Information is widely regarded as the lifeblood of modern business, but organizations are facing a flood of threats to such “intellectual capital” from hackers, viruses, and online fraud. Directors must respond to increasingly complex and competing demands regarding data protection, privacy regulations, computer misuse, and investigatory regulations. IT Governance will be valuable to board members, executives, owners and managers of any business or organization that depends on information. Covering the Sarbanes-Oxley Act (in the US) and the Turnbull Report and the Combined Code (in the UK), the book examines standards of best practice for compliance and data security. Written for companies looking to protect and enhance their information security management systems, it allows them to ensure that their IT security strategies are coordinated, coherent, comprehensive and cost-effective.
Contents

Acknowledgements  xi
Introduction  1
Why is information security necessary?  9
The nature of information security threats  10
The prevalence of information security threats  12
Impacts of information security threats  13
Cybercrime  15
Cyberwar  17
Future risks  17
Legislation  21
Benefits of an information security management system  21
The Combined Code, the Turnbull Report and Sarbanes-Oxley  23
The Combined Code  23
The Turnbull Report  24
The Revised Combined Code  25
Sarbanes-Oxley  28
IT governance  31
ISO27001  33
Benefits of certification  33
The history of ISO27001 and ISO27002  35
The ISO/IEC 27000 series of standards  36
Use of the standard  37
ISO/IEC 27002  37
The Plan-Do-Check-Act and process approach  39
Structured approach to implementation  40
Quality system integration  42
Documentation  43
Continual improvement and metrics  47
Organizing information security  49
Internal organization  50
Management review  51
Information security manager  52
The cross-functional management forum  53
The ISO27001 project group  55
Approval process for information processing facilities  60
Product selection and the Common Criteria  61
Specialist information security advice  62
Contact with authorities and special interest groups  67
Independent review of information security  67
Summary  68
Information security policy and scope  69
Information security policy  69
A policy statement  76
Costs and the monitoring of progress  77
The risk assessment and statement of applicability  79
Establishing security requirements  79
Risks, impacts and risk management  79
Selection of controls and statement of applicability  93
Gap analysis  97
Risk assessment tools  97
Risk treatment plan  98
Measures of effectiveness  99
External parties  101
Identification of risks related to external parties  101
Types of access  103
Reasons for access  104
Outsourcing  105
On-site contractors  107
Addressing security when dealing with customers  108
Addressing security in third-party agreements  110
Asset management  114
Asset owners  114
Inventory  115
Acceptable use of assets  118
Information classification  118
Unified classification markings  121
Information labelling and handling  123
Non-disclosure agreements and trusted partners  128
Human resources security  129
Job descriptions and competency requirements  130
Screening  131
Terms and conditions of employment  134
During employment  136
Disciplinary process  142
Termination or change of employment  142
Physical and environmental security  145
Secure areas  145
Public access, delivery and loading areas  154
Equipment security  156
Equipment siting and protection  156
Supporting utilities  159
Cabling security  161
Equipment maintenance  162
Security of equipment off-premises  163
Secure disposal or reuse of equipment  164
Removal of property  164
Communications and operations management  167
Documented operating procedures  167
Change management  169
Segregation of duties  170
Separation of development, test and operational facilities  171
Third-party service delivery management  172
Monitoring and review of third-party services  173
Managing changes to third-party services  174
System planning and acceptance  175
Controls against malicious software (malware) and back-ups  180
Viruses, worms and Trojans  181
Spyware  182
Anti-malware software  182
Hoax messages  183
Anti-malware controls  184
Airborne viruses  187
Controls against mobile code  188
Back-up  189
Network security management and media handling  193
Network management  193
Media handling  196
Exchanges of information  199
Information exchange policies and procedures  199
Exchange agreements  202
Physical media in transit  203
Business information systems  204
Electronic commerce services  207
E-commerce issues  207
Security technologies  210
Server security  213
Online transactions  214
Publicly available information  215
E-mail and internet use  218
Security risks in e-mail  219
Spam  221
Misuse of the internet  221
Internet acceptable use policy  223
Access control  226
Hackers  226
Hacker techniques  227
System configuration  230
Access control policy  231
User access management  233
Clear desk and clear screen policy  242
Network access control  244
Networks  244
Network security  248
Operating system access control  257
Secure log-on procedures  257
User identification and authentication  259
Password management system  259
Use of system utilities  260
Session time-out  260
Limitation of connection time  261
Application access control and teleworking  262
Application and information access control  262
Mobile computing and teleworking  264
Systems acquisition, development and maintenance  270
Security requirements analysis and specification  271
Correct processing in applications  271
Cryptographic controls  275
Encryption  276
Public key infrastructure  277
Digital signatures  278
Non-repudiation services  279
Key management  280
Security in development and support processes  282
System files  282
Access control to program source code  284
Development and support processes  284
Vulnerability management  288
Monitoring and information security incident management  290
Monitoring  290
Information security events  295
Management of information security incidents and improvements  300
Legal admissibility  305
Business continuity management  306
BS25999  307
The business continuity management process  307
Business continuity and risk assessment  308
Developing and implementing continuity plans  309
Business continuity planning framework  311
Testing, maintaining and reassessing business continuity plans  315
Compliance  319
Identification of applicable legislation  320
Intellectual property rights  329
Safeguarding of organizational records  334
Data protection and privacy of personal information  335
Prevention of misuse of information processing facilities  336
Regulation of cryptographic controls  337
Compliance with security policies and standards, and technical compliance checking  337
Information systems audit considerations  340
The ISO27001 audit  342
Selection of auditors  343
Initial audit  344
Preparation for audit  345
Terminology  347
Useful websites  351
Further reading  359
Index  363
From the Publisher

"A top pick for college-level, professional IT and computer collections." — The Midwest Book Review