Security Program and Policies: Principles and Practices, 2/e (Paperback)

Sari Greene



Everything you need to know about information security programs and policies, in one book

  • Clearly explains all facets of InfoSec program and policy planning, development, deployment, and management
  • Thoroughly updated for today’s challenges, laws, regulations, and best practices
  • The perfect resource for anyone pursuing an information security management career


In today’s dangerous world, failures in information security can be catastrophic. Organizations must protect themselves. Protection begins with comprehensive, realistic policies. This up-to-date guide will help you create, deploy, and manage them.

Complete and easy to understand, it explains key concepts and techniques through real-life examples. You’ll master modern information security regulations and frameworks, and learn specific best-practice policies for key industry sectors, including finance, healthcare, online commerce, and small business.


If you understand basic information security, you’re ready to succeed with this book. You’ll find projects, questions, exercises, examples, links to valuable easy-to-adapt information security policies...everything you need to implement a successful information security program.


Sari Stern Greene, CISSP, CRISC, CISM, NSA/IAM, is an information security practitioner, author, and entrepreneur. She is passionate about the importance of protecting information and critical infrastructure. Sari founded Sage Data Security in 2002 and has amassed thousands of hours in the field working with a spectrum of technical, operational, and management personnel, as well as boards of directors, regulators, and service providers. Her first text was Tools and Techniques for Securing Microsoft Networks, commissioned by Microsoft to train its partner channel, which was soon followed by the first edition of Security Policies and Procedures: Principles and Practices. She is actively involved in the security community and speaks regularly at security conferences and workshops. She has been quoted in The New York Times and The Wall Street Journal, and on CNN and CNBC. Since 2010, Sari has served as the chair of the annual Cybercrime Symposium.


Learn how to

  • Establish program objectives, elements, domains, and governance
  • Understand policies, standards, procedures, guidelines, and plans, and the differences among them
  • Write policies in “plain language,” with the right level of detail
  • Apply the Confidentiality, Integrity & Availability (CIA) security model
  • Use NIST resources and ISO/IEC 27000-series standards
  • Align security with business strategy
  • Define, inventory, and classify your information and systems
  • Systematically identify, prioritize, and manage InfoSec risks
  • Reduce “people-related” risks with role-based Security Education, Awareness, and Training (SETA)
  • Implement effective physical, environmental, communications, and operational security
  • Effectively manage access control
  • Secure the entire system development lifecycle
  • Respond to incidents and ensure continuity of operations
  • Comply with laws and regulations, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules, and PCI DSS




  • Clearly explains all facets of information security program and policy planning, development, deployment, and management
  • Thoroughly updated for today’s challenges, laws, regulations, and best practices
  • The perfect resource for anyone pursuing an information security management career




Sari Stern Greene, CISSP, CRISC, CISM, NSA/IAM, is an information security practitioner, author, and entrepreneur. She is passionate about the importance of protecting information and critical infrastructure. Sari founded Sage Data Security in 2002 and has accumulated thousands of hours of experience in the field working with technical, operational, and management personnel, as well as boards of directors, regulators, and service providers. Her first book, Tools and Techniques for Securing Microsoft Networks, was commissioned by Microsoft to train its partner channel; it was followed by the first edition of Security Policies and Procedures: Principles and Practices. She is actively involved in the security community and speaks regularly at security conferences and workshops. She has been quoted in The New York Times and The Wall Street Journal, and on CNN and CNBC. Since 2010, Sari has served as chair of the annual Cybercrime Symposium.


  • Establish program objectives, elements, domains, and governance
  • Understand the differences among policies, standards, procedures, guidelines, and plans
  • Write policies in “plain language,” with the appropriate level of detail
  • Apply the Confidentiality, Integrity, and Availability (CIA) security model
  • Use NIST resources and ISO/IEC 27000-series standards
  • Align security with business strategy
  • Define, inventory, and classify your information and systems
  • Systematically identify, prioritize, and manage information security risks
  • Reduce role-related risks