فهرست مطالب

• Cover
• Title
• Copyright
• About the Authors
• Contents
• Introduction
• The information economy
• What is IT governance?
• Information security
• Chapter 1: Why is information security necessary?
• The nature of information security threats
• Information insecurity
• Impacts of information security threats
• Cyber crime
• Cyber war
• Advanced persistent threat
• Future risks
• Legislation
• Benefits of an information security management system
• Chapter 2: The corporate governance code, the FRC guidance on risk management, and Sarbanes–Oxley
• The Combined Code
• The Turnbull Report
• The Corporate Governance Code
• Sarbanes–Oxley
• Enterprise risk management
• Regulatory compliance
• IT governance
• Chapter 3: ISO 27001
• Benefits of certification
• The history of ISO 27001 and ISO 27002
• The ISO/IEC 27000 series of standards
• Use of the Standard
• ISO/IEC 27002
• Continual improvement, Plan–Do–Check–Act, and process approach
• Structured approach to implementation
• Management system integration
• Documentation
• Continual improvement and metrics
• Chapter 4: Organizing information security
• Internal organization
• Management review
• The information security manager
• The cross-functional management forum
• The ISO 27001 project group
• Specialist information security advice
• Segregation of duties
• Contact with authorities
• Contact with special interest groups
• Information security in project management
• Independent review of information security
• Summary
• Chapter 5: Information security policy and scope
• Context of the organization
• Information security policy
• A policy statement
• Costs and the monitoring of progress
• Chapter 6: The risk assessment and Statement of Applicability
• Establishing security requirements
• Risks, impacts, and risk management
• Threat intelligence
• Cyber Essentials
• Selection of controls and Statement of Applicability
• Statement of Applicability example
• Gap analysis
• Risk assessment tools
• Risk treatment plan
• Measures of effectiveness
• Chapter 7: Mobile and remote working
• Mobile devices and remote working
• Remote working
• Chapter 8: Human resources security
• Job descriptions and competency requirements
• Screening
• Terms and conditions of employment
• During employment
• Disciplinary process
• Termination or change of employment
• Chapter 9: Asset management
• Asset owners
• Inventory of information assets
• Acceptable use of information and other assets
• Classification of information
• Unified classification markings
• Government classification markings
• Information lifecycle
• Labeling of information
• Non-disclosure agreements and trusted partners
• Chapter 10: Exchanges of information
• Information transfer policies and procedures
• Agreements on information transfers
• Management of removable media
• Email and social media
• Security risks in email
• Spam
• Misuse of the Internet and web filtering
• Internet acceptable use policy
• Social media
• Chapter 11: Access control
• Hackers
• Hacker techniques
• Access control
• Chapter 12: User access management
• Identity management
• Access rights
• Password management system
• Chapter 13: Supplier relationships
• Information security policy for supplier relationships
• Addressing security within supplier agreements
• Managing information security in the ICT supply chain
• Monitoring, review, and change management of supplier services
• Managing changes to supplier services
• Information security for Cloud services
• Chapter 14: Physical and environmental security
• Physical security perimeters
• Delivery and loading areas
• Physical security monitoring
• Protecting against external and environmental threats
• Chapter 15: Equipment security
• Equipment siting and protection
• Supporting utilities
• Cabling security
• Equipment maintenance
• Security of equipment and assets off-premises
• Secure disposal or reuse of equipment
• Unattended user equipment
• Clear desk and clear screen policy
• Chapter 16: System and application access control
• Information access restriction
• Dynamic access control
• Access control to source code
• Secure authentication
• Use of privileged utility programs
• Installation of software on operational systems
• Chapter 17: Cryptography
• Encryption
• Public key infrastructure
• Digital signatures
• Non- repudiation services
• Key management
• Chapter 18: Operations security
• Documented operating procedures
• Change management
• Separation of development, testing and operational environments
• Information backup
• Chapter 19: Controls against malicious software (malware)
• Viruses, worms, Trojans, and rootkits
• Spyware
• Anti-malware software
• Hoax messages and ransomware
• Phishing and pharming
• Anti-malware controls
• Airborne viruses
• Technical vulnerability management
• System configuration
• Information deletion
• Data masking
• Data leakage prevention
• Chapter 20: Networks security
• Network security management
• Networks security
• Access to networks and network services
• Chapter 21: System acquisition, development, and maintenance
• Security requirements analysis and specification
• Application security requirements
• E-commerce issues
• Security technologies
• Chapter 22: Development and support processes
• Secure development policy
• Secure systems architecture and engineering principles
• Secure coding
• Secure development environment
• Security testing in development and acceptance
• Chapter 23: Monitoring and information security incident management
• Logging and monitoring
• Information security events and incidents
• Incident management – responsibilities and procedures
• Reporting information security events
• Reporting software malfunctions
• Assessment of and decision on information security events
• Response to information security incidents
• Legal admissibility
• Chapter 24: Business and information security continuity management
• ISO 22301
• The business continuity management process
• Business continuity and risk assessment
• Developing and implementing continuity plans
• Business continuity planning framework
• Testing, maintaining, and reassessing business continuity plans
• Information security continuity
• Chapter 25: Compliance
• Identification of applicable legislation
• Regulation of cryptographic controls
• Intellectual property rights
• Protection of organizational records
• Privacy and protection of personally identifiable information
• Compliance with security policies and standards
• Chapter 26: The ISO 27001 audit
• Selection of auditors
• Initial audit
• Preparation for audit
• Terminology
• Information systems audit considerations
• Appendix 1: Useful websites
• Appendix 2: Further reading
• Index