An ideal introduction and a quick reference to PCI DSS version 3.1

All businesses that accept payment cards are prey for hackers and criminal gangs trying to steal financial information and commit identity fraud. The PCI DSS (Payment Card Industry Data Security Standard) exists to ensure that businesses process credit and debit card orders in a way that protects cardholder data effectively. All organisations that accept, store, transmit or process cardholder data must comply with the Standard; failure to do so can have serious consequences for their ability to process card payments.

Product overview

Co-written by a PCI QSA (Qualified Security Assessor) and updated to cover PCI DSS version 3.1, this handy pocket guide provides all the information you need to consider as you approach the PCI DSS. It is also an ideal training resource for anyone in your organisation who deals with payment card processing.

Coverage includes:
* An overview of Payment Card Industry Data Security Standard v3.1.
* A PCI self-assessment questionnaire (SAQ).
* Procedures and qualifications.
* An overview of the Payment Application Data Security Standard.

Contents
1. What is the Payment Card Industry Data Security Standard (PCI DSS)?
2. What is the Scope of the PCI DSS?
3. Compliance and Compliance Programmes
4. Consequences of a Breach
5. How do you Comply with the Requirements of the Standard?
6. Maintaining Compliance
7. PCI DSS - The Standard
8. Aspects of PCI DSS Compliance
9. The PCI Self-Assessment Questionnaire
10. Procedures and Qualifications
11. The PCI DSS and ISO/IEC 27001
12. The Payment Application Data Security Standard (PA-DSS)
13. PIN Transaction Security (PTS)

About the authors

Alan Calder is the founder and executive chairman of IT Governance Ltd, an information, advice and consultancy firm that helps company boards tackle IT governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.

Geraint Williams is a knowledgeable and experienced senior information security consultant and PCI QSA, with a strong technical background and experience of the PCI DSS and security testing. Geraint has provided consultancy on implementation of the PCI DSS, and conducted audits with a wide range of merchants and service providers. He has performed penetration testing and vulnerability assessments for various clients. Geraint leads the IT Governance CISSP Accelerated Training Programme, as well as the PCI Foundation and Implementer training courses. He has broad technical knowledge of security and IT infrastructure, including high performance computing, and Cloud computing. His certifications include CISSP, PCI QSA, CREST Registered Tester, CEH and CHFI.
When is a gift not a gift? When it's a bribe.

For many, corporate hospitality oils the wheels of commerce. But where do you draw the line? Bribes, incentives and inducements are not just a matter of used banknotes stuffed in brown envelopes. Expenses, corporate settlement of personal bills, gifts and hospitality can all be used to influence business partners, clients and contractors.

Can you afford unlimited fines?

Under the Bribery Act 2010, a maximum of ten years' imprisonment and an unlimited fine may be imposed for offering, promising, giving, requesting, agreeing, receiving or accepting bribes. With such strict penalties, it's astonishing that so many companies have few or no measures in place to ensure that they are not liable for prosecution. This is especially astonishing as the Ministry of Justice's Quick start guide to the Bribery Act makes it clear that "There is a full defence if you can show you had adequate procedures in place to prevent bribery." Such procedures can be found in BS 10500:2010, the British Standard for anti-bribery management systems (ABMSs).

How to implement an ABMS

An Introduction to Anti-Bribery Management Systems (BS 10500) explains how to implement an ABMS that meets the requirements of BS 10500, from initial gap analysis to due diligence management:
* An introduction to BS 10500
* An explanation of an ABMS
* Management processes within an ABMS
* Implementing an ABMS
* Risk assessment in due diligence
* Whistleblowing and bribery investigations
* Internal auditing and corrective action
* Certification to BS 10500

It provides helpful guidance on the importance of clearly defining policies; logging gifts and hospitality in auditable records; ensuring a consistent approach across the organisation; controls for contractors; facilitation payments; charitable and political donations; risk assessment in due diligence; whistle-blowing and bribery investigations; and internal auditing and corrective action.

