An up-to-date and comprehensive desk reference for information security and privacy professionals CISOs, CSOs, Chief Privacy Officers, and other information security and privacy professionals are required to understand and apply legislation and regulations from seemingly countless local, state, national, and international authorities. The information you need every day is contained in an overwhelming number of sources from all over the world. The Information Security and Privacy Quick Reference is a convenient and straightforward solution to this information overload. The book combines and…mehr
An up-to-date and comprehensive desk reference for information security and privacy professionals CISOs, CSOs, Chief Privacy Officers, and other information security and privacy professionals are required to understand and apply legislation and regulations from seemingly countless local, state, national, and international authorities. The information you need every day is contained in an overwhelming number of sources from all over the world. The Information Security and Privacy Quick Reference is a convenient and straightforward solution to this information overload. The book combines and summarizes the tangle of overlapping technical certification objectives, government guidance, and international standards that you must apply in your day-to-day. It offers comprehensive and concise coverage of information security and privacy topics, organizing it all into easy-to-find and accessible chapters that explain: * Security and Privacy Foundations * Governance, Risk Management, and Compliance * Security Architecture and Design * Identity and Access Management * Data Protection and Privacy Engineering * Cryptography Essentials * Physical and Environmental Security * Legal and Ethical Considerations * Security and Privacy Incident Management * Network Security and Privacy Protections * Security Assessment and Testing * Endpoint and Device Security * Application Security * Threat Intelligence and Cyber Defense * Business Continuity and Disaster Recovery
Mike Chapple, PhD, CISSP, CISM, CIPP/US, CIPM, and CCSP, is Teaching Professor of Information Technology, Analytics, and Operations at Notre Dame's Mendoza College of Business. He is the bestselling author of over 50 technical books. He is also the Faculty Director of the University's Business/Computer Science program. Joe Shelley, CIPP/US, CIPM, and Security+, is the Vice President for Libraries and Information Technology at Hamilton College in New York. He oversees the information security and privacy programs, IT risk management, business intelligence and analytics, and data governance. James Michael Stewart, CISSP, CEH, CHFI, ECSA, CND, ECIH, CEI, and CFR, has been writing and training for more than 25 years, with a focus on CISSP, internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 80 books on security certification, Microsoft topics, and network administration.
Inhaltsangabe
Introduction xiii 1 Security and Privacy Foundations 1 Security 101 1 Confidentiality, Integrity, and Availability (CIA) 3 Disclosure, Alteration, and Destruction (DAD) 4 Authentication, Authorization, and Accounting (AAA) 5 Privacy in the Modern Era 6 Foundational Privacy Principles 8 Security and Privacy Frameworks 11 Security and Privacy Policies: Creation and Enforcement 14 Establishing Security Awareness Programs 16 Security Strategies 19 2 Governance, Risk Management, and Compliance 23 The Role of Governance in Security and Privacy 23 Key Regulations and Standards 26 Regulatory Compliance 29 Building and Managing a Risk Management Framework 32 Managing Third-Party Risks and Vendor Assessments 35 3 Security Architecture and Design 39 Principles of Secure Design 39 Security Operations Foundations 42 Ensuring Confidentiality, Integrity, and Availability 44 Understanding Security Models 46 Implementing Personnel Security 49 Applying Protection Mechanisms 52 System Resilience and High Availability 54 4 Identity and Access Management 57 IAM Core Concepts and Principles 57 Authentication Methods and Multifactor Authentication 60 Role-Based Access Control Versus Attribute-Based Access Control 62 Identity Federation and Single Sign-On 65 Zero Trust Architecture for IAM 68 Identity Governance Life Cycle 71 Access Control Attacks 73 5 Data Protection and Privacy Engineering 77 Data Classification and Labeling 77 Data Masking, Tokenization, and Encryption 80 Data Loss Prevention Strategies 82 Privacy by Design 85 Developing a Privacy Program 87 Cross-Border Data Transfers and Legal Implications 90 Data Subject Rights and Privacy Request Handling 93 Data Retention, Archiving, and Secure Disposal 96 6 Security and Privacy Incident Management 101 Incident Response Planning 101 Detection and Triage of Security and Privacy Incidents 104 Investigating Incidents 106 Communication Plans for Incident Response 110 Post-Incident Review and Lessons Learned 113 Privacy Breach Notifications and Regulatory Reporting 117 7 Network Security and Privacy Protections 121 Secure Network Components 121 Network Segmentation 125 System Hardening 128 Firewalls and Intrusion Detection/Prevention Systems 130 Virtual Private Networks and Secure Access Service Edge 133 Secure Wireless Network Management 136 Securing the Cloud 139 Network Monitoring 142 8 Security Assessment and Testing 145 Building a Security Assessment and Testing Program 145 Vulnerability Management 147 Understanding Security Vulnerabilities 150 Penetration Testing 153 Testing Software 155 Training and Exercises 158 9 Endpoint and Device Security 163 Endpoint Detection and Response 163 Network Device Security 166 Mobile Device Management 169 Understanding Malware 173 Malware Prevention 176 Patching and Vulnerability Remediation 178 10 Application Security 183 Secure Software Development Life Cycle 183 DevSecOps and DevOps Integration 187 Application Attacks 191 Injection Vulnerabilities 192 Authorization Vulnerabilities 194 Web Application Attacks 196 Application Security Controls 198 Coding Best Practices 201 11 Cryptography Essentials 205 Core Cryptography Concepts 205 Symmetric Cryptography 208 Asymmetric Cryptography 210 Hash Functions 213 Digital Signatures 216 Public Key Infrastructure 218 Key Management Best Practices 220 Cryptographic Attacks 222 12 Physical and Environmental Security 227 Security and Facility Design 227 Physical Access Controls and Monitoring 229 Security in Data Centers and Server Rooms 232 Environmental Controls 234 Implement and Manage Physical Security 235 13 Legal and Ethical Considerations 237 Computer Crime 238 Intellectual Property Laws 241 Software Licensing Laws 243 Import/Export Laws 244 Privacy Laws 246 Compliance 249 Ethical Considerations 250 14 Threat Intelligence and Cyber Defense 253 Threat Actors 253 Threat Vectors 256 Threat Intelligence 258 Threat Feeds 259 Threat Hunting 262 Assessing Threat Intelligence 263 Cyber Kill Chain and the MITRE ATT&CK 265 15 Business Continuity and Disaster Recovery 269 Project Scope and Planning 270 Conducting Business Impact Analysis 273 Business Continuity Planning Essentials 277 Recovery Planning Essentials 279 Disaster Recovery Strategies and Solutions 282 Testing and Simulation Exercises 284 Index 289
