This groundbreaking book helps you master the management of information security, concentrating on the recognition and resolution of the practical issues of developing and implementing IT security for the enterprise. Drawing upon the authors' wealth of valuable experience in high-risk commercial environments, the work focuses on the need to align the information security process as a whole with the requirements of the modern enterprise, which involves empowering business managers to manage information security-related risk. Throughout, the book places emphasis on the use of simple, pragmatic risk management as a tool for decision-making. The first book to cover the strategic issues of IT security, it helps you to: understand the difference between more theoretical treatments of information security and operational reality; learn how information security risk can be measured and subsequently managed; define and execute an information security strategy design and implement a security architecture; and ensure that limited resources are used optimally. Illustrated by practical examples, this topical volume reveals the current problem areas in IT security deployment and management. Moreover, it offers guidelines for writing scalable and flexible procedures for developing an IT security strategy and monitoring its implementation. You discover an approach for reducing complexity and risk, and find tips for building a successful team and managing communications issues within the organization. This essential resource provides practical insight into contradictions in the current approach to securing enterprise-wide IT infrastructures, recognizes the need to continually challenge dated concepts, demonstrates the necessity of using appropriate risk management techniques, and evaluates whether or not a given risk is acceptable in pursuit of future business opportunities.

Provides an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organisation as a whole.

The CISO Handbook: A Practical Guide to Securing Your Company provides unique insights and guidance into designing and implementing an information security program, delivering true value to the stakeholders of a company. The authors present several essential high-level concepts before building a robust framework that will enable you to map the conc

Create appropriate, security-focused business propositions that consider the balance between cost, risk, and usability, while starting your journey to become an information security manager. Covering a wealth of information that explains exactly how the industry works today, this book focuses on how you can set up an effective information security practice, hire the right people, and strike the best balance between security controls, costs, and risks. Practical Information Security Management provides a wealth of practical advice for anyone responsible for information security management in the workplace, focusing on the ‘how’ rather than the ‘what’. Together we’ll cut through the policies, regulations, and standards to expose the real inner workings of what makes a security management program effective, covering the full gamut of subject matter pertaining to security management: organizational structures, security architectures, technical controls, governance frameworks, and operational security. This book was not written to help you pass your CISSP, CISM, or CISMP or become a PCI-DSS auditor. It won’t help you build an ISO 27001 or COBIT-compliant security management system, and it won’t help you become an ethical hacker or digital forensics investigator – there are many excellent books on the market that cover these subjects in detail. Instead, this is a practical book that offers years of real-world experience in helping you focus on the getting the job done. What You Will Learn Learn the practical aspects of being an effective information security manager Strike the right balance between cost and risk Take security policies and standards and make them work in reality Leverage complex security functions, such as Digital Forensics, Incident Response and Security Architecture Who This Book Is For“/div>divAnyone who wants to make a difference in offering effective security management for their business. You might already be a security manager seeking insight into areas of the job that you’ve not looked at before, or you might be a techie or risk guy wanting to switch into this challenging new career. Whatever your career goals are, Practical Security Management has something to offer you.

The Web is an exciting but unstable place to do business. The potential rewards are high but so are the risks, and the effective management of these risks 'online' is likely to be the greatest business enabler or destroyer of the next decade. Information security is no longer an issue confined to the IT department - it is critical to all operational functions and departments within an organization. Nor are the solutions purely technical, with two-thirds of security breaches caused by human error, management controls and processes. Risk to the integrity, availability and confidentiality of e-business activities comes in many forms - fraud, espionage, viruses, spamming, denial of service - and the potential for damage or irretrievable loss is very real. The Secure Online Business Handbook is designed as a practical guide for managers in developing and implementing appropriate strategies for online risk management. The contributions in this fully revised and updated new edition draw on a wide range of expertise and know-how, both in IT and in other disciplines such as the law, insurance, accounting and consulting. Security should not be an afterthought in developing a strategy, but an integral part of setting up sustainable new channels of communication and business.

Revised edition of: Information security for managers.

Practical guide that can be used by executives to make well-informed decisions on cybersecurity issues to better protect their business Emphasizes, in a direct and uncomplicated way, how executives can identify, understand, assess, and mitigate risks associated with cybersecurity issues Covers 'What to Do When You Get Hacked?' including Business Continuity and Disaster Recovery planning, Public Relations, Legal and Regulatory issues, and Notifications and Disclosures Provides steps for integrating cybersecurity into Strategy; Policy and Guidelines; Change Management and Personnel Management Identifies cybersecurity best practices that executives can and should use both in the office and at home to protect their vital information

Utilizing an incremental development method called knowledge scaffolding--a proven educational technique for learning subject matter thoroughly by reinforced learning through an elaborative rehearsal process--this new resource includes coverage on threats to confidentiality, integrity, and availability, as well as countermeasures to preserve these.

The Growing Imperative Need for Effective Information Security Governance With monotonous regularity, headlines announce ever more spectacular failures of information security and mounting losses. The succession of corporate debacles and dramatic control failures in recent years underscores the necessity for information security to be tightly integrated into the fabric of every organization. The protection of an organization's most valuable asset information can no longer be relegated to low-level technical personnel, but must be considered an essential element of corporate governance that is critical to organizational success and survival. Written by an industry expert, Information Security Governance is the first book-length treatment of this important topic, providing readers with a step-by-step approach to developing and managing an effective information security program. Beginning with a general overview of governance, the book covers: The business case for information security Defining roles and responsibilities Developing strategic metrics Determining information security outcomes Setting security governance objectives Establishing risk management objectives Developing a cost-effective security strategy A sample strategy development The steps for implementing an effective strategy Developing meaningful security program development metrics Designing relevant information security management metrics Defining incident management and response metrics Complemented with action plans and sample policies that demonstrate to readers how to put these ideas into practice, Information Security Governance is indispensable reading for any professional who is involved in information security and assurance.

The modern dependence upon information technology and the corresponding information security regulations and requirements force companies to evaluate the security of their core business processes, mission critical data, and supporting IT environment. Combine this with a slowdown in IT spending resulting in justifications of every purchase, and security professionals are forced to scramble to find comprehensive and effective ways to assess their environment in order to discover and prioritize vulnerabilities, and to develop cost-effective solutions that show benefit to the business. A Practical Guide to Security Assessments is a process-focused approach that presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and how security measures are aligned with business risks. The guide also emphasizes that resulting security recommendations should be cost-effective and commensurate with the security risk. The methodology described serves as a foundation for building and maintaining an information security program. In addition to the methodology, the book includes an Appendix that contains questionnaires that can be modified and used to conduct security assessments. This guide is for security professionals who can immediately apply the methodology on the job, and also benefits management who can use the methodology to better understand information security and identify areas for improvement.