Meet the stringent requirements of the Bribery Act

Not only will a BS 10500-compliant ABMS help your organisation prove its probity by meeting the stringent requirements of the Bribery Act, it can also be adapted to most legal or compliance systems. An ethical approach to business is not just a legal obligation but a way to protect your reputation.

About the author

Alan Field, MA, LL.B (Hons), PgC, MCQI CQP, MIIRSM, AIEMA, GIFireE, GradIOSH is a Chartered Quality Professional, an IRCA Registered Lead Auditor and member of the Society of Authors. Alan has particular expertise in auditing and assessing anti-bribery management systems to BS 10500 and public-sector counter-fraud systems to ISO 9001. Alan has many years' experience with quality and integrated management systems in the legal, financial, property services and project management sectors in auditing, assessment and gap analysis roles.

Your company's integrity is important. An Introduction to Anti-Bribery Management Systems (BS 10500) shows you how to maintain and prove it.
Take the first steps to ISO 14001 certification with this practical overview.

This book provides practical advice on how to achieve compliance with ISO 14001:2015, the international standard for an EMS (environmental management system). With an EMS certified to ISO 14001, you can improve the efficiency of your business operations and fulfil compliance obligations, while reassuring your employees, clients and other stakeholders that you are monitoring your environmental impact. This easy-to-follow guide takes a step-by-step approach, and provides many sample documents to help you understand how to record and monitor your organisation's EMS processes.

Ideal for compliance managers, IT and general managers, environmental officers, auditors and trainers, this book will provide you with:
* The confidence to plan and design an EMS. Detailed descriptions of the ISO 14001:2015 requirements will give you a clear understanding of the standard, even if you lack specialist knowledge or previous experience;
* Guidance to build stakeholder support for your EMS. Information on why it is important for an organisation to have an environmental policy, and a sample communications procedure will help you to raise awareness of the benefits of implementing an EMS; and
* Advice on how to become an ISO 14001-certified organisation. The book takes a step-by-step approach to implementing an ISO 14001-compliant EMS.

Key features:
* A concise summary of the ISO 14001:2015 requirements and how you can meet them.
* An overview of the documentation needed to achieve ISO 14001:2015 accreditation.
* Sample documents to help you understand how to record and monitor your organisation's environmental management processes.

New for the second edition:
* Updated for ISO 14001:2015, including terms, definitions and references;
* Revised approach to take into account requirements to address "risks and opportunities".

Your practical guide to implementing an EMS that complies with ISO 14001:2015 - buy this book today to get the help and guidance you need!
In the world as we know it, you can be attacked both physically and virtually. For today's organisations, which rely so heavily on technology - particularly the Internet - to do business, the latter is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. This book is a comprehensive cyber security implementation manual which gives practical guidance on the individual activities identified in the IT Governance Cyber Resilience Framework (CRF) that can help organisations become cyber resilient and combat the cyber threat landscape.

Suitable for senior directors (CEO, CISO, CIO), compliance managers, privacy managers, IT managers, security analysts and others, the book is divided into six parts:
* Part 1: Introduction. The world of cyber security and the approach taken in this book.
* Part 2: Threats and vulnerabilities. A discussion of a range of threats organisations face, organised by threat category, to help you understand what you are defending yourself against before you start thinking about your actual defences.
* Part 3: The CRF processes. Detailed discussions of each of the 24 CRF processes, explaining a wide range of security areas by process category and offering guidance on how to implement each.
* Part 4: Eight steps to implementing cyber security. Our eight-step approach to implementing the cyber security processes you need and maintaining them.
* Part 5: Reference frameworks. An explanation of how standards and frameworks work, along with their benefits. It also presents ten framework options, introducing you to some of the best-known standards and giving you an idea of the range available.
* Part 6: Conclusion and appendices. The appendices include a glossary of all the acronyms and abbreviations used in this book.

Whether you are just starting out on the road to cyber security or looking to enhance and improve your existing cyber resilience programme, it should be clear that cyber security is no longer optional in today's information age; it is an essential component of business success. Make sure you understand the threats and vulnerabilities your organisation faces and how the Cyber Resilience Framework can help you tackle them. Start your journey to cyber security now - buy this book today!
Protect your organisation from information security risks

For any modern business to thrive, it must assess, control and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise's risk management strategy, not in isolation. They must be identified, documented, assessed and managed, and assigned to risk owners so that they can be mitigated and audited. Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.

