IT Governance
eBook - ePub

IT Governance

An International Guide to Data Security and ISO 27001/ISO 27002


About this book

Faced with the compliance requirements of increasingly punitive information and privacy-related regulation, as well as the proliferation of complex threats to information security, there is an urgent need for organizations to adopt IT governance best practice. IT Governance is a key international resource for managers in organizations of all sizes and across industries, and deals with the strategic and operational aspects of information security. Now in its seventh edition, the bestselling IT Governance provides guidance for companies looking to protect and enhance their information security management systems (ISMS) and protect themselves against cyber threats. The new edition covers changes in global regulation, particularly GDPR, and updates to standards in the ISO/IEC 27000 family, BS 7799-3: 2017 (information security risk management) plus the latest standards on auditing. It also includes advice on the development and implementation of an ISMS that will meet the ISO 27001 specification and how sector-specific standards can and should be factored in. With information on risk assessments, compliance, equipment and operations security, controls against malware and asset management, IT Governance is the definitive guide to implementing an effective information security management and governance system.

Frequently asked questions

Yes, you can access IT Governance by Alan Calder and Steve Watkins in PDF and/or ePUB format, as well as other popular books in Business & Information Management. We have over one million books available in our catalogue for you to explore.

Information

Publisher: Kogan Page
Year: 2019
Print ISBN: 9780749496951
eBook ISBN: 9780749496968

Appendix 1

Useful websites

IT Governance Ltd

www.itgovernance.co.uk (archived at https://perma.cc/52C6-BA5J)
Comprehensive library of ISO27001 books, tools and resources
www.itgovernance.co.uk/iso27001 (archived at https://perma.cc/5Z44-FFHT)
Blogs
www.alancalderitgovernanceblog.com (archived at https://perma.cc/Y9WY-KKKQ)
http://blog.itgovernance.co.uk (archived at https://perma.cc/KSG9-6246)

ISO27001 certification-related organizations

United Kingdom Accreditation Service
www.ukas.com (archived at https://perma.cc/PBP9-55AX)
BSI
www.bsigroup.com (archived at https://perma.cc/ERJ8-N2JA)
Bureau Veritas Quality International (BVQI)
www.bureauveritas.co.uk (archived at https://perma.cc/87K2-XPQJ)
DNV GL – Business Assurance
www.dnvgl.com/about/business-assurance/index.html (archived at https://perma.cc/RU25-CU34)
Lloyd’s Register Quality Assurance (LRQA)
www.lr.org/en (archived at https://perma.cc/X8CY-86LH)
NQA Certification
www.nqa.com (archived at https://perma.cc/Z6LN-GX2Q)
SGS
www.sgs.com (archived at https://perma.cc/9WRJ-FBVL)

Microsoft

www.microsoft.com (archived at https://perma.cc/GX4A-BB7A)
www.microsoft.com/download (archived at https://perma.cc/UH3M-5EKJ)
Microsoft Security Centre
https://www.microsoft.com/en-gb/security (archived at https://perma.cc/YY9A-6W65)

