- Inbunden (Hardback)
- Antal sidor
- Auerbach Publishers Inc.
- Kabay, M. E.
- 63 black & white illustrations, 198 black & white tables
- 234 x 158 x 31 mm
- Antal komponenter
- 861 g
Du kanske gillar
Pragmatic Security Metrics
Applying Metametrics to Information Security
Fri frakt inom Sverige för privatpersoner.
Fler böcker av författarna
Information Security Management Metrics
W Krag Brotby
Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the neces...
Recensioner i media
Like all books on metrics, PRAGMATIC Security Metrics: Applying Metametrics to Information Security makes the statement that "you can't manage what you can't measure". The authors claim that other books on information security metrics discuss number theory and statistics in academic terms. This title promises to be light on mathematics and heavy on utility and is meant as a how-to-do-it guide for security metrics. As to the title, PRAGMATIC is an acronym for the basis of the method of the book, in using metrics that are predictive, relevant, actionable, genuine, meaningful, timely, independent and cost. After reading the first chapter, PRAGMATIC Security Metrics: Applying Metametrics to Information Security looks like it may live up to its promise of being able to use metrics not only to track and report performance but to identify problem areas and opportunities, and drive information security improvements. If so, this could be the metrics book a lot of information security professionals have been waiting for. -Ben Rothke, CISSP, CISM, Information Security Manager, Wyndham Worldwide; and author of Computer Security: 20 Things Every Employee Should Know, writing on the RSA Conference Blog, www.rsaconference.com
Bloggat om Pragmatic Security Metrics
Krag Brotby has 30 years of experience in the area of enterprise computer security architecture, governance, risk, and metrics and is a Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise Information Technology qualifications. Krag is a CISM trainer and has developed a number of related courses in governance, metrics, governance-risk-compliance (GRC), and risk and trained thousands on five continents during the past decade. Krag's experience includes intensive involvement in current and emerging security architectures, IT and information security metrics, and governance. He holds a foundation patent for digital rights management and has published a variety of technical and IT security-related articles and books. Brotby has served as principal author and editor of the Certified Information Security Manager Review Manual (ISACA 2012) since 2005, and is the researcher and author of the widely circulated Information Security Governance: Guidance for Boards of Directors and Executive Management (ITGI 2006), and Information Security Governance: Guidance for Information Security Managers (ITGI 2008a) as well as a new approach to Information Security Management Metrics (Brotby 2009a) and Information Security Governance; A Practical Development and Implementation Approach (Brotby 2009b). Krag has served on ISACA's Security Practice Development Committee. He was appointed to the Test Enhancement Committee, responsible for testing development, and to the committee developing a systems approach to information security called the Business Model for Information Security (BMIS). He received the 2009 ISACA John W. Lainhart IV Common Body of Knowledge Award for noteworthy contributions to the information security body of knowledge for the benefit of the global information security community. Krag is a member of the California High Tech Task Force Steering Committee, an advisory board for law enforcement. He is a frequent workshop presenter and speaker at conferences globally and lectures on information security governance; metrics; information security management; and GRC and CISM preparation throughout Oceania, Asia, Europe, the Middle East, and North America. As a practitioner in the security industry for three decades, Krag was the principal Xerox BASIA enterprise security architect and managed the proof-of-concept project, pilot, and global PKI implementation plan. He was a principal architect of the SWIFT Next Gen PKI security architecture; served as technical director at RAND Corporation for the cyber assurance initiative; as chief security strategist, was the PKI architect for TransactPlus, a J.P. Morgan spinoff; and developed policies and standards for a number of organizations, including the Australian Post Office and several U.S. banks. Recent consulting engagements include security governance projects for the Australia Post, New Zealand Inland Revenue, and Singapore Infocom Development Agency. Clients have included Microsoft, Unisys, AT&T, BP