Information Security: A Strategic Approach (Paperback)(美國原版) (資訊安全:策略性方法)

Vincent LeVeque

  • 出版商: IEEE
  • 出版日期: 2006-03-01
  • 定價: $3,120
  • 售價: 5.0$1,560
  • 語言: 英文
  • 頁數: 288
  • 裝訂: Paperback
  • ISBN: 0471736120
  • ISBN-13: 9780471736127
  • 相關分類: 資訊安全
  • 立即出貨 (庫存 < 3)

買這商品的人也買了...

相關主題

商品描述

Description

Bridging the gap between information security and strategic planning


This publication is a reflection of the author's firsthand experience as an information security consultant, working for an array of clients in the private and public sectors. Readers discover how to work with their organizations to develop and implement a successful information security plan by improving management practices and by establishing information security as an integral part of overall strategic planning.

The book starts with an overview of basic concepts in strategic planning, information technology strategy, and information security strategy. A practical guide to defining an information security strategy is then provided, covering the "nuts and bolts" of defining long-term information security goals that effectively protect information resources. Separate chapters covering technology strategy and management strategy clearly demonstrate that both are essential, complementary elements in protecting information.

Following this practical introduction to strategy development, subsequent chapters cover the theoretical foundation of an information security strategy, including:
* Examination of key enterprise planning models that correspond to different uses of information and different strategies for securing information
* Review of information economics, an essential link between information security strategy and business strategy
* Role of risk in building an information security strategy

Two separate case studies are developed, helping readers understand how the development and implementation of information security strategies can work within their own organizations.

This is essential reading for information security managers, information technology executives, and consultants. By linking information security to general management strategy, the publication is also recommended for nontechnical executives who need to protect the value and security of their organization's information.

 

Table of Contents

List of Figures.

Preface.

1. Introduction.

Strategy Overview.

Strategy and Information Technology.

Strategy and Information Security.

An Information Security Strategic Planning Methodology.

The Business Environment.

Information Value.

Risk.

The Strategic Planning Process.

The Technology Plan.

The Management Plan.

Theory and Practice.

2. Developing an Information Security Strategy.

Overview.

An Information Security Strategy Development Methodology.

Strategy Prerequisites.

Research Sources.

Preliminary Development.

Formal Project Introduction.

Fact Finding.

General Background Information.

Documentation Review.

Interviews.

Surveys.

Research Sources.

Analysis Methods.

Strengths, Weaknesses, Opportunities, and Threats.

Business Systems Planning.

Life-Cycle Methods.

Critical Success Factors.

Economic Analysis.

Risk Analysis.

Benchmarks and Best Practices.

Compliance Requirements.

Analysis Focus Areas.

Industry Environment.

Organizational Mission and Goals.

Executive Governance.

Management Systems and Controls.

Information Technology Management.

Information Technology Architecture.

Security Management.

Draft Plan Presentation.

Final Plan Presentation.

Options for Plan Development.

A Plan Outline.

Selling the Strategy.

Plan Maintenance.

The Security Assessment and the Security Strategy.

Strategy Implementation:

What is a Tactical Plan?

Converting Strategic goals to Tactical Plans.

Turning Tactical Planning Outcomes into Ongoing Operations.

Key Points.

Plan Outline.

3. The Technology Strategy.

Thinking About Technology.

Planning Technology Implementation.

Technology Forecasting.

Some Basic Advice.

Technology Life-Cycle Models.

Technology Solution Evaluation.

Role of Analysts.

Technology Strategy Components:

The Security Strategy Technical Architecture.

Leveraging Existing Vendors.

Legacy Technology.

The Management Dimension.

Overall Technical Design.

The Logical Technology Architecture.

Specific Technical Components.

Servers.

Network Zones.

External Network Connections.

Desktop Systems.

Applications and DBMS.

Portable Computing Devices.

Telephone Systems.

Control Devices.

Intelligent Peripherals.

Facility Security Systems.

Security Management Systems.

Key Points.

4. The Management Strategy.

Control Systems.

Control Systems and the Information Security Strategy.

Governance.

Ensuring IT Governance.

IT Governance Models.

Current Issues in Governance.

Control Objectives for Information and Related Technology (CobiT).

IT Balanced Scorecard.

Governance in Information Security.

End-User Role.