Information security

(UK) Alliance Against Intellectual Property Theft
www.allianceforip.co.uk (archived at https://perma.cc/Y5KH-RNNT)
Anti-phishing Working Group
www.antiphishing.org (archived at https://perma.cc/3BMD-EW2H)
British Computer Society
www.bcs.org (archived at https://perma.cc/F2JT-8CR9)
Carnegie Mellon Software Engineering Institute
www.sei.cmu.edu (archived at https://perma.cc/7GK6-8FMN)
Carnegie Mellon Software Engineering Institute Computer Emergency Response Team (CERT) Coordination Centre
www.sei.cmu.edu/about/divisions/cert/index.cfm (archived at https://perma.cc/C9ZJ-KUQ7)
Centre for Education and Research in Information Assurance and Security
www.cerias.purdue.edu (archived at https://perma.cc/Q2UU-JXBG)
(UK) Centre for the Protection of National Infrastructure
www.cpni.gov.uk (archived at https://perma.cc/3M6L-NUES)
Common Vulnerabilities and Exposures
https://cve.mitre.org (archived at https://perma.cc/ZS35-2RNV)
CWE/SANS Top 25 Most Dangerous Software Errors
http://cwe.mitre.org/top25/ (archived at https://perma.cc/T6SQ-JVHF)
Computer Security Resource Center (US National Institute of Standards and Technology)
csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB)
ENISA
www.enisa.europa.eu (archived at https://perma.cc/Q2UU-JXBG)
(US) Federal Computer Emergency Readiness Team
www.us-cert.gov (archived at https://perma.cc/RV7C-QS8M)
(UK) Federation Against Software Theft
www.fast.org (archived at https://perma.cc/Z8MK-Y2FS)
Forum of Incident Response and Security Teams
www.first.org (archived at https://perma.cc/K8T8-7LSK)
GCHQ, Cheltenham
www.gchq.gov.uk (archived at https://perma.cc/RF95-WKDY)
HMG Cabinet Office Security Policy
www.gov.uk/government/publications/security-policy-framework (archived at https://perma.cc/MB7X-SHGA)
(UK) Information Commissioner
www.ico.org.uk (archived at https://perma.cc/6BTV-VF5H)
Information Systems Audit and Control Association
www.isaca.org (archived at https://perma.cc/M2SL-RC7N)
Information Systems Security Association
www.issa.org (archived at https://perma.cc...