Product overview

Fundamentals of Information Risk Management Auditing - An Introduction for Managers and Auditors has four main parts:
* What is risk and why is it important? An introduction to general risk management and information risk.
* Introduction to general IS and management risks. An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity and availability of information.
* Introduction to application controls. An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.
* Life as an information risk management specialist/auditor. A guide for those considering, or undergoing, a career in information risk management.

Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls. Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses. The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.

Topics covered

Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defence; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT(R)5, CRAMM, PRINCE2(R), ITIL(R) and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301 and ISO 38500; the UK Government's Cyber Essentials scheme; IT security controls; and application controls.

About the author

Christopher Wright is a qualified accountant, Certified Information Systems Auditor and Certified ScrumMaster(TM) with over 30 years' experience providing financial and IT advisory and risk management services. For 16 years, he worked at KPMG, where he was head of information risk training in the UK and also ran training courses overseas, including in India and throughout mainland Europe. He managed a number of major IS audit and risk assignments, including project risk and business control reviews. He has worked in a wide range of industry sectors including oil and gas, the public sector, aviation, and travel. For the past eight years, he has been an independent consultant specialising in financial, SOX and operational controls for major ERP implementations, mainly at oil and gas/utilities enterprises. He is an international speaker and trainer on Agile audit and governance, and is the author of two other titles, also published by ITGP: Agile Governance and Audit and Reviewing IT in Due Diligence.
The Universal Service Desk (USD) - Implementing, controlling and
improving service delivery defines what a USD is, why it is
valuable to an organisation and how to build and implement one. It
also discusses the evolution of the USD as part of integrated
workplace management. Understand the essentials of any USD - buy
this book today!
Securing Cloud Services - A pragmatic guide gives an overview of
security architecture processes and explains how they may be used
to derive an appropriate set of security controls to manage the
risks associated with working in the Cloud. Manage the risks
associated with Cloud computing - buy this book today!
Cyber Security - Essential principles to secure your organisation takes you through the fundamentals of cyber security, the principles that underpin it, vulnerabilities and threats, and how to defend against attacks. Organisations large and small experience attacks every day, from simple phishing emails to intricate, detailed operations masterminded by criminal gangs, and for every vulnerability fixed, another pops up, ripe for exploitation. Cyber security doesn't have to cost vast amounts of money or take a short ice age to implement. No matter the size of your organisation, improving cyber security helps protect your data and that of your clients, improving business relations and opening the door to new opportunities. This pocket guide will take you through the essentials of cyber security - the principles that underpin it, vulnerabilities and threats and the attackers who use them, and how to defend against them - so you can confidently develop a cyber security programme.

Cyber Security - Essential principles to secure your organisation:
* Covers the key differences between cyber and information security;
* Explains how cyber security is increasingly mandatory and how this ties into data protection, e.g. the Data Protection Act 2018 and the GDPR (General Data Protection Regulation);
* Focuses on the nature of the problem, looking at technical, physical and human threats and vulnerabilities;
* Explores the importance of security by design;
* Gives guidance on why security should be balanced and centralised; and
* Introduces the concept of using standards and frameworks to manage cyber security.

No matter the size of your organisation, cyber security is no longer optional - it is an essential component of business success and a critical defence against the risks of the information age. The only questions left are to decide when and where your journey will begin. Start that journey now - buy this book today!
ISO/IEC 27701:2019: An introduction to privacy information
management offers a concise introduction to the Standard, aiding
those organisations looking to improve their privacy information
management regime, particularly where ISO/IEC 27701:2019 is
involved.
A must-have resource for anyone looking to establish, implement and maintain an ISMS. Ideal for information security managers, auditors, consultants and organisations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organisations to ISO 27001.

