Executive MBA in Information Security

Hardcover
from $0.00

Author: John J. Trinckes, Jr.

ISBN-10: 1439810079

ISBN-13: 9781439810071

Category: Databases Security


According to the Brookings Institute, an organization’s information and other intangible assets account for over 80 percent of its market value. As the primary sponsors and implementers of information security programs, it is essential for those in key leadership positions to possess a solid understanding of the constantly evolving fundamental concepts of information security management. Developing this knowledge and keeping it current, however, requires the time and energy that busy executives like you simply don’t have.

Supplying a complete overview of key concepts, The Executive MBA in Information Security provides the tools needed to ensure your organization has an effective and up-to-date information security management program in place. This one-stop resource provides a ready-to-use security framework you can use to develop workable programs and includes proven tips for avoiding common pitfalls—so you can get it right the first time.

Allowing for quick and easy reference, this time-saving manual provides those in key leadership positions with a lucid understanding of:

The difference between information security and IT security
Corporate governance and how it relates to information security
Steps and processes involved in hiring the right information security staff
The different functional areas related to information security
Roles and responsibilities of the chief information security officer (CISO)

Presenting difficult concepts in a straightforward manner, this concise guide allows you to get up to speed, quickly and easily, on what it takes to develop a rock-solid information security management program that is as flexible as it is secure.

Contents:

Preface
Acknowledgments
The Author
Contributors
Information Security Overview
Information Security Management
What Is Information Security?
Responsibilities
Organization
Functions
Ideal Traits of an Information Security Professional
Certification Requirements
Recruiting
Screening
Interviewing
Reference Checks
Retention
Trust and Loyalty
Why Is Information Security Important?
Information Security Concepts
Laws of Security
Information Security Requirements
Interrelationship of Regulations, Policies, Standards, Procedures, and Guidelines
Regulations
Sarbanes—Oxley Act
Gramm—Leach—Bliley Act
Health Insurance Portability and Accountability Act
Federal Financial Institutions Examination Council
Payment Card Industry (PCI) Data Security Standard
Common Elements of Compliance
Security Controls
Industry Best Practice Guidelines
Standards
Measurement Techniques
Control Objectives for Information and Related Technology (COBIT)
ISO 27002 Overview
Capability Maturity Model (CMM)
Generally Accepted Information Security Principles (GAISP)
Common Pitfalls of an Effective Information Security Program
Defense in Depth
Managing Risks
Risk Management
System Characterization
Threat Identification
Vulnerability Identification and Categorization
Control Analysis
Likelihood Rating
Impact Rating (Premitigation)
Risk Determination
Recommendations
Technical Evaluation Plan (TEP)
Methodology Overview
Role of Common Vulnerabilities and Exposures (CVE)
Executive Summary
Follow-Up
Tracking
Conflict Resolution
Test Plans
Physical Security
Access Control Systems and Methods
Discretionary Access Controls (DACs)
Mandatory Access Controls (MACs)
Nondiscretionary Access Controls
Administrative Access Controls
Physical Access Controls
Technical Access Controls
Logical Access Controls
Common Access Control Practices
Auditing
Physical Security
Social Engineering
Phishing
Pharming
Vishing
Passive Information Gathering
Active Information Gathering
Covert Testing
Clean Desk Policy
Dumpster Diving
Business Continuity Plans and Disaster Recovery
Business Continuity
Phase 1—Project Management and Initiation
Phase 2—Business Impact Analysis
Phase 3—Recovery Strategies
Phase 4—Plan, Design, and Develop
Phase 5—Testing, Maintenance, and Awareness Training
Complications to Consider in BCP
Disaster Recovery
Business
Facilities and Supplies
Users
Technology
Data
Event Stages
Disaster Recovery Testing
Business Continuity Planning and Disaster Recovery Training
Administrative Controls
Change Management
Request Phase
Process Phase
Release Phase
Change Management Steps
Computer Forensics
Computer Investigation Model
Incident Management
Reporting Information
Steps
Notification
Incident Details
Incident Handler
Actions to Date
Recommended Actions
Laws, Investigations, and Ethics
Laws
Investigations
Ethics
Operations Security
OPSEC Controls
Separation of Duties
Job Rotation
Least Privileges
Records Retention
Federal Rules of Civil Procedure
Security Awareness Training
A Cracker’s Story
Security Management Practices
Security Countermeasures
Service Providers, Service-Level Agreements, and Vendor Reviews
Vendor Relationship Policy
Service-Level Agreements
Vendor Reviews
Managing Security Risks in Vendor Relationships
Due Diligence: The First Tool
Key Contractual Protections: The Second Tool
Information Security Requirements Exhibit: The Third Tool
Technical Controls
Host Security
System Hardening Checklist
Host Services
Other Host Security Controls
Malware Protection
Viruses, Worms, and Backdoors
DAT Signatures
Multimedia Devices
Network Security
Seven Layers of the OSI Model
Other Layers
Protocol Data Units
TCP/IP Model
Decimal, Binary, and Hexadecimal Compared
Network Addressing
Network Security Controls
Passwords
Patch or Vulnerability Management
Application Controls
Application and System Development
e-Mail
Encryption
Private Key Encryption (Symmetric Key Encryption)
Choosing a Symmetric Key Cryptography Method
Public Key Encryption (Asymmetric Key Encryption)
Choosing an Asymmetric Key Cryptography Method
Digital Signature
One-Way Encryption
e-Mail Encryption
Choosing e-Mail Encryption
Internet Encryption
Choosing an Internet Security Method
Encrypting Hard Drives
Encryption Attacks
Multifactor Authentication
Perimeter Controls
Security Architecture
Internal Controls
External Controls
Telecommunications Security
Voice over IP Security
Virtual Private Network
Wireless Security
Web Filtering
Audit and Compliance
Audit and Compliance
Information Security Governance Metrics
Testing—Vulnerability Assessment
Appendix A: Information Security Policy
Appendix B: Technology Resource Policy
Appendix C: Log-on Warning Banner
Appendix D: Penetration Test Waiver
Appendix E: Tools
Appendix F: How to Report Internet Crime
Acronyms
MyISAT
Web References
Index