IT Governance: An international guide to data security and ISO 27001/ISO 27002

by Alan Calder, Steve Watkins

Book Details

Book Title: IT Governance: An international guide to data security and ISO 27001/ISO 27002
Author: Alan Calder, Steve Watkins
Publisher: ITGP
Publication Date: 2024
ISBN: 9781787784086
Number of Pages: 486
Language: English
Format: PDF
File Size: 8.17MB
Subject: cybersecurity

Table of Contents

  • Cover
  • Title
  • Copyright
  • About the Authors
  • Contents
  • Introduction
      • The information economy
      • What is IT governance?
      • Information security
  • Chapter 1: Why is information security necessary?
      • The nature of information security threats
      • Information insecurity
      • Impacts of information security threats
      • Cyber crime
      • Cyber war
      • Advanced persistent threat
      • Future risks
      • Legislation
      • Benefits of an information security management system
  • Chapter 2: The corporate governance code, the FRC guidance on risk management, and Sarbanes–Oxley
      • The Combined Code
      • The Turnbull Report
      • The Corporate Governance Code
      • Sarbanes–Oxley
      • Enterprise risk management
      • Regulatory compliance
      • IT governance
  • Chapter 3: ISO 27001
      • Benefits of certification
      • The history of ISO 27001 and ISO 27002
      • The ISO/IEC 27000 series of standards
      • Use of the Standard
      • ISO/IEC 27002
      • Continual improvement, Plan–Do–Check–Act, and process approach
      • Structured approach to implementation
      • Management system integration
      • Documentation
      • Continual improvement and metrics
  • Chapter 4: Organizing information security
      • Internal organization
      • Management review
      • The information security manager
      • The cross-functional management forum
      • The ISO 27001 project group
      • Specialist information security advice
      • Segregation of duties
      • Contact with authorities
      • Contact with special interest groups
      • Information security in project management
      • Independent review of information security
      • Summary
  • Chapter 5: Information security policy and scope
      • Context of the organization
      • Information security policy
      • A policy statement
      • Costs and the monitoring of progress
  • Chapter 6: The risk assessment and Statement of Applicability
      • Establishing security requirements
      • Risks, impacts, and risk management
      • Threat intelligence
      • Cyber Essentials
      • Selection of controls and Statement of Applicability
      • Statement of Applicability example
      • Gap analysis
      • Risk assessment tools
      • Risk treatment plan
      • Measures of effectiveness
  • Chapter 7: Mobile and remote working
      • Mobile devices and remote working
      • Remote working
  • Chapter 8: Human resources security
      • Job descriptions and competency requirements
      • Screening
      • Terms and conditions of employment
      • During employment
      • Disciplinary process
      • Termination or change of employment
  • Chapter 9: Asset management
      • Asset owners
      • Inventory of information assets
      • Acceptable use of information and other assets
      • Classification of information
      • Unified classification markings
      • Government classification markings
      • Information lifecycle
      • Labeling of information
      • Non-disclosure agreements and trusted partners
  • Chapter 10: Exchanges of information
      • Information transfer policies and procedures
      • Agreements on information transfers
      • Management of removable media
      • Email and social media
      • Security risks in email
      • Spam
      • Misuse of the Internet and web filtering
      • Internet acceptable use policy
      • Social media
  • Chapter 11: Access control
      • Hackers
      • Hacker techniques
      • Access control
  • Chapter 12: User access management
      • Identity management
      • Access rights
      • Password management system
  • Chapter 13: Supplier relationships
      • Information security policy for supplier relationships
      • Addressing security within supplier agreements
      • Managing information security in the ICT supply chain
      • Monitoring, review, and change management of supplier services
      • Managing changes to supplier services
      • Information security for Cloud services
  • Chapter 14: Physical and environmental security
      • Physical security perimeters
      • Delivery and loading areas
      • Physical security monitoring
      • Protecting against external and environmental threats
  • Chapter 15: Equipment security
      • Equipment siting and protection
      • Supporting utilities
      • Cabling security
      • Equipment maintenance
      • Security of equipment and assets off-premises
      • Secure disposal or reuse of equipment
      • Unattended user equipment
      • Clear desk and clear screen policy
  • Chapter 16: System and application access control
      • Information access restriction
      • Dynamic access control
      • Access control to source code
      • Secure authentication
      • Use of privileged utility programs
      • Installation of software on operational systems
  • Chapter 17: Cryptography
      • Encryption
      • Public key infrastructure
      • Digital signatures
      • Non-repudiation services
      • Key management
  • Chapter 18: Operations security
      • Documented operating procedures
      • Change management
      • Separation of development, testing and operational environments
      • Information backup
  • Chapter 19: Controls against malicious software (malware)
      • Viruses, worms, Trojans, and rootkits
      • Spyware
      • Anti-malware software
      • Hoax messages and ransomware
      • Phishing and pharming
      • Anti-malware controls
      • Airborne viruses
      • Technical vulnerability management
      • System configuration
      • Information deletion
      • Data masking
      • Data leakage prevention
  • Chapter 20: Networks security
      • Network security management
      • Networks security
      • Access to networks and network services
  • Chapter 21: System acquisition, development, and maintenance
      • Security requirements analysis and specification
      • Application security requirements
      • E-commerce issues
      • Security technologies
  • Chapter 22: Development and support processes
      • Secure development policy
      • Secure systems architecture and engineering principles
      • Secure coding
      • Secure development environment
      • Security testing in development and acceptance
  • Chapter 23: Monitoring and information security incident management
      • Logging and monitoring
      • Information security events and incidents
      • Incident management – responsibilities and procedures
      • Reporting information security events
      • Reporting software malfunctions
      • Assessment of and decision on information security events
      • Response to information security incidents
      • Legal admissibility
  • Chapter 24: Business and information security continuity management
      • ISO 22301
      • The business continuity management process
      • Business continuity and risk assessment
      • Developing and implementing continuity plans
      • Business continuity planning framework
      • Testing, maintaining, and reassessing business continuity plans
      • Information security continuity
  • Chapter 25: Compliance
      • Identification of applicable legislation
      • Regulation of cryptographic controls
      • Intellectual property rights
      • Protection of organizational records
      • Privacy and protection of personally identifiable information
      • Compliance with security policies and standards
  • Chapter 26: The ISO 27001 audit
      • Selection of auditors
      • Initial audit
      • Preparation for audit
      • Terminology
      • Information systems audit considerations
  • Appendix 1: Useful websites
  • Appendix 2: Further reading
  • Index