The book covers:
* Implementation guidance - what needs to be considered to fulfil the requirements of the controls from ISO/IEC 27001, Annex A. This guidance is aligned with ISO/IEC 27002, which gives advice on implementing the controls;
* Auditing guidance - what should be checked, and how, when examining the ISO/IEC 27001 controls to ensure that the implementation covers the ISMS control requirements.

The implementation guidance gives clear descriptions covering what needs to be considered to achieve compliance against the requirements, with examples given throughout. The auditing guidance covers what evidence an auditor should look for in order to satisfy themselves that the requirement has been met. Useful for internal auditors and consultants, the auditing guidance will also be useful for information security managers and lead implementers as a means of confirming that their implementation and evidence to support it will be sufficient to pass an audit.

This guide is intended to be used by those involved in:
* Designing, implementing and/or maintaining an ISMS;
* Preparing for ISMS audits and assessments; or
* Undertaking both internal and third-party ISMS audits and assessments.

About the author

Bridget Kenyon (CISSP) is global CISO for Thales eSecurity. Her experience in information security started in 2000 with a role in network vulnerabilities at DERA, following which she has been a PCI Qualified Security Assessor, information security officer for Warwick University and head of information security for UCL, and has held a variety of roles in consultancy and academia. Bridget has been contributing to international standards since 2006, when she first joined BSI Panel 1, coordinating development of information security management system standards; she is currently editor for ISO/IEC 27014. Bridget has also co-authored three textbooks on information security. She strongly believes that "information security is fundamental to reliable business operations, not a nice-to-have". In 2018, she was named one of the top 25 women in tech by UK publication PCR.
Summary
* Explains in easy-to-understand terms what executives and senior managers need to know and do about the ever-changing cyber threat landscape.
* Gives strategic, business-focused guidance and advice relevant to C-suite executives.
* Provides an effective and efficient framework for managing cyber governance, risk and compliance.
* Explains what is required to implement an effective cyber security strategy.

Description

With high-profile cyber attacks, data breaches and fines for GDPR (General Data Protection Regulation) non-compliance hitting the headlines daily, businesses must protect themselves and their reputations, while reassuring stakeholders they take cyber security seriously. Cyber attacks are becoming more sophisticated and prevalent, and the cost of data breaches is soaring. In addition, new regulations and reporting requirements make cyber security a critical business issue. Board members and senior management must understand the threat landscape and the strategies they can employ to establish, implement and maintain effective cyber resilience throughout their organisation.

How Cyber Security Can Protect your Business - A guide for all stakeholders provides an effective and efficient framework for managing cyber governance, risk and compliance, which organisations can adapt to meet their own risk appetite and synchronise with their people, processes and technology. It explains what is meant by governance, risk and compliance, how it applies to cyber security and what is required to implement an effective cyber security strategy.

The pocket guide:
* Gives readers a greater understanding of cyber governance, risk and compliance;
* Explains what executives, senior managers and their advisors need to know and do about the ever-changing cyber threat landscape;
* Provides context as to why stakeholders need to be aware of and in control of their organisation's cyber risk management and cyber incident response;
* Gives guidance on building an appropriate and efficient governance framework that enables organisations to demonstrate their cyber approach in a non-technical, strategic, business-focused way;
* Details an overview process to enable risk assessment, assess existing defence mitigations and provide a framework for developing suitable controls; and
* Includes a checklist to help readers focus on their higher-priority cyber areas.

