A Practical Guide to Security Assessments

CRC Press, Sep 29, 2004 - Business & Economics - 520 pages
The modern dependence upon information technology, and the information security regulations and requirements that come with it, force companies to evaluate the security of their core business processes, mission-critical data, and supporting IT environment. Combine this with a slowdown in IT spending that requires every purchase to be justified, and security professionals are forced to scramble to find comprehensive and effective ways to assess their environment, discover and prioritize vulnerabilities, and develop cost-effective solutions that show benefit to the business. A Practical Guide to Security Assessments takes a process-focused approach and presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and of how security measures align with business risks. The guide also emphasizes that the resulting security recommendations should be cost-effective and commensurate with the security risk. The methodology described serves as a foundation for building and maintaining an information security program. In addition to the methodology, the book includes an Appendix of questionnaires that can be modified and used to conduct security assessments. The guide is written for security professionals, who can apply the methodology immediately on the job, and also benefits management, who can use it to better understand information security and identify areas for improvement.

Contents

Chapter 1 Introduction - 1
Chapter 2 Evolution of Information Security - 5
Chapter 3 The Information Security Program and How a Security Assessment Fits In - 45
Chapter 4 Planning - 67
Chapter 5 Initial Information Gathering - 103
Chapter 6 Business Process Evaluation - 139
Chapter 7 Technology Evaluation - 165
Chapter 8 Risk Analysis and Final Presentation - 193
Chapter 9 Information Security Standards - 229
Chapter 10 Information Security Legislation - 245
Security Questionnaires and Checklists - 255
  Preliminary Checklist to Gather Information - 259
  Generic Questionnaire for Meetings with Business Process Owners - 271
  Generic Questionnaire for Meetings with Technology Owners - 277
  Data Classification - 283
  Data Retention - 291
  Backup and Recovery - 297
  Externally Hosted Services - 309
  Physical Security - 325
  Employee Termination - 343
  Incident Handling - 351
  Business to Business (B2B) - 361
  Business to Consumer (B2C) - 371
  Change Management - 385
  User ID Administration - 391
  Managed Security - 403
  Media Handling - 415
  HIPAA Security - 423
Index - 487
Back cover - 499
Copyright

Popular passages

Page 425 - An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. (ix) The health care program for active military personnel under title 10 of the United States Code. (x) The veterans health care program under 38 USC chapter 17.
Page 470 - Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Page 241 - Fites et al. [4], who recommend that one take the following steps: 1. Identify what you are trying to protect. 2. Determine what you are trying to protect it from. 3. Determine how likely the threats are. 4. Implement measures that will protect your assets in a cost-effective manner. 5. Review the process continuously, and make improvements each time a weakness is found. Most...
Page 252 - "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation.
Page 469 - Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Page 425 - An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 USC 1397, et seq.
Page 460 - Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (ii) Implementation specifications: (A) Data backup plan (Required).

About the author (2004)

Sudhanshu Kairab (Amper, Politziner, & Mattia, P.C., New Jersey, USA)