Information Security Management Principles, second edition. Publisher: BCS Learning & Development Limited. Editorial review: "Although the book is targeted at students taking the CISMP examination, I would still recommend this book for any IT professional."

Information Security Management Principles 2nd Edition Pdf

Language: English, French, Portuguese
Published (last): 03.12.2015
ePub file size: 17.67 MB
PDF file size: 15.47 MB
Distribution: Free (registration needed)
Uploaded by: SIMON

Publisher address: Publishing and Information Products, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. Author: David Alexander.

Provide a proportional response. Consider productivity, cost effectiveness, and the value of the asset. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity. For any given risk, management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business.

Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk.

In some cases, the risk can be transferred to another business by purchasing insurance or by outsourcing to another business. In such cases leadership may choose to deny the risk. Selecting and implementing proper security controls will initially help an organization bring risk down to acceptable levels.

Control selection should follow, and be based on, the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting the confidentiality, integrity or availability of information. Organizations can implement additional controls according to their own requirements.

Administrative controls

Administrative controls consist of approved written policies, procedures, standards and guidelines.

Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted.

Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls, which are of paramount importance.

Logical controls

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are examples of logical controls. An important logical control that is frequently overlooked is the principle of least privilege, which requires that an individual, program or system process not be granted any more access privileges than are necessary to perform the task.
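The least-privilege principle is easiest to enforce when it is checked mechanically: compare what each account actually holds against what its current role needs, and treat the difference as a finding. The audit below is an added example written for this page, not code from the book or the page it describes; the role catalogue, privilege names and accounts are constructed sample data, and the case it is built to catch is the one the text goes on to describe, privileges kept after a change of duties.

```python
"""Least-privilege audit (added example, not from the page's source text).

Compares the privileges each account actually holds with the privileges its
current role needs, and attributes any excess to the former roles that once
required it. The role catalogue and accounts below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: the minimum privileges each job role needs.
ROLE_PRIVILEGES = {
    "accounts_payable": {"erp.invoice.read", "erp.invoice.submit"},
    "ap_approver":      {"erp.invoice.read", "erp.invoice.approve"},
    "developer":        {"git.push", "ci.run"},
    "sysadmin":         {"git.push", "ci.run", "ssh.prod"},
}


@dataclass
class Account:
    user: str
    role: str                                          # current job role
    privileges: set = field(default_factory=set)       # what the account holds today
    former_roles: list = field(default_factory=list)   # roles held earlier


def audit_account(acct: Account) -> dict:
    """Return the privileges an account holds beyond (or short of) its role."""
    required = ROLE_PRIVILEGES[acct.role]
    return {
        "user": acct.user,
        "excess": sorted(acct.privileges - required),
        "missing": sorted(required - acct.privileges),
    }


def explain_excess(acct: Account) -> dict:
    """Map each excess privilege to the former role(s) that legitimately granted it.

    An empty list means no past role explains the grant, which deserves a closer look.
    """
    return {
        priv: sorted(r for r in acct.former_roles if priv in ROLE_PRIVILEGES[r])
        for priv in audit_account(acct)["excess"]
    }


def accounts_with_creep(accounts) -> list:
    """Users whose held privileges exceed what their current role requires."""
    return sorted(a.user for a in accounts if audit_account(a)["excess"])


# Constructed sample accounts: alice was promoted from submitter to approver and
# kept her old rights; carol moved from sysadmin to developer and kept prod SSH.
ACCOUNTS = [
    Account("alice", "ap_approver",
            {"erp.invoice.read", "erp.invoice.submit", "erp.invoice.approve"},
            former_roles=["accounts_payable"]),
    Account("bob", "developer", {"git.push", "ci.run"}),
    Account("carol", "developer", {"git.push", "ci.run", "ssh.prod"},
            former_roles=["sysadmin"]),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        report = audit_account(acct)
        if report["excess"]:
            print(f"{acct.user}: excess {report['excess']} "
                  f"explained by {explain_excess(acct)}")
```

Run as a script it reports alice and carol; bob, whose rights match his role exactly, produces no finding. In practice the role catalogue comes from the HR or identity system and the held privileges from each application's own export, so the interesting engineering work is keeping both feeds current enough that the diff means something.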

Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees' job duties change, employees are promoted to a new position, or employees are transferred to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.

Physical controls

Physical controls monitor and control the environment of the workplace and computing facilities.

They also monitor and control access to and from such facilities and include doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, and so on. Separating the network and workplace into functional areas is also a physical control. An important physical control that is frequently overlooked is separation of duties, which ensures that an individual cannot complete a critical task alone. For example, an employee who submits a request for reimbursement should not also be able to authorize payment or print the check.

An applications programmer should not also be the server administrator or the database administrator; these roles and responsibilities must be separated from one another.
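Separation of duties can be checked at two points: statically, when privileges are granted (no single identity may hold a conflicting pair such as submit and approve, or programmer and database administrator), and dynamically, when a step is performed (the person who submitted a request may not be the one who approves or pays it). The code below is an added example written for this page, not the book's or the page's own code; the toxic-pair table, privilege names and the reimbursement workflow are constructed to match the text's example.

```python
"""Separation-of-duties checks (added example, not the page's own code).

A static check that no single identity holds a conflicting pair of privileges,
and a dynamic check on the reimbursement workflow described in the text: the
submitter can neither approve nor pay the request, and the approver cannot pay it.
Privilege names and the toxic-pair table are constructed sample data.
"""

# Constructed: pairs of privileges one identity must never hold together.
TOXIC_PAIRS = [
    ("expense.submit", "expense.approve"),
    ("expense.approve", "expense.pay"),
    ("app.developer", "server.admin"),   # programmer vs. server administrator
    ("app.developer", "db.admin"),       # programmer vs. database administrator
]


class SoDViolation(Exception):
    """Raised when one identity would perform two steps that must be separated."""


def static_conflicts(privileges) -> list:
    """Return the toxic pairs that are fully present in one identity's privilege set."""
    held = set(privileges)
    return [pair for pair in TOXIC_PAIRS if held.issuperset(pair)]


class ReimbursementWorkflow:
    """Records who performed each step so that later steps can be refused."""

    def __init__(self):
        self.requests = {}

    def submit(self, req_id: str, user: str, amount: float) -> None:
        self.requests[req_id] = {"submitter": user, "approver": None, "payer": None,
                                 "amount": amount, "status": "submitted"}

    def approve(self, req_id: str, user: str) -> None:
        req = self.requests[req_id]
        if req["status"] != "submitted":
            raise ValueError(f"{req_id} is {req['status']}, not awaiting approval")
        if user == req["submitter"]:
            raise SoDViolation(f"{user} cannot approve their own request {req_id}")
        req["approver"], req["status"] = user, "approved"

    def pay(self, req_id: str, user: str) -> None:
        req = self.requests[req_id]
        if req["status"] != "approved":
            raise ValueError(f"{req_id} is {req['status']}, not approved for payment")
        if user in (req["submitter"], req["approver"]):
            raise SoDViolation(f"{user} already acted on {req_id} and cannot pay it")
        req["payer"], req["status"] = user, "paid"


def violates_sod(action, *args) -> bool:
    """True if performing the action breaks separation of duties (the action is
    carried out if it is permitted)."""
    try:
        action(*args)
    except SoDViolation:
        return True
    return False


if __name__ == "__main__":
    print(static_conflicts({"expense.submit", "expense.approve", "git.push"}))
    wf = ReimbursementWorkflow()
    wf.submit("R-1", "alice", 120.0)
    print("alice approves own request:", violates_sod(wf.approve, "R-1", "alice"))
    print("dave approves:", violates_sod(wf.approve, "R-1", "dave"))
    print("dave pays:", violates_sod(wf.pay, "R-1", "dave"))
    print("erin pays:", violates_sod(wf.pay, "R-1", "erin"), wf.requests["R-1"]["status"])
```

The static check belongs in the provisioning process (run it before a grant is committed); the dynamic check belongs in the application, because a user can legitimately hold the approve privilege and still be forbidden from approving a request they submitted themselves.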

The information must be protected while in motion and while at rest.

During its lifetime, information may pass through many different information processing systems and through many different parts of information processing systems. There are many different ways the information and information systems can be threatened. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.

The building up, layering on and overlapping of security measures is called "defense in depth". The three types of controls can be used to form the basis upon which to build a defense in depth strategy.

With this approach, defense in depth can be conceptualized as three distinct layers or planes laid one on top of the other. Additional insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people the next outer layer, and network security, host-based security and application security forming the outermost layers. Both perspectives are equally valid, and each provides valuable insight into the implementation of a good defense in depth strategy.

Security classification for information

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal, and so not all information requires the same degree of protection.

This requires information to be assigned a security classification. The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified.

ISBN 13: 9781780171753

Next, develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.

Laws and other regulatory requirements are also important considerations when classifying information. The Information Systems Audit and Control Association (ISACA) and its Business Model for Information Security also serve as a tool for security professionals to examine security from a systems perspective, creating an environment where security can be managed holistically, allowing actual risks to be addressed. All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification.

The classification assigned to a particular information asset should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place and are being followed.

Access control

Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized.

This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected; the more sensitive or valuable the information the stronger the control mechanisms need to be.

The foundation on which access control mechanisms are built starts with identification and authentication.


Access control is generally considered in three steps: identification, authentication, and authorization. If a person makes the statement "Hello, my name is John Doe", they are making a claim of who they are.

However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe.

Typically the claim is in the form of a username.

Target audience

Although perceived as an IT issue, information security is in fact a subject relevant to all business units.
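The three steps described above (identification, authentication, authorization) are distinct decisions, and it helps to see where each one can fail. The example below is added for this page and is not code from the book or the page it describes; it ties the authorization step to the classification labels discussed earlier by comparing a user's clearance with the label on the requested item. Usernames, passwords, clearances, documents and labels are constructed, and the PBKDF2 parameters are illustrative rather than a recommendation from the page.

```python
"""Identification, authentication and authorization as three separate steps
(added example, not code from the page or the book it describes).

Identification: the caller claims a username.  Authentication: the claim is
verified against a salted PBKDF2 password hash.  Authorization: the verified
identity's clearance is compared with the classification label on the
requested item.  Users, passwords, documents and labels are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000
# Constructed classification scheme, lowest to highest sensitivity.
CLASSIFICATIONS = ["public", "internal", "confidential", "restricted"]


def make_password_record(password: str) -> dict:
    """Store a password only as a random salt plus a PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


# Constructed user directory; passwords appear here only as salted hashes.
USERS = {
    "jdoe":   {"clearance": "internal",     **make_password_record("correct horse battery")},
    "asmith": {"clearance": "confidential", **make_password_record("staple-42")},
}
# Constructed items with their classification labels.
DOCUMENTS = {"canteen-menu": "public", "q3-plan": "confidential"}
# Dummy record so that an unknown username costs the same time as a wrong password.
_DUMMY = make_password_record("unused")


def clearance_rank(label: str) -> int:
    return CLASSIFICATIONS.index(label)


def request_access(username: str, password: str, document: str) -> tuple:
    """Return (decision, step), where step is the last of the three steps reached."""
    # Step 1: identification, the claim "I am <username>".
    record = USERS.get(username)
    if record is None:
        verify_password(_DUMMY, password)        # keep timing uniform
        return ("denied", "identification")
    # Step 2: authentication, verifying that the claim is true.
    if not verify_password(record, password):
        return ("denied", "authentication")
    # Step 3: authorization, deciding what the verified identity may see.
    if clearance_rank(record["clearance"]) < clearance_rank(DOCUMENTS[document]):
        return ("denied", "authorization")
    return ("granted", "authorization")


def user_facing_message(decision: tuple) -> str:
    """Identification and authentication failures must look identical to the caller,
    otherwise the response reveals which usernames exist."""
    status, step = decision
    if status == "granted":
        return "access granted"
    if step == "authorization":
        return "you are not permitted to view this item"
    return "invalid username or password"


if __name__ == "__main__":
    for args in [("jdoe", "correct horse battery", "canteen-menu"),
                 ("jdoe", "correct horse battery", "q3-plan"),
                 ("asmith", "staple-42", "q3-plan"),
                 ("jdoe", "wrong", "canteen-menu"),
                 ("nobody", "x", "canteen-menu")]:
        d = request_access(*args)
        print(args[0], args[2], d, "->", user_facing_message(d))
```

The internal `(decision, step)` pair is what you log, because an audit trail needs to distinguish an unknown username from a wrong password from an insufficient clearance; the external message deliberately collapses the first two so the login form does not become a username oracle.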
