
Useful websites (p. 345)
E-learning (p. 346)
Accounting, finance and economics (p. 349)
Business management and governance (p. 350)
Information technology (p. 351)
Risk management (p. 352)
ISO/IEC 17799:2005 (p. 353)
Further reading (p. 355)
Index (p. 357)
Copyright

About the author (2005)

Alan Calder is CEO of IT Governance Ltd.

Steve Watkins is Head of Corporate Services at HMCPSI.