Suitable for all managers and executives, this pocket guide will be of interest to non-cyber specialists, including non-executive directors, who may be required to review cyber arrangements. For cyber specialists, it provides an approach for explaining cyber issues in non-jargonistic, business-based language. Kick-start your journey to becoming cyber secure - buy this pocket guide today!
ISO 50001 - A strategic guide to establishing an energy management
system provides a practical but strategic overview for leadership
teams of what an EnMS (energy management system) is and how
implementing one can bring added value to an organisation.
This useful pocket guide is an ideal introduction for those wanting
to understand more about ISO 38500. It describes the scope,
application and objectives of the Standard and outlines its six
core principles.
This pocket guide is perfect as a quick reference for PCI
professionals, or as a handy introduction for new staff. It
explains the fundamental concepts of the latest iteration of the
PCI DSS, v3.2.1, making it an ideal training resource. It will
teach you how to protect your customers' cardholder data with best
practice from the Standard.
Achieving certification to multiple ISO standards can be time consuming and costly, but an IMS incorporates all of an organisation's processes and systems so that they are working under - and towards - one set of policies and objectives. With an IMS, risks and opportunities are no longer managed in silos within the organisation, but with one unified or integrated approach from the leadership team. This guide discusses the benefits of an IMS, and the strategies you should consider before implementing one. It references a vast number of standards that can be integrated but stresses the need for senior management to lead the implementation by deciding upon objectives and which standards to include.

Ideal for the c-suite, directors, compliance managers, auditors and trainers, this pocket guide will explain:
- What an IMS is - even if you have no prior knowledge, this book will help you envisage what an IMS is and how it works;
- How to develop a strategy for IMS implementation - this guide emphasises the importance of effectively planning your IMS implementation by having objectives set by senior management to encourage a unified approach; and
- The benefits of an IMS - information on how an IMS can benefit your organisation, e.g. avoiding duplication of effort as management systems are no longer working in silos, reducing the number of audits required, and making more effective use of senior management time.

Key features:
- An easy-to-follow introduction to an IMS, and advice on IMS implementation strategies.
- Discusses the challenges you may face during implementation and how to prepare for and overcome them.
- Advice on audits and IMS certification.
Succeed as a PRINCE2(R) practitioner with this concise overview.

PRINCE2 is the leading model for effective project management methodology. PRINCE2 certification will help you implement projects across your organisation efficiently, creating a controlled and manageable environment for employees. This guide explains the fundamental principles of PRINCE2 2017, enabling you to review essential themes before taking your PRINCE2 Foundation exam. Following accreditation, it serves as a reference guide to help you manage ongoing PRINCE2 projects within your organisation.

Ideal for anyone involved with implementing a new project that uses the PRINCE2 framework, whether you are a student, project board member or team manager, this guide will help you:
* Prepare for your PRINCE2 2017 Foundation exam;
* Implement PRINCE2-aligned projects; and
* Enhance your skills as a PRINCE2 practitioner.

Key features:
* Concise summary of the fundamental principles and themes of PRINCE2 2017.
* Clear and comprehensible format.
* Serves as a reference guide while you manage ongoing PRINCE2 projects.

New for the third edition:
* Updated to align with PRINCE2 2017.
* New diagrams to aid understanding of the framework.

A succinct reference guide that summarises the key elements of PRINCE2 2017 - buy this book today to get the help and guidance you need!
This pocket guide is an introduction to the EU's NIS Directive (Directive on security of network and information systems). It outlines the key requirements, details which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance. This pocket guide is a primer for any DSP that needs to comply with the NIS Directive.

The pocket guide helps DSPs:
* Gain insight into the NIS Directive and who is regulating it;
* Identify if they are within the scope of the Directive;
* Understand the key requirements; and
* Understand how guidance from international standards and ENISA can help them comply.

Your essential guide to understanding the EU's NIS Directive - buy this book today and get the help and guidance you need.
This pocket guide is a primer for any OES (operator of essential services) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them. An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law. This guide outlines the requirements for operators of essential services based on the Cyber Assessment Framework established by the National Cyber Security Centre (NCSC), including an explanation of the objectives, principles and indicators of good practice, and offers implementation guidance.

This guide will help you:
* Understand how to comply with NIS Regulations, and avoid penalties associated with non-compliance
* Unravel the key definitions, authorities and points of contact
* Learn the benefits of a good Cyber Resilience plan
* Interpret and ensure compliance with the Cyber Assessment Framework
* Establish the NCSC's cyber security objectives, principles and indicators of good practice

Your essential guide to understanding the NIS Regulations - buy this book today and get the help and guidance you need.
This pocket guide is a primer for any DSP (digital service provider) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them. An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law. This guide outlines the key requirements, details exactly which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance.

