Security Program and Policies: Principles and Practices, Second Edition

Book Description

Everything you need to know about information security programs and policies, in one book

  • Clearly explains all facets of InfoSec program and policy planning, development, deployment, and management

  • Thoroughly updated for today’s challenges, laws, regulations, and best practices

  • The perfect resource for anyone pursuing an information security management career

    In today’s dangerous world, failures in information security can be catastrophic. Organizations must protect themselves. Protection begins with comprehensive, realistic policies. This up-to-date guide will help you create, deploy, and manage them.

    Complete and easy to understand, it explains key concepts and techniques through real-life examples. You’ll master modern information security regulations and frameworks, and learn specific best-practice policies for key industry sectors, including finance, healthcare, online commerce, and small business.

    If you understand basic information security, you’re ready to succeed with this book. You’ll find projects, questions, exercises, examples, links to valuable easy-to-adapt information security policies...everything you need to implement a successful information security program.

    Sari Stern Greene, CISSP, CRISC, CISM, NSA/IAM, is an information security practitioner, author, and entrepreneur. She is passionate about the importance of protecting information and critical infrastructure. Sari founded Sage Data Security in 2002 and has amassed thousands of hours in the field working with a spectrum of technical, operational, and management personnel, as well as boards of directors, regulators, and service providers. Her first text was Tools and Techniques for Securing Microsoft Networks, commissioned by Microsoft to train its partner channel, which was soon followed by the first edition of Security Policies and Procedures: Principles and Practices. She is actively involved in the security community and speaks regularly at security conferences and workshops. She has been quoted in The New York Times and the Wall Street Journal, and on CNN and CNBC. Since 2010, Sari has served as the chair of the annual Cybercrime Symposium.

    Learn how to

      • Establish program objectives, elements, domains, and governance

      • Understand policies, standards, procedures, guidelines, and plans, and the differences among them

      • Write policies in “plain language,” with the right level of detail

      • Apply the Confidentiality, Integrity & Availability (CIA) security model

      • Use NIST resources and ISO/IEC 27000-series standards

      • Align security with business strategy

      • Define, inventory, and classify your information and systems

      • Systematically identify, prioritize, and manage InfoSec risks

      • Reduce “people-related” risks with role-based Security Education, Awareness, and Training (SETA)

      • Implement effective physical, environmental, communications, and operational security

      • Effectively manage access control

      • Secure the entire system development lifecycle

      • Respond to incidents and ensure continuity of operations

      • Comply with laws and regulations, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules, and PCI DSS

    Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. Contents at a Glance
    5. Table of Contents
    6. About the Author
    7. Dedication
    8. Acknowledgments
    9. We Want to Hear from You!
    10. Reader Services
    11. Chapter 1. Understanding Policy
      1. Looking at Policy Through the Ages
      2. Information Security Policy
      3. Information Security Policy Lifecycle
      4. Summary
      5. References
    12. Chapter 2. Policy Elements and Style
      1. Policy Hierarchy
      2. Policy Format
      3. Writing Style and Technique
      4. Summary
      5. References
    13. Chapter 3. Information Security Framework
      1. CIA
      2. Information Security Framework
      3. Summary
      4. References
    14. Chapter 4. Governance and Risk Management
      1. Understanding Information Security Policies
      2. Information Security Governance
      3. Information Security Risk
      4. Summary
      5. References
    15. Chapter 5. Asset Management
      1. Information Assets and Systems
      2. Information Classification
      3. Labeling and Handling Standards
      4. Information Systems Inventory
      5. Summary
      6. References
    16. Chapter 6. Human Resources Security
      1. The Employee Lifecycle
      2. The Importance of Employee Agreements
      3. The Importance of Security Education and Training
      4. Summary
      5. References
    17. Chapter 7. Physical and Environmental Security
      1. Understanding the Secure Facility Layered Defense Model
      2. Protecting Equipment
      3. Summary
      4. References
    18. Chapter 8. Communications and Operations Security
      1. Standard Operating Procedures (SOPs)
      2. Operational Change Control
      3. Malware Protection
      4. Data Replication
      5. Secure Messaging
      6. Activity Monitoring and Log Analysis
      7. Service Provider Oversight
      8. Summary
      9. References
    19. Chapter 9. Access Control Management
      1. Access Control Fundamentals
      2. Infrastructure Access Controls
      3. User Access Controls
      4. Summary
      5. References
    20. Chapter 10. Information Systems Acquisition, Development, and Maintenance
      1. System Security Requirements
      2. Secure Code
      3. Cryptography
      4. Summary
      5. References
    21. Chapter 11. Information Security Incident Management
      1. Organizational Incident Response
      2. Data Breach Notification Requirements
      3. Summary
      4. References
    22. Chapter 12. Business Continuity Management
      1. Emergency Preparedness
      2. Business Continuity Risk Management
      3. The Business Continuity Plan
      4. Plan Testing and Maintenance
      5. Summary
      6. References
    23. Chapter 13. Regulatory Compliance for Financial Institutions
      1. The Gramm-Leach-Bliley Act (GLBA)
      2. Personal and Corporate Identity Theft
      3. Summary
      4. References
    24. Chapter 14. Regulatory Compliance for the Healthcare Sector
      1. The HIPAA Security Rule
      2. The HITECH Act and the Omnibus Rule
      3. Summary
      4. References
    25. Chapter 15. PCI Compliance for Merchants
      1. Protecting Cardholder Data
      2. PCI Compliance
      3. Summary
      4. References
    26. Appendix A. Information Security Program Resources
      1. National Institute of Standards and Technology (NIST) Special Publications
      2. Federal Financial Institutions Examination Council (FFIEC) IT Handbooks
      3. Department of Health and Human Services HIPAA Security Series
      4. Payment Security Standards Council Documents Library
      5. Information Security Professional Development and Certification Organizations
    27. Appendix B. Sample Information Security Policy
      1. Introduction
      2. Section 1: Governance and Risk Management
      3. Section 2: Asset Management
      4. Section 3: Human Resources Security
      5. Section 4: Physical and Environmental Security
      6. Section 5: Communications and Operations Security
      7. Section 6: Access Control Management
      8. Section 7: Information Systems Acquisition, Development, and Maintenance
      9. Section 8: Incident Management
      10. Section 9: Business Continuity
    28. Appendix C. Information Systems Acceptable Use Agreement and Policy
      1. Information Systems Acceptable Use Agreement
      2. Acceptable Use of Information Systems Policy
    29. Index