IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002

Faced with the compliance requirements of increasingly punitive information- and privacy-related regulation, as well as the proliferation of complex threats to information security, organizations urgently need to adopt IT governance best practice. Alan Calder's guide sets out how to build an information security management system that meets the requirements of ISO 27001 and draws on the control guidance of ISO 27002. It covers the governance context (the UK Corporate Governance Code, the FRC risk guidance and Sarbanes-Oxley), then works through the standard's core mechanisms: defining policy and scope, carrying out the risk assessment, producing the Statement of Applicability, and implementing the control areas from asset management and access control through supplier relationships, incident management and business continuity, ending with compliance and the ISO 27001 audit itself. The earlier version of this description wrongly attached a Microsoft threat-modeling author biography to this title; that text belongs to a different book and has been removed.

Book contents:

  1. Why is Information Security Necessary?

  2. The Corporate Governance Code, the FRC Risk Guidance and Sarbanes-Oxley

  3. ISO 27001

  4. Organizing Information Security

  5. Information Security Policy and Scope

  6. The Risk Assessment and Statement of Applicability

  7. Mobile Devices

  8. Human Resources Security

  9. Asset Management

  10. Media Handling

  11. Access Control

  12. User Access Management

  13. System and Application Access Control

  14. Communications Management

  15. Exchanges of Information

  16. System Acquisition, Development and Maintenance

  17. Development and Support Processes

  18. Supplier Relationships

  19. Monitoring and Information Security Incident Management

  20. Business and Information Security Continuity Management

  21. Compliance

  22. The ISO 27001 Audit