Managing Information Security Breaches: Studies from real life

A comprehensive guide to managing an information security incident Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses: major companies and government departments suffer from them as well. Completel...


Bibliographic Details
Corporate Author: IT Governance Publishing (editor)
Other Authors: Krausz, Michael (author)
Format: eBook
Language: English
Published: IT Governance Publishing 2015.
Edition: 2nd edition
Subjects:
See on Biblioteca Universitat Ramon Llull: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009630028406719
Table of Contents:
  • Intro
  • Foreword
  • Preface
  • About the Author
  • Acknowledgements
  • Contents
  • Introduction
  • Part 1 - General
  • Chapter 1: Why Risk does Not Depend on Company Size
  • Risk effect
  • Propagation of damage (downstream effects)
  • Culture
  • Information security staff
  • Cash reserves / cash at hand
  • Ability to improvise / make quick decisions
  • Preparedness
  • Contacts with authority
  • Chapter 2: Getting your Risk Profile Right
  • Intuitive risk analysis
  • Formal risk analysis
  • Step 1 - Identifying threats
  • Step 2 - Assigning damage and likelihood
  • Step 3 - Defining acceptable loss
  • Step 4 - Defining mitigation priorities (business priorities)
  • Residual risks
  • Chapter 3: What is a Breach?
  • Confidentiality breach
  • Availability breach
  • Integrity breach
  • Impact
  • Source
  • External vs. internal
  • Unintentional vs. intentional
  • Manual vs. automatic
  • Human vs. nature
  • General treatment options
  • Chapter 4: General Avoidance and Mitigation Strategies
  • Introduction - general aspects, avoidance and related ISO27001 controls
  • People
  • A.7.1.1 - Screening
  • Methods of screening
  • A.7.1.2 - Terms and conditions of employment
  • A.7.2.1 - Management responsibilities
  • A.7.2.2 - Information security awareness, education and training
  • A.7.2.3 - Disciplinary process
  • A.7.3.1 - Termination or change of employment
  • A.8.1.4 - Return of assets
  • A.9.2.6 - Removal or adjustment of access rights
  • Processes
  • Technology
  • ISO27001 Controls helpful for treatment of breaches
  • A.6.1.3 - Contact with authorities
  • A.7.2.2 - Information security awareness, education and training
  • A.7.2.3 - Disciplinary process
  • A.8.1.4 - Return of assets
  • A.9.2.6 - Removal or adjustment of access rights
  • A.12.2.1 - Controls against malware
  • A.12.4.1 - Event logging
  • A.12.4.2 - Protection of log information
  • A.16.1.1 - Responsibilities and procedures
  • A.16.1.2 - Reporting information security events
  • A.16.1.3 - Reporting security weaknesses
  • A.16.1.4 - Assessment of and decision on information security events
  • A.16.1.5 - Response to information security incidents
  • A.16.1.6 - Learning from information security incidents
  • A.16.1.7 - Collection of evidence
  • Strategies and tactics for treating breaches
  • Tactical advice
  • Regular meetings
  • Time, time, time
  • Rest
  • People (number)
  • International contacts
  • Keep the information flowing
  • Keep minutes
  • Additional quality feedback
  • Dimensions of treatment / mitigation of information security breaches
  • None
  • Internal investigation
  • External investigation
  • Joint task force
  • Part 2 - Case studies
  • Chapter 5: Notes from the Field
  • Privacy
  • Cost
  • The practicalities of surveillance
  • People
  • Cost
  • Speed
  • Outreach
  • The truth vs. company policy
  • Chapter 6: Motives and Reasons
  • Greed
  • Despair
  • Revenge
  • Business advantage
  • Chapter 7: Case Studies from Small Companies
  • Foreword to the case studies
  • The stolen backup
  • In-depth explanation
  • Lessons learned
  • Eavesdropping on faxes
  • In-depth explanation
  • A stolen laptop
  • In-depth explanation
  • Chapter 8: Case Studies from Medium-sized Companies
  • A case of intrigue - the missing contract
  • In-depth explanation
  • Lessons learned
  • The sales manager who changed jobs
  • In-depth explanation
  • Lessons learned
  • The project manager who became a friend, and then an enemy
  • In-depth explanation
  • The lost customers - how a sales manager cost a company 10% of revenue
  • In-depth explanation
  • Lessons learned
  • The flood - how not to learn about risk management
  • In-depth explanation
  • Chapter 9: Case Studies from Large Corporations
  • Who wants my data? - a case of data theft
  • In-depth explanation
  • Lessons learned
  • Who wants my data? - a more complicated case
  • In-depth explanation
  • Hard disk for sale - beware of your contractors
  • In-depth explanation
  • Unauthorised domain links - it is easy to harm a company's reputation
  • In-depth explanation
  • The trusted guard who was not
  • In-depth explanation
  • Insider badmouthing
  • In-depth explanation
  • The software vulnerability that was not - a case of blackmail
  • In-depth explanation
  • Lessons learned
  • Part 3 - A Sample Treatment Process
  • Chapter 10: A Sample Treatment Process
  • Step 1 Gather information
  • Step 2 Determine extent and damage
  • Step 3 Establish and conduct investigation
  • Step 4 Determine mitigation
  • Step 5 Implement mitigation
  • Step 6 Follow up on investigation results
  • Step 7 Determine degree of resolution achieved
  • Abbreviations and Acronyms
  • ITG Resources