Table of contents

  1. Cover
  2. Half-title Page
  3. Title Page
  4. Contents
  5. About the author
  6. Introduction
  7. The information economy
  8. What is IT governance?
  9. Information security
  10. 01 Why is information security necessary?
  11. The nature of information security threats
  12. Information insecurity
  13. Impacts of information security threats
  14. Cybercrime
  15. Cyberwar
  16. Advanced persistent threat
  17. Future risks
  18. Legislation
  19. Benefits of an information security management system
  20. 02 The Corporate Governance Code, the FRC Risk Guidance and Sarbanes–Oxley
  21. The Combined Code
  22. The Turnbull Report
  23. The Corporate Governance Code
  24. Sarbanes–Oxley
  25. Enterprise risk management
  26. Regulatory compliance
  27. IT governance
  28. 03 ISO27001
  29. Benefits of certification
  30. The history of ISO27001 and ISO27002
  31. The ISO/IEC 27000 series of standards
  32. Use of the standard
  33. ISO/IEC 27002
  34. Continual improvement, Plan–Do–Check–Act, and process approach
  35. Structured approach to implementation
  36. Management system integration
  37. Documentation
  38. Continual improvement and metrics
  39. 04 Organizing information security
  40. Internal organization
  41. Management review
  42. The information security manager
  43. The cross-functional management forum
  44. The ISO27001 project group
  45. Specialist information security advice
  46. Segregation of duties
  47. Contact with special interest groups
  48. Contact with authorities
  49. Information security in project management
  50. Independent review of information security
  51. Summary
  52. 05 Information security policy and scope
  53. Context of the organization
  54. Information security policy
  55. A policy statement
  56. Costs and the monitoring of progress
  57. 06 The risk assessment and Statement of Applicability
  58. Establishing security requirements
  59. Risks, impacts and risk management
  60. Cyber Essentials
  61. Selection of controls and Statement of Applicability
  62. Statement of Applicability Example
  63. Gap analysis
  64. Risk assessment tools
  65. Risk treatment plan
  66. Measures of effectiveness
  67. 07 Mobile devices
  68. Mobile devices and teleworking
  69. Teleworking
  70. 08 Human resources security
  71. Job descriptions and competency requirements
  72. Screening
  73. Terms and conditions of employment
  74. During employment
  75. Disciplinary process
  76. Termination or change of employment
  77. 09 Asset management
  78. Asset owners
  79. Inventory
  80. Acceptable use of assets
  81. Information classification
  82. Unified classification markings
  83. Government classification markings
  84. Information lifecycle
  85. Information labelling and handling
  86. Non-disclosure agreements and trusted partners
  87. 10 Media handling
  88. Physical media in transit
  89. 11 Access control
  90. Hackers
  91. Hacker techniques
  92. System configuration
  93. Access control policy
  94. Network Access Control
  95. 12 User access management
  96. User access provisioning
  97. 13 System and application access control
  98. Secure log-on procedures
  99. Password management system
  100. Use of privileged utility programs
  101. Access control to program source code
  102. 14 Cryptography
  103. Encryption
  104. Public key infrastructure
  105. Digital signatures
  106. Non-repudiation services
  107. Key management
  108. 15 Physical and environmental security
  109. Secure areas
  110. Delivery and loading areas
  111. 16 Equipment security
  112. Equipment siting and protection
  113. Supporting utilities
  114. Cabling security
  115. Equipment maintenance
  116. Removal of assets
  117. Security of equipment and assets off-premises
  118. Secure disposal or reuse of equipment
  119. Clear desk and clear screen policy
  120. 17 Operations security
  121. Documented operating procedures
  122. Change management
  123. Separation of development, testing and operational environments
  124. Back-up
  125. 18 Controls against malicious software (malware)
  126. Viruses, worms, Trojans and rootkits
  127. Spyware
  128. Anti-malware software
  129. Hoax messages and Ransomware
  130. Phishing and pharming
  131. Anti-malware controls
  132. Airborne viruses
  133. Technical vulnerability management
  134. Information Systems Audits
  135. 19 Communications management
  136. Network security management
  137. 20 Exchanges of information
  138. Information transfer policies and procedures
  139. Agreements on information transfers
  140. E-mail and social media
  141. Security risks in e-mail
  142. Spam
  143. Misuse of the internet
  144. Internet acceptable use policy
  145. Social media
  146. 21 System acquisition, development and maintenance
  147. Security requirements analysis and specification
  148. Securing application services on public networks
  149. E-commerce issues
  150. Security technologies
  151. Server security
  152. Server virtualization
  153. Protecting application services transactions
  154. 22 Development and support processes
  155. Secure development policy
  156. Secure systems engineering principles
  157. Secure development environment
  158. Security and acceptance testing
  159. 23 Supplier relationships
  160. Information security policy for supplier relationships
  161. Addressing security within supplier agreements
  162. ICT supply chain
  163. Monitoring and review of supplier services
  164. Managing changes to supplier services
  165. 24 Monitoring and information security incident management
  166. Logging and monitoring
  167. Information security events and incidents
  168. Incident management – responsibilities and procedures
  169. Reporting information security events
  170. Reporting software malfunctions
  171. Assessment of and decision on information security events
  172. Response to information security incidents
  173. Legal admissibility
  174. 25 Business and information security continuity management
  175. ISO22301
  176. The business continuity management process
  177. Business continuity and risk assessment
  178. Developing and implementing continuity plans
  179. Business continuity planning framework
  180. Testing, maintaining and reassessing business continuity plans
  181. Information security continuity
  182. 26 Compliance
  183. Identification of applicable legislation
  184. Intellectual property rights
  185. Protection of organizational records
  186. Privacy and protection of personally identifiable information
  187. Regulation of cryptographic controls
  188. Compliance with security policies and standards
  189. Information systems audit considerations
  190. 27 The ISO27001 audit
  191. Selection of auditors
  192. Initial audit
  193. Preparation for audit
  194. Terminology
  195. Appendix 1: Useful websites
  196. IT Governance Ltd
  197. ISO27001 certification-related organizations
  198. Microsoft
  199. Information security
  200. Appendix 2: Further reading
  201. ISO27000 family of standards includes:
  202. Books
  203. Toolkits
  204. Index
  205. Copyright