An IT Management Model for Information Security.

Policies, Procedures, and Standards.

Assigning Information Security Responsibilities.

To Whom Should Information Security Report?

Executive Roles.

Organizational Interfaces.

Information Security Staff Structure.

Staffing and Funding Levels.

Managing Vendors.

Organizational Culture and Legitimacy.

Training and Awareness.

Key Points.

5. Case Studies.

Case Study 1—Singles Opportunity Services.

Background.

Developing the Strategic Plan.

Information Value Analysis.

Risk Analysis.

Technology Strategy.

Management Strategy.

Implementation.

Case Study 2—Rancho Nachos Mosquito Abatement District.

Background.

Developing the Strategic Plan.

Information Value Analysis.

Risk Analysis.

Technology Strategy.

Management Strategy.

Implementation.

Key Points.

6. Business and IT Strategy:

Introduction.

Strategy and Systems of Management.

Business Strategy Models.

Boston Consulting Group Business Matrix.

Michael Porter—Competitive Advantage.

Business Process Reengineering.

The Strategy of No Strategy.

IT Strategy.

Nolan/Gibson Stages of Growth.

Information Engineering.

Rockart’s Critical Success Factors.

IBM Business System Planning (BSP).

So is IT really “strategic”?

IT Strategy and Information Security Strategy.

Key Points.

7. Information Economics.

Concepts of Information Protection.

Information Ownership.

From Ownership to Asset.

Information Economics and Information Security.

Basic Economic Principles.

Why is Information Economics Difficult?

Information Value—Reducing Uncertainty.

Information Value—Improved Business Processes.

Information Security Investment Economics.

The Economic Cost of Security Failures.

Future Directions in Information Economics.

Information Management Accounting—Return on Investment.

Economic Models and Management Decision Making.

Information Protection or Information Stewardship?

Key Points.

8. Risk Analysis.

Compliance Versus Risk Approaches.

The “Classic” Risk Analysis Model.

Newer Risk Models.

Process-Oriented Risk Models.

Tree-Based Risk Models.

Organizational Risk Cultures.

Risk Averse, Risk Neutral, and Risk Taking Organizations.

Strategic Versus Tactical Risk Analysis.

When Compliance-based Models are Appropriate.

Risk Mitigation.

Key Points.

Notes and References.

Index.

商品描述(中文翻譯)

描述

這本出版物是作者作為一名信息安全顧問在私營和公共部門的各種客戶中的第一手經驗的反映。讀者將了解如何與組織合作,通過改進管理實踐並將信息安全作為整體戰略規劃的一部分來制定和實施成功的信息安全計劃。

該書首先概述了戰略規劃、信息技術戰略和信息安全戰略的基本概念。然後提供了一個實用指南,涵蓋了定義長期信息安全目標的“螺絲釘和螺母”,以有效保護信息資源。涵蓋技術戰略和管理戰略的獨立章節清楚地表明,這兩者都是保護信息的必要且互補的要素。

在這個實用的戰略發展介紹之後,接下來的章節涵蓋了信息安全戰略的理論基礎,包括:
* 檢查與不同信息使用和不同信息安全戰略相對應的關鍵企業規劃模型
* 檢查信息經濟學,這是信息安全戰略和業務戰略之間的重要聯繫
* 風險在構建信息安全戰略中的角色

開發了兩個獨立的案例研究,幫助讀者了解如何在自己的組織中開發和實施信息安全戰略。

這是信息安全經理、信息技術高管和顧問的必讀之作。通過將信息安全與總體管理戰略聯繫起來,本出版物也建議非技術高管保護其組織的價值和安全性的必讀之作。

目錄

圖表列表。
前言。
1. 簡介。
戰略概述。
戰略與信息技術。
戰略與信息安全。
信息安全戰略規劃方法論。
商業環境。
信息價值。
風險。
戰略規劃過程。
技術計劃。
管理計劃。
理論與實踐。
2. 制定信息安全戰略。
概述。
信息安全戰略制定方法論。
戰略先決條件。
研究來源。
初步開發。
正式項目介紹。
事實查明。
一般背景信息。
文件審查。
面試。
調查。
研究來源。
分析方法。
優勢、劣勢、機會和威脅。
業務系統規劃。
生命周期方法。
關鍵成功因素。
經濟分析。
風險分析