IT Security Risk Control Management: An Audit Preparation Plan

This book explains how to construct an information security program, from inception to audit, with enduring, practical, hands-on advice and actionable behavior for IT professionals.  Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking.

IT Security Risk Control Management provides step-by-step guidance on how to craft a security program that will fit neatly into an organization and change dynamically to suit both the needs of the organization and survive constant changing threats.  Readers will understand the paradoxes of information security and discover handy tools that hook security controls into business processes. 

With this book, you will be able to equip your security program to prepare for and pass such common audits as PCI, SSAE-16 and ISO 27001. In addition, you will learn the depth and breadth of the expertise necessary to become an adaptive and effective security professional. This book:

• Starts at the beginning of how to approach, scope, and customize a security program to fit an organization.
  
• Walks you through how to implement the most challenging processes, pointing out common pitfalls and distractions.
  
• Teaches you how to frame security and risk issues to be clear and actionable to decision makers, technical personnel, and users.

What you’ll learn

• How to organically grow a useful, functional security program appropriate to an organization's culture and requirements
  
• How to inform, advise, and influence executives, IT staff, and users on information security
  
• How to think like a seasoned security professional, understanding how cyber-criminals subvert systems with subtle and insidious tricks.
  
• How to analyze, select, implement, and monitor security controls such as change control, vulnerability management, incident response, and access controls.
  
• How to prepare an organization to pass external formal audits such as PCI, SSAE-16 or ISO 27001
  
• How to  write clear, easy to follow, comprehensive security policies and procedures
  

Who This Book Is For

IT professionals moving into the security field; new security managers, directors, project heads, and would-be CISOs; and security specialists from other disciplines moving into information security (e.g., former military security professionals, law enforcement professionals, and physical security professionals). 

本書解釋了如何建立一個信息安全計劃，從開始到審計，提供持久、實用、實踐性的建議和可行的行為指南，適用於IT專業人士。信息安全不僅僅是配置防火牆、清除病毒、入侵機器或設置密碼。創建和推廣一個成功的安全計劃需要組織諮詢、外交、變革管理、風險分析和獨特思維的技能。

《IT安全風險控制管理》提供了逐步指導，教您如何打造一個能夠完美融入組織並能夠動態適應組織需求和不斷變化的威脅的安全計劃。讀者將了解信息安全的矛盾之處，並發現將安全控制與業務流程相結合的實用工具。

通過本書，您將能夠為您的安全計劃做好準備，通過常見的PCI、SSAE-16和ISO 27001等審計。此外，您還將學習到成為一名適應性和高效的安全專業人員所需的專業知識的深度和廣度。本書包括以下內容：

- 從如何處理、範圍和定制安全計劃開始。
- 引導您實施最具挑戰性的流程，指出常見的陷阱和干擾。
- 教您如何將安全和風險問題框架化，以便決策者、技術人員和用戶能夠清晰明確地行動。

您將學到以下內容：

- 如何有機地發展一個有用、功能性的安全計劃，以適應組織的文化和需求。
- 如何向高管、IT人員和用戶提供信息安全的信息、建議和影響力。
- 如何像一名經驗豐富的安全專業人員一樣思考，了解網絡犯罪分子如何以微妙而隱蔽的手法破壞系統。
- 如何分析、選擇、實施和監控安全控制，如變更控制、漏洞管理、事件響應和訪問控制。
- 如何使組織能夠通過PCI、SSAE-16或ISO 27001等外部正式審計。
- 如何撰寫清晰、易於遵循、全面的安全政策和程序。

本書適合以下讀者：

- 轉入安全領域的IT專業人士；
- 新的安全經理、主管、項目負責人和未來的CISO；
- 從其他專業領域轉入信息安全的安全專家（例如前軍事安全專業人員、執法人員和實體安全專業人員）。