Information Security: A Strategic Approach (Paperback) (US original edition)

Vincent LeVeque

  • Publisher: IEEE
  • Publication date: 2006-03-01
  • List price: $3,120
  • Sale price: $1,560 (50% off list)
  • Language: English
  • Pages: 288
  • Binding: Paperback
  • ISBN: 0471736120
  • ISBN-13: 9780471736127
  • Category: Information Security
  • Ships immediately (stock < 3)


Product Description

Bridging the gap between information security and strategic planning

This book reflects the author's firsthand experience as an information security consultant working for a range of clients in the private and public sectors. Readers learn how to work with their organizations to develop and implement a successful information security plan, both by improving management practices and by establishing information security as an integral part of overall strategic planning.

The book starts with an overview of basic concepts in strategic planning, information technology strategy, and information security strategy. A practical guide to defining an information security strategy is then provided, covering the "nuts and bolts" of defining long-term information security goals that effectively protect information resources. Separate chapters covering technology strategy and management strategy clearly demonstrate that both are essential, complementary elements in protecting information.

Following this practical introduction to strategy development, subsequent chapters cover the theoretical foundation of an information security strategy, including:
* Examination of key enterprise planning models that correspond to different uses of information and different strategies for securing information
* Review of information economics, an essential link between information security strategy and business strategy
* Role of risk in building an information security strategy

Two separate case studies are developed, helping readers understand how the development and implementation of information security strategies can work within their own organizations.

This is essential reading for information security managers, information technology executives, and consultants. By linking information security to general management strategy, the publication is also recommended for nontechnical executives who need to protect the value and security of their organization's information.


Table of Contents

List of Figures
Preface
1. Introduction
   Strategy Overview
   Strategy and Information Technology
   Strategy and Information Security
   An Information Security Strategic Planning Methodology
   The Business Environment
   Information Value
   Risk
   The Strategic Planning Process
   The Technology Plan
   The Management Plan
   Theory and Practice
2. Developing an Information Security Strategy
   Overview
   An Information Security Strategy Development Methodology
   Strategy Prerequisites
   Research Sources
   Preliminary Development
   Formal Project Introduction
   Fact Finding
   General Background Information
   Documentation Review
   Interviews
   Surveys
   Research Sources
   Analysis Methods
   Strengths, Weaknesses, Opportunities, and Threats
   Business Systems Planning
   Life-Cycle Methods
   Critical Success Factors
   Economic Analysis
   Risk Analysis
   Benchmarks and Best Practices
   Compliance Requirements
   Analysis Focus Areas
   Industry Environment
   Organizational Mission and Goals
   Executive Governance
   Management Systems and Controls
   Information Technology Management
   Information Technology Architecture
   Security Management
   Draft Plan Presentation
   Final Plan Presentation
   Options for Plan Development
   A Plan Outline
   Selling the Strategy
   Plan Maintenance
   The Security Assessment and the Security Strategy
   Strategy Implementation:
   What Is a Tactical Plan?
   Converting Strategic Goals to Tactical Plans
   Turning Tactical Planning Outcomes into Ongoing Operations
   Key Points
   Plan Outline
3. The Technology Strategy
   Thinking About Technology
   Planning Technology Implementation
   Technology Forecasting
   Some Basic Advice
   Technology Life-Cycle Models
   Technology Solution Evaluation
   Role of Analysts
   Technology Strategy Components:
   The Security Strategy Technical Architecture
   Leveraging Existing Vendors
   Legacy Technology
   The Management Dimension
   Overall Technical Design
   The Logical Technology Architecture
   Specific Technical Components
   Servers
   Network Zones
   External Network Connections
   Desktop Systems
   Applications and DBMS
   Portable Computing Devices
   Telephone Systems
   Control Devices
   Intelligent Peripherals
   Facility Security Systems
   Security Management Systems
   Key Points
4. The Management Strategy
   Control Systems
   Control Systems and the Information Security Strategy
   Governance
   Ensuring IT Governance
   IT Governance Models
   Current Issues in Governance
   Control Objectives for Information and Related Technology (CobiT)
   IT Balanced Scorecard
   Governance in Information Security
   End-User Role
   An IT Management Model for Information Security
   Policies, Procedures, and Standards
   Assigning Information Security Responsibilities
   To Whom Should Information Security Report?
   Executive Roles
   Organizational Interfaces
   Information Security Staff Structure
   Staffing and Funding Levels
   Managing Vendors
   Organizational Culture and Legitimacy
   Training and Awareness
   Key Points
5. Case Studies
   Case Study 1: Singles Opportunity Services
   Background
   Developing the Strategic Plan
   Information Value Analysis
   Risk Analysis
   Technology Strategy
   Management Strategy
   Implementation
   Case Study 2: Rancho Nachos Mosquito Abatement District
   Background
   Developing the Strategic Plan
   Information Value Analysis
   Risk Analysis
   Technology Strategy
   Management Strategy
   Implementation
   Key Points
6. Business and IT Strategy
   Introduction
   Strategy and Systems of Management
   Business Strategy Models
   Boston Consulting Group Business Matrix
   Michael Porter: Competitive Advantage
   Business Process Reengineering
   The Strategy of No Strategy
   IT Strategy
   Nolan/Gibson Stages of Growth
   Information Engineering
   Rockart's Critical Success Factors
   IBM Business System Planning (BSP)
   So Is IT Really "Strategic"?
   IT Strategy and Information Security Strategy
   Key Points
7. Information Economics
   Concepts of Information Protection
   Information Ownership
   From Ownership to Asset
   Information Economics and Information Security
   Basic Economic Principles
   Why Is Information Economics Difficult?
   Information Value: Reducing Uncertainty
   Information Value: Improved Business Processes
   Information Security Investment Economics
   The Economic Cost of Security Failures
   Future Directions in Information Economics
   Information Management Accounting: Return on Investment
   Economic Models and Management Decision Making
   Information Protection or Information Stewardship?
   Key Points
8. Risk Analysis
   Compliance Versus Risk Approaches
   The "Classic" Risk Analysis Model
   Newer Risk Models
   Process-Oriented Risk Models
   Tree-Based Risk Models
   Organizational Risk Cultures
   Risk Averse, Risk Neutral, and Risk Taking Organizations
   Strategic Versus Tactical Risk Analysis
   When Compliance-Based Models Are Appropriate
   Risk Mitigation
   Key Points
Notes and References
Index
