IT Security Risk Control Management

1. Front Matter

   Pages i-xxxi

   PDF

2. Getting a Handle on Things

   1. Front Matter

      Pages 1-1

      PDF

   2. Why Audit?

      • Raymond Pompon

      Pages 3-11

   3. Assume Breach

      • Raymond Pompon

      Pages 13-21

   4. Risk Analysis: Assets and Impacts

      • Raymond Pompon

      Pages 23-37

   5. Risk Analysis: Natural Threats

      • Raymond Pompon

      Pages 39-50

   6. Risk Analysis: Adversarial Risk

      • Raymond Pompon

      Pages 51-65

3. Wrangling the Organization

   1. Front Matter

      Pages 67-67

      PDF

   2. Scope

      • Raymond Pompon

      Pages 69-80

   3. Governance

      • Raymond Pompon

      Pages 81-98

   4. Talking to the Suits

      • Raymond Pompon

      Pages 99-112

   5. Talking to the Techs

      • Raymond Pompon

      Pages 113-121

   6. Talking to the Users

      • Raymond Pompon

      Pages 123-130

4. Managing Risk with Controls

   1. Front Matter

      Pages 131-131

      PDF

   2. Policy

      • Raymond Pompon

      Pages 133-143

   3. Control Design

      • Raymond Pompon

      Pages 145-152

   4. Administrative Controls

      • Raymond Pompon

      Pages 153-163

   5. Vulnerability Management

      • Raymond Pompon

      Pages 165-174

   6. People Controls

      • Raymond Pompon

      Pages 175-185

   7. Logical Access Control

      • Raymond Pompon

      Pages 187-195

Follow step-by-step guidance to craft a successful security program. You will identify with the paradoxes of information security and discover handy tools that hook security controls into business processes.

Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking.

What You Will Learn:

• Build a security program that will fit neatly into an organization and change dynamically to suit both the needs of the organization and survive constantly changing threats
  
• Prepare  for and pass such common audits as PCI-DSS, SSAE-16, and ISO 27001
  
• Calibrate the scope, and customize security controls to fit into an organization’s culture
  
• Implement the most challenging processes, pointing out common pitfalls and distractions
  
• Frame security and risk issues to be clear and actionable so that decision makers, technical personnel, and users will listen and value your advice

Who This Book Is For:

IT professionals moving into the security field; new security managers, directors, project heads, and would-be CISOs; and security specialists from other disciplines moving into information security (e.g., former military security professionals, law enforcement professionals, and physical security professionals)

• IT Security
• Security Audit
• Security Risk
• Security Policy
• Risk Management
• Network Security Controls
• Logical Access Controls
• Vulnerability Management
• Network Breach
• Network Risk
• Failure Mode Effects Analysis
• Adversarial Risk
• SSAE-16
• PCI
• ISO27001

“Pompon provides step-by-step guidance for successfully establishing a security management system for an organization’s IT systems. … The introduction provides a good road map to the book, and each chapter finishes with a list of further readings. There is a good index and a very thorough table of contents. … This is a good, step-by-step approach to building a security program that should protect an organization’s IT systems and, importantly, also be able to demonstrate that protection to an auditor.” (David B. Henderson, Computing Reviews, April, 2017)

• Seattle, USA

  Raymond Pompon

Ray Pompon is currently the Director of Security at Linedata. With over 20 years of experience in Internet security, he works closely with Federal investigators in cyber-crime investigations and apprehensions. He has been directly involved in several major intrusion cases, including the FBI undercover Flyhook operation and the NW Hospital botnet prosecution. For six years, Ray was president and founder of the Seattle chapter of InfraGard, the FBI public-private partnership. He is a lecturer and on the board of advisors for three information assurance certificate programs at the University of Washington. Ray has written many articles and white papers on advanced technology topics and is frequently asked to speak as a subject matter expert on Internet security issues. National journalists have solicited and quoted his thoughts and perspective on the topic of computer security numerous times. He is a Certified Information Systems Security Professional as well as GIAC certified in the Law of Data Security & Investigations.

Policies and ethics