This guide will help you:
* Clarify how to identify if you are within the scope of the NIS Regulations
* Gain an insight into the NIS Directive
* Unravel the key definitions, authorities and points of contact
* Understand the benefits of a good cyber resilience plan

Your essential guide to understanding the NIS Regulations - buy this book today and get the help and guidance you need.
Now in its second edition, The Power of the Agile Business Analyst has expanded to include new Agile methods that have emerged or gained prominence since the first edition. Buy this book to learn how to revolutionise your Agile development and increase the value and relevancy of your project outcomes. Learn 30 realistic, achievable ways that an Agile business analyst can increase project efficiency, add value and improve quality. Find out how an Agile business analyst bridges the gap between the needs of the business and the resources of the development team. Now updated with current Agile methods, to support emerging and established business analysts to adapt to new trends.

30 ways an Agile business analyst can help

Drawing on her extensive experience, Jamie proposes a new role for Agile projects: The Agile business analyst. She details 30 achievable ways that such a role will increase relevance, quality and overall business value, and provide business users with crucial support. The Agile business analyst is also a boon to the development team, being a ready source of business knowledge and ensuring that project outcomes align with requirements.

This book has been updated to:
* Incorporate behaviour-driven development into the work that the business analyst does to support interface design;
* Align the programme management strategies of the Scaled Agile Framework (SAFe) to encourage cross-organisational communication and participation;
* Include full updates throughout the Qualifications section in 'Getting the Right Agile Business Analyst for Your Team'; and
* Provide Agile updates, bringing the book back into line with current methods.

Support your Agile business user for better project outcomes.
What do a jilted bride, a football team and a scientist all have in common? They are all case studies that demonstrate how PRINCE2(R) can be used to manage both professional and private lives. This book can be used as a guide to the PRINCE2 framework, using everyday language and experiences, and focusing on areas such as product-based planning, project management, team structure and project flexibility. The translations and illustrations give a real-life context to the method, and provide evidence of how to use (and how not to use) it.

This step-by-step guide:
* Explains the principles of PRINCE2 in straightforward, manageable chunks;
* Emphasises how to apply PRINCE2 in practice, using real-life examples;
* Is written by an experienced PRINCE2 practitioner and trainer, so you can be sure that the information is based upon approaches that work;
* Gives clear explanations and practical illustrations in each section;
* Explains how to effectively apply PRINCE2's principles, themes and processes to your projects and other real-world scenarios; and
* Has been updated for PRINCE2 2017.