Alyeska, Countrywide Financial, Informix, Visa, VeriSign, Digital Signature Trust, Zantaz, Bank Al-Bilad, J.P. Morgan Chase, KeyBank, Certicom, and Paycom, among others. He has served on the board of advisors for Signet Assurance and has been involved in significant trade secret theft cases in the Silicon Valley. Gary Hinson-Despite his largely technical background, Dr. Gary Hinson, PhD, MBA, CISSP, has an abiding interest in human factors-the people side as opposed to the purely technical aspects of information security and governance. Gary's professional career stretches back to the mid-1980s as both a practitioner and manager in the fields of IT system and network administration, information security, and IT auditing. He has worked for some well-known multinationals in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, and financial services industries, mostly in the United Kingdom and Europe. He emigrate
Introduction Why Have We Written This Book? What's Different about This Metrics Book? Who Are We Writing This For? Who Are We? Krag Brotby Gary Hinson What We'll Be Talking About Defining Our Terminology What We Expect of You, the Reader Summary Why Measure Information Security? To Answer Awkward Management Questions To Improve Information Security, Systematically For Strategic, Tactical, and Operational Reasons For Compliance and Assurance Purposes To Fill the Vacuum Caused by Our Inability to Measure Security To Support the Information Security Manager For Profit! For Various Other Reasons Summary The Art and Science of Security Metrics Metrology, the Science of Measurement Governance and Management Metrics Information Security Metrics Financial Metrics (for Information Security) (Information Security) Risk Management Metrics Software Quality (and Security) Metrics Information Security Metrics Reference Sources Douglas Hubbard "How to Measure Anything" (Hubbard 2010) Andrew Jaquith: Security Metrics (Jaquith 2007) NIST SP 800-55: Performance Measurement Guide for Information Security (NIST 2008) Debra Herrmann: Complete Guide to Security and Privacy Metrics (Herrmann 2007) Krag Brotby: Information Security Management Metrics (Brotby 2009a) Lance Hayden: IT Security Metrics (Hayden 2010) Caroline Wong "Security Metrics: A Beginner's Guide" (Wong 2012) ISO/IEC 27004: Information Security Management-Measurement (ISO/IEC 27004 2009) 3.7.9 CIS Security Metrics (CIS 2010) ISACA Specifying Metrics Metrics Catalogs and a Serious Warning About SMD Other (Information Security) Metrics Resources Summary Audiences for Security Metrics Metrics Audiences Within the Organization Senior Management Middle and Junior Management Security Operations Others with Interest in Information Security Metrics Audiences From Without the Organization Summary Finding Candidate Metrics Preexisting/Current Information Security Metrics Other Corporate Metrics Metrics Used in Other Fields and Organizations Information Security Metrics Reference Sources Other Sources of Inspiration for Security Metrics Security Surveys Vendor Reports and White Papers Security Software Roll-Your-Own Metrics Metrics Supply and Demand Summary Metametrics and the PRAGMATIC Approach Metametrics Selecting Information Security Metrics PRAGMATIC Criteria 6.3.1 P = Predictive 6.3.2 R = Relevant 6.3.3 A = Actionable 6.3.4 G = Genuine 6.3.5 M = Meaningful 6.3.6 A = Accurate 6.3.7 T = Timely 6.3.8 I = Independent 6.3.9 C = Cost Scoring Information Security Metrics against the PRAGMATIC Criteria Other Uses for PRAGMATIC Metametrics Classifying Information Security Metrics 6.6.1 Strategic/Managerial/Operational (SMO)Metrics Classification 6.6.2 Risk/Control Metrics Classification 6.6.3 Input-Process-Output (Outcome) Metrics Classification 6.6.4 Effectiveness and Efficiency Metrics Classification 6.6.5 Maturity Metrics Classification 6.6.6 Directness Metrics Classification 6.6.7 Robustness Metrics Classification 6.6.8 Readiness Metrics Classification 6.6.9 Policy/Practice Metrics Classification Summary 150+ Example Security Metrics Information Security Risk Management Example Metrics Information Security Policy Example Metrics Security Governance, Management, and Organization Example Metrics Information Security Financial Management Metrics Information Security Control-Related Metrics Metrics for Business Alignment and Relevance of Controls Control Monitoring and Testing Metrics Financial Information Security Metrics Information Asset Management Example Metrics Human Resources Security Example Metrics Physical Security Examples IT Security Metric Examples Access Control Example Metrics Software Security Example Metrics Incident Management Example Metrics Business Continuity Management Examples Compliance and Assurance Metric