Susan Tuttle has 20 years' experience in project management, programme management and change management, producing exceptional results across diverse industries. She is an accredited trainer in PRINCE2. Her training style is influenced by her strong commitment to human development. She uses learner-centred theories and principles in her training and writing to help explain and communicate difficult topics.
Understand how to protect your critical information infrastructure
(CII). Billions of people use the services of critical
infrastructure providers, such as ambulances, hospitals, and
electricity and transport networks. This number is increasing
rapidly, yet there appears to be little protection for many of
these services. IT solutions have allowed organisations to increase
their efficiency in order to be competitive. However, do we even
know or realise what happens when IT solutions are not working -
when they simply don't function at all or not in the way we expect?
This book aims to teach the IT framework from within, allowing you
to reduce dependence on IT systems and put in place the necessary
processes and procedures to help protect your CII. Lessons Learned:
Critical Information Infrastructure Protection is aimed at people
who organise the protection of critical infrastructure, such as
chief executive officers, business managers, risk managers, IT
managers, information security managers, business continuity
managers and civil servants. Most of the principles and
recommendations described are also valid in organisations that are
not critical infrastructure service providers. The book covers the following:
- Lesson 1: Define critical infrastructure services.
- Lesson 2: Describe the critical infrastructure service and determine its service level.
- Lesson 3: Define the providers of critical infrastructure services.
- Lesson 4: Identify the critical activities, resources and responsible persons needed to provide the critical infrastructure service.
- Lesson 5: Analyse and identify the interdependencies of services and their reliance upon power supplies.
- Lesson 6: Visualise critical infrastructure data.
- Lesson 7: Identify important information systems and assess their importance.
- Lesson 8: Identify and analyse the interconnections and dependencies of information systems.
- Lesson 9: Focus on more critical services and prioritise your activities.
- Lesson 10: Identify threats and vulnerabilities.
- Lesson 11: Assess the impact of service disruptions.
- Lesson 12: Assess the risks associated with the service and information system.
- Lesson 13: Implement the necessary security measures.
- Lesson 14: Create a functioning organisation to protect CII.
- Lesson 15: Follow regulations to improve the cyber resilience of critical infrastructure services.
- Lesson 16: Assess the security level of your information systems yourself and ask external experts to assess them as well.
- Lesson 17: Scan networks yourself and ask external experts to scan them as well to find the systems that shouldn't be connected to the Internet but still are.
- Lesson 18: Prepare business continuity and disaster recovery plans and test them at reasonable intervals.
- Lesson 19: Establish reliable relations and maintain them.
- Lesson 20: Share information and be a part of networks where information is shared.
- Lesson 21: Train people to make sure they are aware of cyber threats and know the correct behaviour.
- Lesson 22: If the CII protection system does not work as planned or give the desired output, make improvements.
- Lesson 23: Be prepared to provide critical infrastructure services without IT systems. If possible, reduce dependence on IT systems. If possible, during a crisis, provide critical services at reduced functionality and/or in reduced volumes.
Author
Toomas Viira is a highly motivated, experienced and results-orientated cyber security risk manager and IT auditor. He has more than 20 years' experience in the IT and cyber security sectors.
This adapted version of CBSD for the Fundamentals Series explores
the characteristics of IT-driven business services, their
requirements and how to gather the right requirements to improve
the service lifecycle throughout design, development and
maintenance until decommissioning. By understanding IT-driven
business services and anchoring them in a service design statement
(SDS), you will be able to accelerate the translation of the needs
of the business to the delivery of IT-intensive business services.
Product overview
CBSD supports portfolio, programme and project management by identifying key questions and structuring the creative process of designing services. Insight into the CBSD approach to deriving an SDS is therefore a practical and powerful tool to help you:
- Promote a coherent design so that fundamental issues and requirements of needs are mapped, based on different perspectives between demand and supply;
- Gain insight into the dynamics between stakeholders within an enterprise;
- Reflect on and formulate a practical and realistic roadmap; and
- Guide the development, build, programme management and maintenance of IT-driven business services.
CBSD complements existing frameworks such as TOGAF(R), IT4IT, BiSL(R) Next and ITIL(R) by focusing on business architecture, a subject rarely discussed before designing an IT-intensive, complex business service.
Who should read this book
This book is intended for anyone responsible for designing and implementing IT-driven services or involved in their operation. This includes:
- Internal and external service providers, such as service managers, contract managers, bid managers, lead architects and requirement analysts;
- Business, financial, sales, marketing and operations managers who are responsible for output and outcome;
- Sales and product managers who need to present and improve service offerings;
- Developers who need to develop new and improved services;
- Contract managers and those responsible for purchasing; and
- Consultants, strategists, business managers, business process owners, business architects, business information managers, chief information officers, information systems owners and information architects.
Collaborative Business Design: The Fundamentals is part of the Fundamentals Series.
Authors
Brian Johnson has published more than 30 books, including a dozen
official titles in the IT Infrastructure Library (ITIL), all of
which are used worldwide. He designed and led the programme for
ITIL version 2. He has fulfilled many roles during his career,
including vice president, chief architect, senior director and
executive consultant. One of his current roles is chief architect
at the ASL BiSL Foundation, which provides guidance on business
information management to a wide range of public and private-sector
businesses in the Benelux region. Brian is chief architect for the
redesign of all guidance and is the author of new strategic
publications. Leon-Paul de Rouw studied technical management and
organisation sociology. He worked for several years as a consultant
and researcher in the private sector. Since 2003, he has been a
programme manager with the central government in the Netherlands.
He is responsible for all types of projects and programmes that
focus on business enabled by IT.